Bad Randomness: Protecting Against Cryptography's Perfect Crime


Crypto systems are the cornerstone of our digital security infrastructure, whether they are used to encrypt our data to protect their confidentiality or for signing to prove data authenticity.

However, most crypto systems have an Achilles heel: Their security relies on the proper randomness of their parameters' values, such as keys or nonces.

As a result, bad randomness is cryptography's perfect crime: powerful enough to totally break crypto systems, yet highly stealthy. Unlike other malicious-input-based attack vectors, a bad randomness input is indistinguishable from a benign one, which makes it impossible to protect against in real time and very hard to detect even in a post-mortem analysis.

While the subject of bad randomness is not new in itself, it is usually discussed in the context of engineers' negligence or low-cost IoT devices. In this talk, we will show how bad randomness was used in the wild to compromise highly targeted individuals and high-value accounts.

One such example is the nation-state APT Reductor malware, which selectively tampers with the victims' pseudo-random number generator (PRNG) to compromise TLS encryption. We will unearth for the first time how it could break TLS ECDHE "perfect forward secrecy" (PFS) to allow passive eavesdropping, thus making it more beneficial to attackers than the actual server TLS certificate(!). We will discuss why this capability remained undetected in previous analyses and share a new tool to demonstrate such passive decryption.
Another relevant example from a different field is our recently discovered Bitcoin "dark forest" bots, which hunt for bad randomness in blockchain signature keys to steal millions of dollars of funds in seconds. We will explain and demonstrate this attack and share a tool to recreate it.

To solve this acute problem, we will suggest a novel architecture that allows crypto systems to minimize their blind trust in randomness. Where possible, it eliminates the need for additional randomness by relying on well-reputed past randomness. Where that is impossible, it applies secure Multi-Party Computation (MPC) to the protocol and its randomness. Distributing a system's randomness and removing single points of failure increases its resilience against bad randomness exploits.
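The two defensive ideas above (spotting the nonce reuse that the "dark forest" bots exploit, and removing the dependence on fresh randomness at signing time) can be shown with a small script. The following is an added example written for this page, not a tool from the talk or from Zengo: the signature records, public-key labels and r values are constructed inline, and `deterministic_nonce` is a simplified HMAC-based derivation in the spirit of RFC 6979, not the RFC's exact algorithm.

```python
import hashlib
import hmac
from collections import defaultdict

# Group order of secp256k1, the curve Bitcoin signs with (public constant, not page-specific).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def find_reused_nonces(signatures):
    """Flag ECDSA signatures that share an r value under the same public key.

    Each record is a dict with "pubkey", "r", "s" and "msg_hash". Since r is the
    x-coordinate of k*G, the same r under one key means the same nonce k was used.
    Only repeats across *different* messages are reported: a deterministic signer
    legitimately produces identical signatures when it signs the same message twice.
    """
    by_key_and_r = defaultdict(list)
    for sig in signatures:
        by_key_and_r[(sig["pubkey"], sig["r"])].append(sig)

    findings = []
    for (pubkey, r), sigs in by_key_and_r.items():
        distinct_messages = {s["msg_hash"] for s in sigs}
        if len(distinct_messages) > 1:
            findings.append({"pubkey": pubkey, "r": r, "signatures": len(sigs)})
    return findings


def deterministic_nonce(private_key: int, msg_hash: bytes, order: int = SECP256K1_N) -> int:
    """Derive the signing nonce from the key and message instead of a live RNG.

    Simplified HMAC-SHA256 derivation (assumption: in the spirit of RFC 6979, not the
    exact RFC construction). A counter is appended and retried until the candidate
    falls in [1, order-1]; for a 256-bit order this loop almost never iterates.
    """
    key_bytes = private_key.to_bytes(32, "big")
    counter = 0
    while True:
        mac = hmac.new(key_bytes, msg_hash + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        k = int.from_bytes(mac, "big")
        if 1 <= k < order:
            return k
        counter += 1


# Constructed sample signatures (labels and numbers invented for this example).
# key-A signed two different messages with the same r: the weakness the bots look for.
# key-B signed the same message twice with the same r: benign deterministic behaviour.
SAMPLE_SIGNATURES = [
    {"pubkey": "key-A", "r": 0x1111, "s": 0x2222, "msg_hash": "aa" * 32},
    {"pubkey": "key-A", "r": 0x1111, "s": 0x3333, "msg_hash": "bb" * 32},
    {"pubkey": "key-A", "r": 0x4444, "s": 0x5555, "msg_hash": "cc" * 32},
    {"pubkey": "key-B", "r": 0x6666, "s": 0x7777, "msg_hash": "dd" * 32},
    {"pubkey": "key-B", "r": 0x6666, "s": 0x7777, "msg_hash": "dd" * 32},
]


def scan_sample():
    """Run the detector over the constructed records; returns the list of findings."""
    return find_reused_nonces(SAMPLE_SIGNATURES)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"nonce reuse: pubkey={finding['pubkey']} r={finding['r']:#x} "
              f"across {finding['signatures']} signatures")
    k1 = deterministic_nonce(7, bytes.fromhex("aa" * 32))
    k2 = deterministic_nonce(7, bytes.fromhex("aa" * 32))
    k3 = deterministic_nonce(7, bytes.fromhex("bb" * 32))
    print("same key+message -> same nonce:", k1 == k2)
    print("different message -> different nonce:", k1 != k3)
```

The detector is what a monitoring job would run over signatures seen on-chain for keys you control; a hit means the key should be treated as compromised and funds moved. The nonce derivation shows the first half of the talk's architecture: once the nonce is a function of the key and message, a patched or weak RNG on the signing host has nothing left to influence at signing time.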

By:
Tal Be'ery | Co-Founder, CTO, Zengo

Full Abstract & Presentation Materials:
https://www.blackhat.com/asia-24/brie...
