sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability


sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability

Kenji Rikitake-4
The following is the security notice of sfmt-erlang, a random number module for Erlang based on SFMT, regarding the recently revealed attack against the PHP mt_seed() vulnerability.
I've already updated hex.pm/sfmt with a new package including the following security notice.
-- Kenji Rikitake

## Security notice regarding the PHP mt_seed() vulnerability

Ambionics Security published [an internal state retrieval algorithm of PHP `mt_rand()`](https://www.ambionics.io/blog/php-mt-rand-prediction) on 6-JAN-2020. sfmt-erlang uses the same seed-to-internal-state initialization algorithm at the function `init_gen_rand/1`.

For reducing the possibility of internal state revelation, use `init_by_list32/1` instead, better combined with `rand:uniform/1`. [Raimo Niskanen published a piece of code for this purpose](http://erlang.org/pipermail/erlang-questions/2018-July/095875.html).

*Note well that sfmt-erlang has no cryptographic security guarantee and MUST NOT be used for security purposes such as password generation.*

Also: the Erlang and C code files of versions 0.13.0 and 0.13.1 are identical. Users have no need to upgrade.

Re: sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability

Raimo Niskanen-11
On Wed, Jan 08, 2020 at 01:03:53PM +0900, Kenji Rikitake wrote:
> The following is the security notice of sfmt-erlang, a random number module
> for Erlang based on SFMT, regarding the recently revealed attack against
> PHP mt_seed() vulnerability.
> I've already updated hex.pm/sfmt with a new package including the following
> security notice.
> -- Kenji Rikitake
>
> ## Security notice regarding the PHP mt_seed() vulnerability

Great that you keep an eye on these kinds of matters, Kenji! :-)

>
> Ambionics Security published [an internal state retrieval algorithm of PHP
> `mt_rand()`](https://www.ambionics.io/blog/php-mt-rand-prediction) on
> 6-JAN-2020. sfmt-erlang uses the same seed-to-internal-state initialization
> algorithm at the function `init_gen_rand/1`.
>
> For reducing the possibility of the internal state revelation, use
> `init_by_list32/1` instead, better combined with `rand:uniform/1`. [Raimo
> Niskanen published a piece of code for this purpose](
> http://erlang.org/pipermail/erlang-questions/2018-July/095875.html).

I would just like to emphasize that using `rand:uniform/1` with any algorithm
in the `rand` module only _reduces_ the possibility for internal state
revelation.  All the steps in that Ambionics Security paper, as far as I
can tell, can, in theory, be done on any algorithm in the `rand` module,
albeit with much more work. Not yet figured out work, to be added...

"Breaking" a non-secure PRNG like a Mersenne Twister is really a moot point
since you can not break what is not supposed to hold.  The Ambionics
Security paper shows code that incorrectly used a non-secure PRNG to
generate a password and then demonstrates exactly how efficiently that
can be exploited.  So what they actually broke was that incorrect code.

>
> *Note well that sfmt-erlang has no cryptographic security guarantee and
> MUST NOT be used for security purposes such as password generation.*

_That_ is a very important point here!


>
> Also: Version 0.13.0 and 0.13.1 Erlang and C code files are identical.
> Users have no need to upgrade.

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability

Jesper Louis Andersen-2
On Wed, Jan 8, 2020 at 11:19 AM Raimo Niskanen <[hidden email]> wrote:
On Wed, Jan 08, 2020 at 01:03:53PM +0900, Kenji Rikitake wrote:
>
> *Note well that sfmt-erlang has no cryptographic security guarantee and
> MUST NOT be used for security purposes such as password generation.*

_That_ is a very important point here!


This is the important part. CSPRNGs[0] are made to withstand these types of attacks. This is due to the fact they must withstand extension attacks, typically by rolling the internal state material forward in a ratchet so you can't go back to the earlier states. Otherwise, an attacker gaining access to the internal state would be able to roll the RNG state backwards.

For example, consider that we create a "CSPRNG" based on AES256 in CTR mode. Our internal state is {k, n} for a key k and a counter n, and to produce the stream of randomness we compute AES_k(0), AES_k(1), AES_k(2), ... and so on. Now the problem is that if the attacker gains access to the pair {k, n} they can regenerate the whole sequence from the start up until n.

--
J.
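Jesper's AES-CTR sketch above, with a key ratchet placed beside it, as an added Go example (not code from this thread or from sfmt-erlang): the `gen` type, the 0x42 demo key and the key-derivation layout are constructed for illustration. It shows that a captured {k, n} replays every earlier output of the plain generator, while the ratcheted one only ever holds a key derived from, and not invertible to, the previous key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// gen is the {k, n} generator from the post: output = AES_k(n). With ratchet
// set, k is replaced after every output, so the state never holds an old key.
type gen struct {
	key     []byte // 32 bytes: AES-256
	n       uint64
	ratchet bool
}

func (g *gen) next() []byte {
	c, _ := aes.NewCipher(g.key) // key length is fixed at 32 bytes here
	var in [16]byte
	binary.BigEndian.PutUint64(in[8:], g.n)
	out := make([]byte, 16)
	c.Encrypt(out, in[:])
	if g.ratchet {
		// k' = AES_k(1||n) || AES_k(2||n): holding k' does not give back k.
		next := make([]byte, 32)
		in[0] = 1
		c.Encrypt(next[:16], in[:])
		in[0] = 2
		c.Encrypt(next[16:], in[:])
		g.key = next // a real implementation would also zero the old key
	}
	g.n++
	return out
}

// canRecoverPast plays the compromise from the post: the attacker learns the
// current {k, n}, rewinds n to 0 and replays; true means past output is exposed.
func canRecoverPast(ratchet bool) bool {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not real entropy
	g := &gen{key: key, ratchet: ratchet}
	first := g.next() // output 0, already handed to a user before the leak
	leaked := &gen{key: g.key, n: 0, ratchet: ratchet}
	return bytes.Equal(leaked.next(), first)
}

func main() {
	fmt.Println("plain CTR, past output recoverable:", canRecoverPast(false))
	fmt.Println("ratcheted, past output recoverable: ", canRecoverPast(true))
}
```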

Re: sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability

Kenji Rikitake-4
In reply to this post by Raimo Niskanen-11
I've discovered it's not only PHP or sfmt-erlang, but any language or system which uses the reference initialization sequence (i.e. copying the init_gen_rand() of MT or SFMT distribution by the original authors) might be affected by this PRNG state disclosure. 
-- Kenji Rikitake
