Ch08 Crypto7e (4)


Cryptography and Network Security
Seventh Edition, Global Edition
by William Stallings

© 2017 Pearson Education, Ltd., All rights reserved.


Chapter 8
Random Bit Generation and Stream Ciphers

Random Numbers
• A number of network security algorithms and protocols
based on cryptography make use of random binary
numbers:
• Key distribution and reciprocal authentication schemes
• Session key generation
• Generation of keys for the RSA public-key encryption
algorithm
• Generation of a bit stream for symmetric stream
encryption

• There are two distinct requirements for a sequence of random numbers:
• Randomness
• Unpredictability


Randomness
• Traditionally, the concern in generating a sequence of allegedly random numbers has been that the sequence be random in some well-defined statistical sense
Two criteria are used to validate
that a sequence of numbers is
random:
Uniform distribution
• The frequency of occurrence of ones and
zeros should be approximately equal

Independence
• No one subsequence in the sequence can
be inferred from the others



Unpredictability
• The requirement is not just that the sequence of
numbers be statistically random, but that the
successive members of the sequence are
unpredictable
• With “true” random sequences each number is
statistically independent of other numbers in the
sequence and therefore unpredictable
• True random numbers have their limitations, such
as inefficiency, so it is more common to implement
algorithms that generate sequences of numbers
that appear to be random
• Care must be taken that an opponent not be able to
predict future elements of the sequence on the
basis of earlier elements
Pseudorandom Numbers
• Cryptographic applications typically make use of algorithmic techniques for random number generation
• These algorithms are deterministic and therefore produce sequences of numbers that are not statistically random
• If the algorithm is good, the resulting sequences will pass many tests of randomness and are referred to as

True Random Number Generator (TRNG)
• Takes as input a source that is effectively random
• The source is referred to as an entropy source and is drawn from the physical environment of the computer
• Includes things such as keystroke timing patterns, disk electrical activity, mouse movements, and instantaneous values of the system clock
• The source, or combination of sources, serves as input to an algorithm that produces random binary output
• The TRNG may simply involve conversion of an analog source to a binary output
• The TRNG may involve additional processing to overcome any bias in the source

Pseudorandom Number Generator (PRNG)
• Takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm
• Quite often the seed is generated by a TRNG
• The output bit stream is determined solely by the input value or values, so an adversary who knows the algorithm and the seed can reproduce the entire bit stream
• Other than the number of bits produced there is no difference between a PRNG and a PRF

Two different forms of PRNG
• Pseudorandom number generator
• An algorithm that is used to produce an open-ended sequence of bits
• Input to a symmetric stream cipher is a common application for an open-ended sequence of bits
• Pseudorandom function (PRF)
• Used to produce a pseudorandom string of bits of some fixed length
• Examples are symmetric encryption keys


PRNG Requirements
• The basic requirement when a PRNG or PRF
is used for a cryptographic application is
that an adversary who does not know the
seed is unable to determine the
pseudorandom string
• The requirement for secrecy of the output
of a PRNG or PRF leads to specific
requirements in the areas of:
• Randomness
• Unpredictability
• Characteristics of the seed
Randomness
• The generated bit stream needs to appear random
even though it is deterministic
• There is no single test that can determine if a
PRNG generates numbers that have the
characteristic of randomness
• If the PRNG exhibits randomness on the basis of
multiple tests, then it can be assumed to satisfy the
randomness requirement

• NIST SP 800-22 specifies that the tests should seek to establish three characteristics:
• Uniformity
• Scalability
• Consistency

Randomness Tests
• SP 800-22 lists 15 separate tests of randomness
• Three tests:
• Frequency test
• The most basic test and must be included in any test suite
• Purpose is to determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence
• Runs test
• Focus is the number of runs in the sequence, where a run is an uninterrupted sequence of identical bits bounded before and after with a bit of the opposite value
• Purpose is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence
• Universal statistical test
• Focus is the number of bits between matching patterns
• Purpose is to detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random


Unpredictability
• A stream of pseudorandom numbers should exhibit two
forms of unpredictability:
• Forward unpredictability
• If the seed is unknown, the next output bit in the sequence
should be unpredictable in spite of any knowledge of previous
bits in the sequence
• Backward unpredictability
• It should not be feasible to determine the seed from
knowledge of any generated values
• No correlation between a seed and any value generated from
that seed should be evident
• Each element of the sequence should appear to be the
outcome of an independent random event whose probability
is 1/2

• The same set of tests for randomness also provides a test of unpredictability
• A random sequence will have no correlation with a fixed value (the seed)

Seed Requirements
• The seed that serves as input to the
PRNG must be secure and
unpredictable

• The seed itself must be a random or pseudorandom number
• Typically the seed is generated by a TRNG

Algorithm Design
• Algorithms fall into two categories:
• Purpose-built algorithms
• Algorithms designed specifically and solely for the
purpose of generating pseudorandom bit streams
• Algorithms based on existing cryptographic
algorithms
• Have the effect of randomizing input data
• Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
• Symmetric block ciphers
• Asymmetric ciphers

Linear Congruential Generator
• An algorithm first proposed by Lehmer that is parameterized with four numbers:
m     the modulus                       m > 0
a     the multiplier                    0 < a < m
c     the increment                     0 ≤ c < m
X_0   the starting value, or seed       0 ≤ X_0 < m
• The sequence of random numbers {X_n} is obtained via the following iterative equation:
X_{n+1} = (aX_n + c) mod m
• If m, a, c, and X_0 are integers, then this technique will produce a sequence of integers with each integer in the range 0 ≤ X_n < m
• The selection of values for a, c, and m is critical in developing a good random number generator
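The recurrence above and the frequency and runs tests from the Randomness Tests slide, put together as an added example (not part of the original slides). With a power-of-two modulus and odd a and c the low-order bit simply alternates, so it passes the frequency test perfectly yet fails the runs test, which is why no single test suffices. Assumptions: the multiplier and increment are the widely published Numerical Recipes constants, the seed is arbitrary, and all function names are illustrative.

```python
import math

ALPHA = 0.01   # SP 800-22 significance level: P-value < ALPHA means "non-random"


def lcg(m, a, c, seed):
    """Yield X_1, X_2, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def frequency_test(bits):
    """SP 800-22 frequency (monobit) test; returns the P-value."""
    s_n = sum(2 * b - 1 for b in bits)            # +1 for each one, -1 for each zero
    s_obs = abs(s_n) / math.sqrt(len(bits))
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """SP 800-22 runs test; returns the P-value (0.0 if the prerequisite fails)."""
    n = len(bits)
    pi = sum(bits) / n                            # proportion of ones
    if abs(pi - 0.5) >= 2 / math.sqrt(n):         # too unbalanced for the test to apply
        return 0.0
    v_obs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))   # number of runs
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    return math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def lcg_bits(bit_index, count, m=2**32, a=1664525, c=1013904223, seed=2017):
    """Take one bit (bit_index, 0 = least significant) from each LCG output."""
    gen = lcg(m, a, c, seed)
    return [(next(gen) >> bit_index) & 1 for _ in range(count)]


if __name__ == "__main__":
    for idx in (0, 31):
        bits = lcg_bits(idx, 4096)
        print(f"bit {idx:2d}: frequency P={frequency_test(bits):.4f} "
              f"runs P={runs_test(bits):.4g}")
```

A generator whose output is used bit by bit has to be judged on the bits actually consumed, not on the integers it produces.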


Blum Blum Shub (BBS) Generator
• Has perhaps the strongest public proof of its cryptographic strength of any purpose-built algorithm
• Referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)
• A CSPRBG is defined as one that passes the next-bit test: there is no polynomial-time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)st bit with probability significantly greater than 1/2
• The security of BBS is based on the difficulty of factoring n

Table 8.1
Example Operation of BBS Generator

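An added sketch of the BBS recurrence (not from the original slides; the body of Table 8.1 did not survive on this page). It squares modulo n = p·q, emits the least significant bit of each state, and also computes a state directly from the factors as a cross-check. The parameters are small illustrative values, far too small for real use, the function names are illustrative, and the code does not verify that p and q are prime.

```python
import math


def bbs_states(p, q, s, count):
    """Return the BBS states X_1..X_count for n = p*q and seed s."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    n = p * q
    if math.gcd(s, n) != 1:
        raise ValueError("s must be relatively prime to n")
    x = pow(s, 2, n)                  # X_0 = s^2 mod n
    states = []
    for _ in range(count):
        x = pow(x, 2, n)              # X_i = X_{i-1}^2 mod n
        states.append(x)
    return states


def bbs_bits(p, q, s, count):
    """Output bit B_i is the least significant bit of X_i."""
    return [x & 1 for x in bbs_states(p, q, s, count)]


def bbs_state_at(p, q, s, i):
    """Compute X_i directly as X_0^(2^i mod lcm(p-1, q-1)) mod n; requires p and q."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return pow(pow(s, 2, n), pow(2, i, lam), n)


if __name__ == "__main__":
    P, Q, SEED = 383, 503, 101355     # illustrative values; n = 192649
    for i, x in enumerate(bbs_states(P, Q, SEED, 8), start=1):
        print(f"i={i:2d}  X_i={x:6d}  B_i={x & 1}")
```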
PRNG Using Block Cipher Modes of Operation
• Two approaches that use a block cipher to build a PRNG have gained widespread acceptance:
• CTR mode
• Recommended in NIST SP 800-90, ANSI standard X9.82, and RFC 4086
• OFB mode
• Recommended in X9.82 and RFC 4086

Table 8.2
Example Results for PRNG Using OFB

Table 8.3
Example Results for PRNG Using CTR


ANSI X9.17 PRNG
• One of the strongest PRNGs is specified in ANSI X9.17
• A number of applications employ this technique including financial security applications and PGP
• The algorithm makes use of triple DES for encryption. Ingredients are:
• Input
• Two pseudorandom inputs drive the generator. One is a 64-bit representation of the current date and time. The other is a 64-bit seed value; this is initialized to some arbitrary value and is updated during the generation process.
• Keys
• The generator makes use of three triple DES encryption modules. All three make use of the same pair of 56-bit keys, which must be kept secret and are used only for pseudorandom number generation.
• Output
• The output consists of a 64-bit pseudorandom number and a 64-bit seed value.

NIST CTR_DRBG
• Counter mode-deterministic random bit generator
• PRNG defined in NIST SP 800-90 based on the CTR mode of operation
• Is widely implemented and is part of the hardware random number generator implemented on all recent Intel processor chips
• DRBG assumes that an entropy source is available to provide random bits
• Entropy is an information theoretic concept that measures unpredictability or randomness
• The encryption algorithm used in the DRBG may be 3DES with three keys or AES with a key size of 128, 192, or 256 bits

Table 8.4
CTR_DRBG Parameters

CTR_DRBG Functions

Stream Cipher Design Considerations
• The encryption sequence should have a large period
• A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats; the longer the period of repeat the more difficult it will be to do cryptanalysis
• The keystream should approximate the properties of a true random number stream as close as possible
• There should be an approximately equal number of 1s and 0s
• If the keystream is treated as a stream of bytes, then all of the 256 possible byte values should appear approximately equally often
• A key length of at least 128 bits is desirable
• The output of the pseudorandom number generator is conditioned on the value of the input key
• The same considerations that apply to block ciphers are valid
• With a properly designed pseudorandom number generator a stream cipher can be as secure as a block cipher of comparable key length
• A potential advantage is that stream ciphers that do not use block ciphers as a building block are typically faster and use far less code than block ciphers


RC4
• Designed in 1987 by Ron Rivest for RSA Security
• Variable key size stream cipher with byte-oriented operations
• Based on the use of a random permutation
• Eight to sixteen machine operations are required per output byte and the cipher can be expected to run very quickly in software
• Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards that have been defined for communication between Web browsers and servers
• Is also used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard

Strength of RC4
• A number of papers have been published analyzing methods of attacking RC4
• None of these approaches is practical against RC4 with a reasonable key length
• A more serious problem is that the WEP protocol intended to provide confidentiality on 802.11 wireless LAN networks is vulnerable to a particular attack approach
• The problem is not with RC4 itself, but the way in which keys are generated for use as input
• Problem does not appear to be relevant to other applications and can be remedied in WEP by changing the way in which keys are generated
• Problem points out the difficulty in designing a secure system that involves both cryptographic functions and protocols that make use of them


Entropy Sources
• A true random number generator (TRNG) uses a nondeterministic source to produce randomness
• Most operate by measuring unpredictable natural processes such as pulse detectors of ionizing radiation events, gas discharge tubes, and leaky capacitors
• Intel has developed a commercially available chip that samples thermal noise by amplifying the voltage measured across undriven resistors
• LavaRnd is an open source project for creating truly random numbers using inexpensive cameras, open source code, and inexpensive hardware
• The system uses a saturated CCD in a light-tight can as a chaotic source to produce the seed; software processes the result into truly random numbers in a variety of formats

Possible Sources of Randomness
• RFC 4086 lists the following possible sources of randomness that can be used on a computer to generate true random sequences:
• Sound/video input
• The input from a sound digitizer with no source plugged in or from a camera with the lens cap on is essentially thermal noise
• If the system has enough gain to detect anything, such input can provide reasonably high-quality random bits
• Disk drives
• Have small random fluctuations in their rotational speed due to chaotic air turbulence
• The addition of low-level disk seek-time instrumentation produces a series of measurements that contain this randomness
• There is also an online service (random.org) which can deliver random sequences securely over the Internet

Table 8.5
Comparison of PRNGs and TRNGs


Conditioning
• A TRNG may produce an output that is biased in some way (such as
having more ones than zeros or vice versa)
• Biased
• NIST SP 800-90B defines a random process as biased with respect to an
assumed discrete set of potential outcomes if some of those outcomes
have a greater probability of occurring than do others
• Entropy rate
• NIST SP 800-90B defines entropy rate as the rate at which a digitized noise
source provides entropy
• Is a measure of the randomness or unpredictability of a bit string
• Will be a value between 0 (no entropy) and 1 (full entropy)
• Conditioning algorithms/deskewing algorithms
• Methods of modifying a bit stream to further randomize the bits
• Typically conditioning is done by using a cryptographic algorithm to
scramble the random bits so as to eliminate bias and increase
entropy
• The two most common approaches are the use of a hash function or a
symmetric block cipher
Hash Function
• A hash function produces an n-bit output
from an input of arbitrary length
• A simple way to use a hash function for
conditioning is as follows:
• Blocks of m input bits, with m ≥ n, are
passed through the hash function and the n
output bits are used as random bits
• To generate a stream of random bits,
successive input blocks pass through the
hash function to produce successive hashed
output blocks
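The conditioning procedure above as an added example (not from the original slides): successive m-bit blocks from a biased source are hashed with SHA-256, so n = 256. The biased source is a constructed simulation, the function names are illustrative, and sizing m so that each block carries at least n bits of min-entropy is an assumption of this example that goes beyond the slide's m ≥ n.

```python
import hashlib
import math
import random

N_OUT = 256                     # n: SHA-256 output size in bits


def biased_bits(count, p_one, seed):
    """Constructed stand-in for a digitized noise source with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(count)]


def min_entropy_per_bit(p_one):
    """Min-entropy of one biased bit: -log2 of the most likely outcome."""
    return -math.log2(max(p_one, 1.0 - p_one))


def block_size(p_one, n_out=N_OUT):
    """Smallest m (multiple of 8, m >= n) whose m bits hold n_out bits of min-entropy."""
    h = min_entropy_per_bit(p_one)
    if h <= 0:
        raise ValueError("source has no entropy; conditioning cannot help")
    m = math.ceil(n_out / h)
    return max(n_out, 8 * math.ceil(m / 8))


def condition(bits, m):
    """Hash successive m-bit input blocks; each block yields 256 output bits."""
    out = []
    for start in range(0, len(bits) - m + 1, m):
        block = bits[start:start + m]
        packed = int("".join(map(str, block)), 2).to_bytes((m + 7) // 8, "big")
        digest = hashlib.sha256(packed).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(7, -1, -1))
    return out


def ones_fraction(bits):
    """Fraction of ones, a quick view of bias before and after conditioning."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    m = block_size(0.75)
    raw = biased_bits(m * 64, 0.75, seed=8)
    print("m =", m, "raw ones:", round(ones_fraction(raw), 3),
          "conditioned ones:", round(ones_fraction(condition(raw, m)), 3))
```

Hashing removes the visible bias but cannot create entropy: the output holds no more unpredictability than the input block carried.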
Health Tests on the
Noise Source
• The nature of the health testing of the noise source
depends strongly on the technology used to produce
noise
• In general, the assumption can be made that the
digitized output of the noise source will exhibit some bias
• Thus, traditional statistical tests are not useful for
monitoring the noise source, because the noise source is
likely to always fail
• The tests on the noise source need to be tailored to the
expected statistical behavior of the correctly operating
noise source
• The goal is not to determine if the source is unbiased, but
if it is operating as expected



Health Tests on the
Noise Source
• SP 800-90B specifies that continuous tests be done on digitized
samples obtained from the noise source
• The purpose is to test for variability and to determine if the noise
source is producing at the expected entropy rate

• SP 800-90B mandates the use of two tests
• Repetition Count Test
• Designed to quickly detect a catastrophic failure that causes the
noise source to become “stuck” on a single output value for a long
time
• Involves looking for consecutive identical samples
• Adaptive Proportion Test
• Designed to detect a large loss of entropy, such as might occur as a
result of some physical failure or environmental change affecting the
noise source
• The test continuously measures the local frequency of occurrence of
some sample value in a sequence of noise source samples to
determine if the sample occurs too frequently
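The two mandated tests as an added example (not from the original slides), run over constructed binary samples; a source with a known bias of 0.6 passes because the cutoffs are derived from its expected entropy rather than from an unbiased ideal. It assumes the cutoff formulas of the final SP 800-90B, C = 1 + ceil(-log2(alpha) / H) for the Repetition Count Test and C = 1 + CRITBINOM(W, 2^-H, 1 - alpha) for the Adaptive Proportion Test with W = 1024 for binary samples, and alpha = 2^-20. Function names and the simulated sample streams are illustrative.

```python
import math
import random

ALPHA = 2.0 ** -20        # assumed false-alarm probability per test
WINDOW = 1024             # APT window size for binary samples


def rct_cutoff(h, alpha=ALPHA):
    """Repetition Count Test cutoff for min-entropy h bits per sample."""
    return 1 + math.ceil(-math.log2(alpha) / h)


def apt_cutoff(h, window=WINDOW, alpha=ALPHA):
    """Adaptive Proportion Test cutoff: 1 + CRITBINOM(window, 2^-h, 1 - alpha)."""
    p = 2.0 ** -h                       # probability of the most likely sample value
    tail = 0.0                          # P(X > k), accumulated from k = window down
    for k in range(window, -1, -1):
        pmf = math.exp(math.lgamma(window + 1) - math.lgamma(k + 1)
                       - math.lgamma(window - k + 1)
                       + k * math.log(p) + (window - k) * math.log1p(-p))
        if tail + pmf > alpha:          # P(X >= k) exceeds alpha, so CRITBINOM = k
            return 1 + k
        tail += pmf
    return 1


def health_test(samples, h, window=WINDOW):
    """Return the set of continuous health tests that the samples fail."""
    failed = set()
    c_rct, c_apt = rct_cutoff(h), apt_cutoff(h, window)
    last, run = None, 0
    for x in samples:                   # Repetition Count Test: consecutive repeats
        run = run + 1 if x == last else 1
        last = x
        if run >= c_rct:
            failed.add("repetition_count")
            break
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= c_apt:   # occurrences of the window's first sample
            failed.add("adaptive_proportion")
            break
    return failed


# Constructed sample streams (simulated, not measurements from real hardware).
P_ONE = 0.6                                   # expected bias of the healthy source
H = -math.log2(P_ONE)                         # its min-entropy per bit, about 0.74
_rng = random.Random(90)
HEALTHY = [1 if _rng.random() < P_ONE else 0 for _ in range(2048)]
STUCK = HEALTHY[:200] + [1] * 64              # source freezes on a single value
DEGRADED = [1, 1, 1, 0] * 512                 # periodic output, three ones in four

if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("stuck", STUCK), ("degraded", DEGRADED)):
        print(name, sorted(health_test(data, H)) or "pass")
```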



Health Tests on the Conditioning Function
• The purpose of the health tests on the conditioning component is to assure that the output behaves as a true random bit stream
• It is reasonable to use the tests for randomness defined in SP 800-22


Intel Digital Random
Number Generator
• TRNGs have traditionally been used only for key
generation and other applications where only a
small number of random bits were required
• This is because TRNGs have generally been
inefficient with a low bit rate of random bit production

• The first commercially available TRNG that achieves bit production rates comparable with that of PRNGs is the Intel digital random number generator offered on new multicore chips since May 2012
• It is implemented entirely in hardware
• The entire DRNG is on the same multicore chip as the processors

Summary
• Principles of pseudorandom number generation
• The use of random numbers
• TRNGs, PRNGs, and PRFs
• PRNG requirements
• Algorithm design
• Pseudorandom number generators
• Linear congruential generators
• Blum Blum Shub generator
• Pseudorandom number generation using a block cipher
• PRNG using block cipher modes of operation
• ANSI X9.17 PRNG
• NIST CTR_DRBG
• Stream ciphers
• RC4
• Initialization of S
• Stream generation
• Strength of RC4
• True random number generators
• Entropy sources
• Comparison of PRNGs and TRNGs
• Conditioning