
Random Escrow Project

Breaking forward secrecy through Operating System level escrow of randomly generated values

Presentation for IT862; Presentation for IT673

Concept

The goal of this project is to investigate the practicality and value of OS-level escrow of randomly generated values.

Motivation

Many system administrators go to great lengths to monitor the activity of their computer systems, but often find that cryptography hampers their ability to monitor adequately. Even where administrators hold the long-term keys and have extensive monitoring and forensics capabilities, cryptography that provides forward secrecy can still impede monitoring and forensics: the long-term keys only authenticate the session, while the session keys are derived from ephemeral random values that are never stored. OS-level escrow of random values could supply the missing piece of information that administrators need to perform extensive monitoring and forensics. Random Escrow seems like a practical solution for system administrators who have relatively strong control over system infrastructure, including the operating system, but relatively weak control over application software. Random Escrow does not appear to be a particularly useful technique for attackers or unauthorized users, since it requires control of the operating system kernel on the monitored host.

Progress

The first aspect of this project is developing a means of "tapping" the random number generator of a modern operating system.
The second aspect is to demonstrate the practical application of random escrow by breaking the forward secrecy of a network protocol, using a network traffic capture together with the escrowed random values that were used in session key negotiation.
Many refinements can be imagined for both aspects of the project.

OS level Random Generation Tap

Linux was chosen to implement a proof-of-concept random value generation tap because it is open and familiar. The current implementation is a kernel patch that prints every OS-level randomly generated value (in hex) using printk(), so the values appear in dmesg, klogd, and the syslog kernel facility. This implementation should not be considered secure: anyone who can read the kernel log can read every random value the system generates, including key material.
The patch for the Linux 2.6.18 kernel can be found here: radom_escrow.patch
Future implementations should ensure that only the system administrator has access to the escrowed random values; allow selecting which interfaces into the random number generator are escrowed (get_random_bytes(), /dev/urandom, or /dev/random), preferably at run time; and so on.

Breaking Forward Secrecy

POC step 1 is finished.
Step 2 is to develop a POC against a real protocol, such as SSH.
This has been started but is not complete. The current demonstration is packaged as a VM (excuse the slow download); see the README.txt file.
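The two steps above, consuming the tap's kernel-log output and then using the escrowed values against a captured key exchange, as one added user-space example. This is not the project's patch or VM: the escrow log lines are constructed here and their printk() format is an assumption, the Diffie-Hellman group (p = 2^32 - 5, g = 2) is a toy one chosen so all arithmetic fits in 64 bits, and the derive_exponent() mapping from raw RNG bytes to a private exponent is a stand-in for whatever the real protocol does. The passive attacker holds only the packet capture (both public values) and the log, tries each logged value as the monitored host's exponent, and accepts the one that reproduces the public value seen on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy Diffie-Hellman group: p = 2^32 - 5 (prime), generator g = 2.
 * Small enough that a*b fits in uint64_t; a real exchange uses a
 * 2048-bit or larger group, but the escrow attack is identical. */
#define DH_P 4294967291ULL
#define DH_G 2ULL

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a * b) % DH_P; }

/* Square-and-multiply modular exponentiation mod DH_P. */
uint64_t powmod(uint64_t base, uint64_t exp) {
    uint64_t result = 1;
    base %= DH_P;
    while (exp) {
        if (exp & 1) result = mulmod(result, base);
        base = mulmod(base, base);
        exp >>= 1;
    }
    return result;
}

/* Constructed escrow log in the shape of a dmesg/klogd stream (assumed
 * format, not the real patch's). Each line is one get_random_bytes()
 * call with its output in hex. Entry 1 is the monitored client's DH
 * exponent; the other two are unrelated RNG calls (noise). */
#define ESCROW_LINES 3
const char *escrow_log[ESCROW_LINES] = {
    "[  123.456789] random_escrow: get_random_bytes 8 bytes: 0f3a9c1e7b2d4466",
    "[  123.456901] random_escrow: get_random_bytes 8 bytes: 1c9e0b77d3a5f210",
    "[  124.000123] random_escrow: get_random_bytes 8 bytes: 02b4e6f80a1c3e5d",
};

/* Parse one escrow line; returns 1 and stores the 8-byte value on success. */
int parse_escrow_line(const char *line, uint64_t *val) {
    const char *marker = "bytes: ";
    const char *hex = strstr(line, marker);
    if (!hex) return 0;
    hex += strlen(marker);
    char *end;
    uint64_t v = strtoull(hex, &end, 16);
    if (end - hex != 16) return 0;   /* expect exactly 16 hex digits */
    *val = v;
    return 1;
}

/* Map raw RNG output to a private exponent in [1, p-2]. Endpoint and
 * attacker must apply the same derivation (assumed, protocol-specific). */
uint64_t derive_exponent(uint64_t raw) { return raw % (DH_P - 2) + 1; }

typedef struct { uint64_t priv; uint64_t pub; } dh_party;

dh_party dh_party_from_random(uint64_t raw) {
    dh_party p;
    p.priv = derive_exponent(raw);
    p.pub = powmod(DH_G, p.priv);
    return p;
}

/* Passive attacker with capture + escrow log. Returns the shared secret,
 * or 0 if no logged value reproduces local_pub (0 is never a valid
 * group element mod a prime, so it is a safe failure value). */
uint64_t recover_shared_secret(const char **log, size_t n,
                               uint64_t local_pub, uint64_t peer_pub) {
    for (size_t i = 0; i < n; i++) {
        uint64_t raw;
        if (!parse_escrow_line(log[i], &raw)) continue;
        uint64_t cand = derive_exponent(raw);
        if (powmod(DH_G, cand) == local_pub)   /* this entry was the exponent */
            return powmod(peer_pub, cand);
    }
    return 0;
}

/* End-to-end run: 1 if the escrow-derived secret equals the secret both
 * endpoints computed, 0 otherwise. */
int demo(void) {
    uint64_t raw_client;
    if (!parse_escrow_line(escrow_log[1], &raw_client)) return 0;
    /* The remote server's randomness is not escrowed; this constant only
     * stands in for the server's own RNG in the simulation. */
    uint64_t raw_server = 0x6d1f4c8a0b3e2975ULL;
    dh_party client = dh_party_from_random(raw_client);
    dh_party server = dh_party_from_random(raw_server);
    uint64_t s_client = powmod(server.pub, client.priv);
    uint64_t s_server = powmod(client.pub, server.priv);
    uint64_t recovered = recover_shared_secret(escrow_log, ESCROW_LINES,
                                               client.pub, server.pub);
    printf("on the wire: A=%llx B=%llx\n",
           (unsigned long long)client.pub, (unsigned long long)server.pub);
    printf("endpoints agree: %s; escrow recovered secret: %llx\n",
           s_client == s_server ? "yes" : "no", (unsigned long long)recovered);
    return s_client == s_server && recovered == s_client && recovered != 0;
}

int main(void) { return demo() ? 0 : 1; }
```

The point of matching each candidate against the public value on the wire is that the tap logs every RNG call on the host, not just the key-exchange exponent, so the attacker needs the capture to pick out the right entry. Against a real protocol such as SSH the remaining work is to apply the protocol's own exponent derivation and key schedule to the recovered shared secret; this example stops at the secret itself.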