[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.32,0:00:17.69,Default,,0000,0000,0000,,Herald: Our next talk is on "the plain simple\Nreality of entropy", and
Dialogue: 0,0:00:17.69,0:00:21.57,Default,,0000,0000,0000,,we all know that you need randomness and entropy
Dialogue: 0,0:00:21.57,0:00:23.99,Default,,0000,0000,0000,,if you want to do something like encryption
Dialogue: 0,0:00:23.99,0:00:26.14,Default,,0000,0000,0000,,or generate keys.
Dialogue: 0,0:00:26.14,0:00:28.83,Default,,0000,0000,0000,,And if you don't want to do it the xkcd way,
Dialogue: 0,0:00:28.83,0:00:31.78,Default,,0000,0000,0000,,using only 4 as the random number,
Dialogue: 0,0:00:31.78,0:00:37.43,Default,,0000,0000,0000,,you need a cryptographically secure pseudorandom\Nnumber generator,
Dialogue: 0,0:00:37.43,0:00:39.71,Default,,0000,0000,0000,,and what is this, how it works,
Dialogue: 0,0:00:39.71,0:00:41.72,Default,,0000,0000,0000,,and where you can find one,
Dialogue: 0,0:00:41.72,0:00:44.17,Default,,0000,0000,0000,,will be the topic of this talk.
Dialogue: 0,0:00:44.17,0:00:47.17,Default,,0000,0000,0000,,So I present to you Filippo Valsorda,
Dialogue: 0,0:00:47.17,0:00:52.44,Default,,0000,0000,0000,,on "How I learned to stop worrying and love\Nurandom".
Dialogue: 0,0:00:52.44,0:00:59.23,Default,,0000,0000,0000,,applause
Dialogue: 0,0:00:59.23,0:01:03.44,Default,,0000,0000,0000,,FV: Hello. Okay, I'm very glad so many people\Nshowed up,
Dialogue: 0,0:01:03.44,0:01:06.58,Default,,0000,0000,0000,,even if I essentially gave away the entire\Ncontent of the talk
Dialogue: 0,0:01:06.58,0:01:09.70,Default,,0000,0000,0000,,in the description.
Dialogue: 0,0:01:09.70,0:01:11.43,Default,,0000,0000,0000,,Want me to stop, to leave, something?
Dialogue: 0,0:01:11.43,0:01:12.48,Default,,0000,0000,0000,,Okay? No.
Dialogue: 0,0:01:12.48,0:01:15.10,Default,,0000,0000,0000,,Anyway, hi! I'm Filippo Valsorda,
Dialogue: 0,0:01:15.10,0:01:16.49,Default,,0000,0000,0000,,I work for CloudFlare,
Dialogue: 0,0:01:16.49,0:01:18.87,Default,,0000,0000,0000,,I do cryptography and systems engineering,
Dialogue: 0,0:01:18.87,0:01:22.95,Default,,0000,0000,0000,,I recently implemented the DNSSEC implementation
Dialogue: 0,0:01:22.95,0:01:25.83,Default,,0000,0000,0000,,of the CloudFlare DNS server,
Dialogue: 0,0:01:25.83,0:01:31.75,Default,,0000,0000,0000,,and maybe in April 2014, you used my Heartbleed\Ntest.
Dialogue: 0,0:01:31.75,0:01:33.20,Default,,0000,0000,0000,,Anyway,
Dialogue: 0,0:01:33.20,0:01:34.66,Default,,0000,0000,0000,,applause
Dialogue: 0,0:01:34.66,0:01:39.02,Default,,0000,0000,0000,,Well, thank you!
Dialogue: 0,0:01:39.02,0:01:44.36,Default,,0000,0000,0000,,Okay. Anyway, I'm here to tell you about random\Nbytes.
Dialogue: 0,0:01:44.36,0:01:46.37,Default,,0000,0000,0000,,So, here are some random bytes.
Dialogue: 0,0:01:46.37,0:01:50.12,Default,,0000,0000,0000,,They're pretty good, you can use them.
Dialogue: 0,0:01:50.12,0:01:52.48,Default,,0000,0000,0000,,laughter
Dialogue: 0,0:01:52.48,0:01:55.65,Default,,0000,0000,0000,,But, if you need more,
Dialogue: 0,0:01:55.65,0:01:59.42,Default,,0000,0000,0000,,Amazon sells this excellent book
Dialogue: 0,0:01:59.42,0:02:04.82,Default,,0000,0000,0000,,full of a million random numbers.
Dialogue: 0,0:02:04.82,0:02:07.67,Default,,0000,0000,0000,,Anyway. More seriously,
Dialogue: 0,0:02:07.67,0:02:10.63,Default,,0000,0000,0000,,random numbers are central to a lot of
Dialogue: 0,0:02:10.63,0:02:16.05,Default,,0000,0000,0000,,the security protocols and systems of our\Nmodern technology.
Dialogue: 0,0:02:16.05,0:02:19.31,Default,,0000,0000,0000,,The most obvious is encryption keys.
Dialogue: 0,0:02:19.31,0:02:22.02,Default,,0000,0000,0000,,You obviously want your encryption key to\Nbe random,
Dialogue: 0,0:02:22.02,0:02:24.22,Default,,0000,0000,0000,,to be really hard to predict,
Dialogue: 0,0:02:24.22,0:02:26.14,Default,,0000,0000,0000,,and you want your encryption key to be different
Dialogue: 0,0:02:26.14,0:02:29.08,Default,,0000,0000,0000,,from the person next to you.
Dialogue: 0,0:02:29.08,0:02:30.25,Default,,0000,0000,0000,,Unless you're doing key escrow,
Dialogue: 0,0:02:30.25,0:02:32.52,Default,,0000,0000,0000,,which, well, we don't point.
Dialogue: 0,0:02:32.52,0:02:37.16,Default,,0000,0000,0000,,So, a lot of other different systems
Dialogue: 0,0:02:37.16,0:02:41.13,Default,,0000,0000,0000,,use randomness to prevent all kinds of attack.
Dialogue: 0,0:02:41.13,0:02:43.60,Default,,0000,0000,0000,,In particular, one amongst many,
Dialogue: 0,0:02:43.60,0:02:45.78,Default,,0000,0000,0000,,DNS, using random query IDs
Dialogue: 0,0:02:45.78,0:02:48.64,Default,,0000,0000,0000,,to prevent Kaminsky attacks.
Dialogue: 0,0:02:48.64,0:02:55.45,Default,,0000,0000,0000,,So, what makes a stream, a source of random\Nbytes, good?
Dialogue: 0,0:02:55.45,0:02:59.19,Default,,0000,0000,0000,,What are we looking for when we look for good\Nrandom bytes?
Dialogue: 0,0:02:59.19,0:03:03.56,Default,,0000,0000,0000,,First of all, we look for uniform random bytes.
Dialogue: 0,0:03:03.56,0:03:07.38,Default,,0000,0000,0000,,Every time we draw a random byte from our\Nrandom byte source
Dialogue: 0,0:03:07.38,0:03:09.51,Default,,0000,0000,0000,,we want to have the same probability
Dialogue: 0,0:03:09.51,0:03:13.59,Default,,0000,0000,0000,,to get all values, from 0 to 255.
Dialogue: 0,0:03:13.59,0:03:18.51,Default,,0000,0000,0000,,For example, you don't want your distribution\Nto look like this.
Dialogue: 0,0:03:18.51,0:03:21.15,Default,,0000,0000,0000,,This is RC4.
Dialogue: 0,0:03:21.15,0:03:23.88,Default,,0000,0000,0000,,But that's not enough.
Dialogue: 0,0:03:23.88,0:03:28.37,Default,,0000,0000,0000,,You also want your random bytes to be completely\Nunpredictable.
Dialogue: 0,0:03:28.37,0:03:33.19,Default,,0000,0000,0000,,And here is where the task actually becomes\Ndifficult.
Dialogue: 0,0:03:33.19,0:03:36.64,Default,,0000,0000,0000,,Because if you think about it, we are programming\Ncomputers.
Dialogue: 0,0:03:36.64,0:03:38.65,Default,,0000,0000,0000,,Computers are very deterministic machines,
Dialogue: 0,0:03:38.65,0:03:43.77,Default,,0000,0000,0000,,even if they don't feel like they are.
Dialogue: 0,0:03:43.77,0:03:45.83,Default,,0000,0000,0000,,And they're essentially machines built
Dialogue: 0,0:03:45.83,0:03:51.87,Default,,0000,0000,0000,,to sequentially execute always the same set\Nof instructions,
Dialogue: 0,0:03:51.87,0:03:54.45,Default,,0000,0000,0000,,which we call code.
Dialogue: 0,0:03:54.45,0:03:56.56,Default,,0000,0000,0000,,And when we ask them, at some point,
Dialogue: 0,0:03:56.56,0:03:58.95,Default,,0000,0000,0000,,to do something that is completely different
Dialogue: 0,0:03:58.95,0:04:00.90,Default,,0000,0000,0000,,every time they do it,
Dialogue: 0,0:04:00.90,0:04:03.73,Default,,0000,0000,0000,,and two equal computers should do it differently,
Dialogue: 0,0:04:03.73,0:04:05.26,Default,,0000,0000,0000,,we get in trouble.
Dialogue: 0,0:04:05.26,0:04:11.31,Default,,0000,0000,0000,,So, where can a computer source this randomness?
Dialogue: 0,0:04:11.31,0:04:15.22,Default,,0000,0000,0000,,Where can a computer find unpredictability,
Dialogue: 0,0:04:15.22,0:04:17.58,Default,,0000,0000,0000,,if it can't have its own?
Dialogue: 0,0:04:17.58,0:04:21.70,Default,,0000,0000,0000,,Obviously, in our messy meat world.
Dialogue: 0,0:04:21.70,0:04:23.44,Default,,0000,0000,0000,,In our physical world,
Dialogue: 0,0:04:23.44,0:04:27.97,Default,,0000,0000,0000,,where everything is not always happening the\Nsame way.
Dialogue: 0,0:04:27.97,0:04:32.06,Default,,0000,0000,0000,,So, user input: every time you type on the\Nkeyboard,
Dialogue: 0,0:04:32.06,0:04:33.82,Default,,0000,0000,0000,,you do that with different timings.
Dialogue: 0,0:04:33.82,0:04:35.18,Default,,0000,0000,0000,,When you move your mouse around,
Dialogue: 0,0:04:35.18,0:04:37.32,Default,,0000,0000,0000,,you do that differently every time.
Dialogue: 0,0:04:37.32,0:04:40.72,Default,,0000,0000,0000,,Or, simply, reading from disk.
Dialogue: 0,0:04:40.72,0:04:45.19,Default,,0000,0000,0000,,Every time your computer reads something from\Ndisk,
Dialogue: 0,0:04:45.19,0:04:49.21,Default,,0000,0000,0000,,it takes a slightly different amount of time.
Dialogue: 0,0:04:49.21,0:04:53.40,Default,,0000,0000,0000,,Or interrupt times, I/O, you get the idea.
Dialogue: 0,0:04:53.40,0:04:56.88,Default,,0000,0000,0000,,So, all these events are visible to the kernel.
Dialogue: 0,0:04:56.88,0:04:59.19,Default,,0000,0000,0000,,The kernel is the component of your system
Dialogue: 0,0:04:59.19,0:05:03.25,Default,,0000,0000,0000,,which is controlling all these interactions
Dialogue: 0,0:05:03.25,0:05:05.82,Default,,0000,0000,0000,,with the outside world, and can measure them
Dialogue: 0,0:05:05.82,0:05:09.85,Default,,0000,0000,0000,,and observe them with the right precision.
Dialogue: 0,0:05:09.85,0:05:14.10,Default,,0000,0000,0000,,And each of these events can have
Dialogue: 0,0:05:14.10,0:05:16.99,Default,,0000,0000,0000,,a wide or narrow range of possible values,
Dialogue: 0,0:05:16.99,0:05:19.20,Default,,0000,0000,0000,,for example, when you read from disk,
Dialogue: 0,0:05:19.20,0:05:25.19,Default,,0000,0000,0000,,it might take from 0.17 nanoseconds to 1.3\Nnanoseconds.
Dialogue: 0,0:05:25.19,0:05:29.07,Default,,0000,0000,0000,,I made numbers up.
Dialogue: 0,0:05:29.07,0:05:33.60,Default,,0000,0000,0000,,How wide this range is, is what we call entropy.
Dialogue: 0,0:05:33.60,0:05:36.14,Default,,0000,0000,0000,,Essentially it is how many different values,
Dialogue: 0,0:05:36.14,0:05:40.75,Default,,0000,0000,0000,,how spread apart the values are,
Dialogue: 0,0:05:40.75,0:05:45.25,Default,,0000,0000,0000,,which also means how easy they are to predict.
Dialogue: 0,0:05:45.25,0:05:48.61,Default,,0000,0000,0000,,But something they definitely aren't is uniform.
Dialogue: 0,0:05:48.61,0:05:51.14,Default,,0000,0000,0000,,Because as I said, for example, reading from\Ndisk
Dialogue: 0,0:05:51.14,0:05:53.42,Default,,0000,0000,0000,,might take in a specific range,
Dialogue: 0,0:05:53.42,0:05:56.51,Default,,0000,0000,0000,,definitely not from 0 to 255 nanoseconds.
Dialogue: 0,0:05:56.51,0:05:58.99,Default,,0000,0000,0000,,That would be...
Dialogue: 0,0:05:58.99,0:06:01.31,Default,,0000,0000,0000,,And usually they're not enough to satisfy
Dialogue: 0,0:06:01.31,0:06:04.31,Default,,0000,0000,0000,,all our random byte needs.
Dialogue: 0,0:06:04.31,0:06:07.68,Default,,0000,0000,0000,,So, now we have some unpredictability.
Dialogue: 0,0:06:07.68,0:06:12.15,Default,,0000,0000,0000,,We have some events that we can see from our\Nsystem,
Dialogue: 0,0:06:12.15,0:06:15.90,Default,,0000,0000,0000,,and we want to turn that into a stream of\Nrandom bytes
Dialogue: 0,0:06:15.90,0:06:18.77,Default,,0000,0000,0000,,that we can use to generate SSH keys,
Dialogue: 0,0:06:18.77,0:06:21.95,Default,,0000,0000,0000,,and DNS query IDs, etc.
Dialogue: 0,0:06:21.95,0:06:24.87,Default,,0000,0000,0000,,Enter a CSPRNG.
Dialogue: 0,0:06:24.87,0:06:29.22,Default,,0000,0000,0000,,Cryptographers like their acronyms very long.
Dialogue: 0,0:06:29.22,0:06:33.50,Default,,0000,0000,0000,,It's a cryptographically secure pseudorandom\Nnumber generator.
Dialogue: 0,0:06:33.50,0:06:36.63,Default,,0000,0000,0000,,applause
Dialogue: 0,0:06:36.63,0:06:39.91,Default,,0000,0000,0000,,It's not that hard to pronounce!
Dialogue: 0,0:06:39.91,0:06:41.67,Default,,0000,0000,0000,,Okay, it is.
Dialogue: 0,0:06:41.67,0:06:45.62,Default,,0000,0000,0000,,Anyway, it's nothing else than a cryptographic\Ntool
Dialogue: 0,0:06:45.62,0:06:51.56,Default,,0000,0000,0000,,that takes some input and generates an unlimited,
Dialogue: 0,0:06:51.56,0:06:52.59,Default,,0000,0000,0000,,reasonably unlimited,
Dialogue: 0,0:06:52.59,0:06:56.99,Default,,0000,0000,0000,,stream of random uniform bytes,
Dialogue: 0,0:06:56.99,0:07:03.34,Default,,0000,0000,0000,,which depend on all and only the input you\Ngave to the CSPRNG.
Dialogue: 0,0:07:03.34,0:07:05.78,Default,,0000,0000,0000,,So you can see how we can use this.
Dialogue: 0,0:07:05.78,0:07:09.93,Default,,0000,0000,0000,,We have this amount of random events,
Dialogue: 0,0:07:09.93,0:07:13.09,Default,,0000,0000,0000,,we feed that into the CSPRNG,
Dialogue: 0,0:07:13.09,0:07:17.01,Default,,0000,0000,0000,,and we get out random bytes that we can use\Nfor everything.
Dialogue: 0,0:07:17.01,0:07:21.94,Default,,0000,0000,0000,,So, to understand how a CSPRNG works,
Dialogue: 0,0:07:21.94,0:07:26.62,Default,,0000,0000,0000,,I decided to simply present you with a very\Nsimple one.
Dialogue: 0,0:07:26.62,0:07:28.56,Default,,0000,0000,0000,,One based on hash functions.
Dialogue: 0,0:07:28.56,0:07:31.89,Default,,0000,0000,0000,,I assume that everyone in the hall
Dialogue: 0,0:07:31.89,0:07:34.95,Default,,0000,0000,0000,,knows essentially what hash functions are.
Dialogue: 0,0:07:34.95,0:07:39.37,Default,,0000,0000,0000,,But the properties we care about today of\Nhash functions are:
Dialogue: 0,0:07:39.37,0:07:43.09,Default,,0000,0000,0000,,The fact that the output is uniform.
Dialogue: 0,0:07:43.09,0:07:45.87,Default,,0000,0000,0000,,If you take the output of a hash function,
Dialogue: 0,0:07:45.87,0:07:48.49,Default,,0000,0000,0000,,all the bits should be indistinguishable from\Nrandom,
Dialogue: 0,0:07:48.49,0:07:51.66,Default,,0000,0000,0000,,if you don't know the input.
Dialogue: 0,0:07:51.66,0:07:54.73,Default,,0000,0000,0000,,It's impossible to reverse a hash function.
Dialogue: 0,0:07:54.73,0:07:57.18,Default,,0000,0000,0000,,If I give you the output of a hash function,
Dialogue: 0,0:07:57.18,0:07:59.69,Default,,0000,0000,0000,,you should know nothing more than before
Dialogue: 0,0:07:59.69,0:08:03.12,Default,,0000,0000,0000,,about what the input of the hash function\Nis,
Dialogue: 0,0:08:03.12,0:08:05.97,Default,,0000,0000,0000,,unless you can specifically figure out the\Ninput
Dialogue: 0,0:08:05.97,0:08:09.84,Default,,0000,0000,0000,,and try the hash function.
Dialogue: 0,0:08:09.84,0:08:13.43,Default,,0000,0000,0000,,And finally, it takes a limited amount of\Ninput,
Dialogue: 0,0:08:13.43,0:08:16.54,Default,,0000,0000,0000,,and makes a fixed amount of output.
Dialogue: 0,0:08:16.54,0:08:18.82,Default,,0000,0000,0000,,These are the properties we are going to use
Dialogue: 0,0:08:18.82,0:08:23.64,Default,,0000,0000,0000,,to build a CSPRNG out of hash functions.
Dialogue: 0,0:08:23.64,0:08:26.70,Default,,0000,0000,0000,,So. This is how it works.
Dialogue: 0,0:08:26.70,0:08:27.92,Default,,0000,0000,0000,,We start with a pool.
Dialogue: 0,0:08:27.92,0:08:32.17,Default,,0000,0000,0000,,We call "pool" an array of bytes,
Dialogue: 0,0:08:32.17,0:08:35.15,Default,,0000,0000,0000,,and we fill it with zeros to start.
Dialogue: 0,0:08:35.15,0:08:37.51,Default,,0000,0000,0000,,And every time a new event comes in,
Dialogue: 0,0:08:37.51,0:08:40.68,Default,,0000,0000,0000,,for example, you moved the mouse around,
Dialogue: 0,0:08:40.68,0:08:41.93,Default,,0000,0000,0000,,we take that event,
Dialogue: 0,0:08:41.93,0:08:44.89,Default,,0000,0000,0000,,we serialize it to some binary format,
Dialogue: 0,0:08:44.89,0:08:46.04,Default,,0000,0000,0000,,doesn't really matter.
Dialogue: 0,0:08:46.04,0:08:52.08,Default,,0000,0000,0000,,For example, mouse is at position 15 to 835.
Dialogue: 0,0:08:52.08,0:08:53.14,Default,,0000,0000,0000,,And we hash together,
Dialogue: 0,0:08:53.14,0:08:56.83,Default,,0000,0000,0000,,we hash the concatenation of our pool,
Dialogue: 0,0:08:56.83,0:08:59.33,Default,,0000,0000,0000,,which for now is just zeros,
Dialogue: 0,0:08:59.33,0:09:03.28,Default,,0000,0000,0000,,and the serialization of this event.
Dialogue: 0,0:09:03.28,0:09:06.34,Default,,0000,0000,0000,,We hash them together, we get an output,
Dialogue: 0,0:09:06.34,0:09:10.01,Default,,0000,0000,0000,,and that's our new value of the pool.
Dialogue: 0,0:09:10.01,0:09:10.97,Default,,0000,0000,0000,,And we repeat.
Dialogue: 0,0:09:10.97,0:09:15.45,Default,,0000,0000,0000,,Now, instead of zeros, we have the output\Nfrom before.
Dialogue: 0,0:09:15.45,0:09:19.94,Default,,0000,0000,0000,,Now we have this output, and a new event happens.
Dialogue: 0,0:09:19.94,0:09:25.86,Default,,0000,0000,0000,,A disk read happens, and it takes exactly\N1.27589 nanoseconds.
Dialogue: 0,0:09:25.86,0:09:33.51,Default,,0000,0000,0000,,And we hash together the old contents of the\Npool,
Dialogue: 0,0:09:33.51,0:09:38.39,Default,,0000,0000,0000,,this information, disk read happened and it\Ntook this amount of time,
Dialogue: 0,0:09:38.39,0:09:42.44,Default,,0000,0000,0000,,we hash them together and we get a new value\Nof the pool.
Dialogue: 0,0:09:42.44,0:09:45.25,Default,,0000,0000,0000,,You see where this is going.
Dialogue: 0,0:09:45.25,0:09:46.54,Default,,0000,0000,0000,,We keep doing this.
Dialogue: 0,0:09:46.54,0:09:48.89,Default,,0000,0000,0000,,Every time a new event comes in,
Dialogue: 0,0:09:48.89,0:09:51.00,Default,,0000,0000,0000,,every time the mouse moves,
Dialogue: 0,0:09:51.00,0:09:53.63,Default,,0000,0000,0000,,every time a CPU interrupt is raised,
Dialogue: 0,0:09:53.63,0:09:56.23,Default,,0000,0000,0000,,every time a disk read happens,
Dialogue: 0,0:09:56.23,0:09:58.94,Default,,0000,0000,0000,,we call this stirring function
Dialogue: 0,0:09:58.94,0:10:02.73,Default,,0000,0000,0000,,to mix this event into this pool.
Dialogue: 0,0:10:02.73,0:10:04.92,Default,,0000,0000,0000,,And what do we end up with?
Dialogue: 0,0:10:04.92,0:10:07.64,Default,,0000,0000,0000,,We end up with what we call an entropy pool.
Dialogue: 0,0:10:07.64,0:10:13.83,Default,,0000,0000,0000,,Now, to figure out this value, you need exactly\Nall the events
Dialogue: 0,0:10:13.83,0:10:16.41,Default,,0000,0000,0000,,that led to this value.
Dialogue: 0,0:10:16.41,0:10:19.45,Default,,0000,0000,0000,,If you're an attacker, and you really want\Nto figure out
Dialogue: 0,0:10:19.45,0:10:21.52,Default,,0000,0000,0000,,what my entropy pool is,
Dialogue: 0,0:10:21.52,0:10:25.40,Default,,0000,0000,0000,,you don't, you're not supposed to have any\Nbetter way
Dialogue: 0,0:10:25.40,0:10:28.81,Default,,0000,0000,0000,,to figure it out than to guess all the different
Dialogue: 0,0:10:28.81,0:10:32.05,Default,,0000,0000,0000,,hard disk timings and mouse movements that\Nhappened
Dialogue: 0,0:10:32.05,0:10:35.23,Default,,0000,0000,0000,,all the way up to now.
Dialogue: 0,0:10:35.23,0:10:41.09,Default,,0000,0000,0000,,Okay? So now we have this essentially unpredictable\Nvalue,
Dialogue: 0,0:10:41.09,0:10:43.87,Default,,0000,0000,0000,,but now we want to generate keys out of it,
Dialogue: 0,0:10:43.87,0:10:48.90,Default,,0000,0000,0000,,and we can't just use these few bytes here.
Dialogue: 0,0:10:48.90,0:10:53.18,Default,,0000,0000,0000,,So we can use again hash functions.
Dialogue: 0,0:10:53.18,0:10:54.30,Default,,0000,0000,0000,,Same hash function.
Dialogue: 0,0:10:54.30,0:10:58.31,Default,,0000,0000,0000,,We take the entropy pool, and we hash it with\Na counter.
Dialogue: 0,0:10:58.31,0:11:02.80,Default,,0000,0000,0000,,You want 5000 random bits? Sure.
Dialogue: 0,0:11:02.80,0:11:04.54,Default,,0000,0000,0000,,You hash entropy pool and 0,
Dialogue: 0,0:11:04.54,0:11:09.86,Default,,0000,0000,0000,,hash entropy pool and 1, and 2, 3, 4, 5, 6,\N7, 8, 9.
Dialogue: 0,0:11:09.86,0:11:13.40,Default,,0000,0000,0000,,You get all these outputs, you concatenate\Nthem,
Dialogue: 0,0:11:13.40,0:11:18.66,Default,,0000,0000,0000,,and now you have 5000 bits, which are as unpredictable
Dialogue: 0,0:11:18.66,0:11:23.42,Default,,0000,0000,0000,,as all the events that were stirred into the\Npool.
Dialogue: 0,0:11:23.42,0:11:25.70,Default,,0000,0000,0000,,Let's think about it for a second.
Dialogue: 0,0:11:25.70,0:11:28.55,Default,,0000,0000,0000,,We said that hash functions are not invertible,
Dialogue: 0,0:11:28.55,0:11:31.28,Default,,0000,0000,0000,,so even if you know one of the outputs,
Dialogue: 0,0:11:31.28,0:11:34.41,Default,,0000,0000,0000,,you can't get back to the entropy pool.
Dialogue: 0,0:11:34.41,0:11:37.11,Default,,0000,0000,0000,,And we said that hash functions have,
Dialogue: 0,0:11:37.11,0:11:41.48,Default,,0000,0000,0000,,that with hash functions, all the bits in\Ninput
Dialogue: 0,0:11:41.48,0:11:43.67,Default,,0000,0000,0000,,affect all the bits of the output.
Dialogue: 0,0:11:43.67,0:11:46.79,Default,,0000,0000,0000,,So even if just the counter changes
Dialogue: 0,0:11:46.79,0:11:50.18,Default,,0000,0000,0000,,between one rand and the other,
Dialogue: 0,0:11:50.18,0:11:52.25,Default,,0000,0000,0000,,the output is completely unrelated.
Dialogue: 0,0:11:52.25,0:11:55.97,Default,,0000,0000,0000,,So, did we get what we want?
Dialogue: 0,0:11:55.97,0:11:58.27,Default,,0000,0000,0000,,It's uniform, because we said before,
Dialogue: 0,0:11:58.27,0:12:00.93,Default,,0000,0000,0000,,hash functions' outputs are uniform.
Dialogue: 0,0:12:00.93,0:12:04.38,Default,,0000,0000,0000,,It's unpredictable, because the only way an\Nattacker has
Dialogue: 0,0:12:04.38,0:12:07.87,Default,,0000,0000,0000,,to figure out what the output will be
Dialogue: 0,0:12:07.87,0:12:12.89,Default,,0000,0000,0000,,is imagine or brute-force or observe, I guess,
Dialogue: 0,0:12:12.89,0:12:17.16,Default,,0000,0000,0000,,all the hard-disk timings and user inputs,
Dialogue: 0,0:12:17.16,0:12:20.38,Default,,0000,0000,0000,,which is impossible for a third party.
Dialogue: 0,0:12:20.38,0:12:22.38,Default,,0000,0000,0000,,And it's unlimited, because we can keep
Dialogue: 0,0:12:22.38,0:12:25.26,Default,,0000,0000,0000,,incrementing that counter forever.
Dialogue: 0,0:12:25.26,0:12:29.01,Default,,0000,0000,0000,,Now, really please don't go implement this\Nscheme
Dialogue: 0,0:12:29.01,0:12:32.10,Default,,0000,0000,0000,,and say "Filippo told me it was okay".
Dialogue: 0,0:12:32.10,0:12:33.06,Default,,0000,0000,0000,,No.
Dialogue: 0,0:12:33.06,0:12:38.16,Default,,0000,0000,0000,,Also because it's exactly not what this talk\Nis about.
Dialogue: 0,0:12:38.16,0:12:44.55,Default,,0000,0000,0000,,So, if CSPRNGs, if we have this tool
Dialogue: 0,0:12:44.55,0:12:48.18,Default,,0000,0000,0000,,to turn some unpredictable events
Dialogue: 0,0:12:48.18,0:12:51.60,Default,,0000,0000,0000,,into an unlimited stream of random bytes,
Dialogue: 0,0:12:51.60,0:12:53.23,Default,,0000,0000,0000,,which is what we need,
Dialogue: 0,0:12:53.23,0:12:55.16,Default,,0000,0000,0000,,and we have all these unpredictable events
Dialogue: 0,0:12:55.16,0:12:57.75,Default,,0000,0000,0000,,observed by the kernel,
Dialogue: 0,0:12:57.75,0:13:01.99,Default,,0000,0000,0000,,doesn't it make sense to just put a CSPRNG\Nin the kernel
Dialogue: 0,0:13:01.99,0:13:05.49,Default,,0000,0000,0000,,and just have the kernel run the CSPRNG
Dialogue: 0,0:13:05.49,0:13:09.25,Default,,0000,0000,0000,,when we need random bytes?
Dialogue: 0,0:13:09.25,0:13:12.83,Default,,0000,0000,0000,,It's such a good idea that it's exactly what\NLinux did,
Dialogue: 0,0:13:12.83,0:13:15.73,Default,,0000,0000,0000,,and all the other operating systems.
Dialogue: 0,0:13:15.73,0:13:18.85,Default,,0000,0000,0000,,In Linux, it's called /dev/urandom,
Dialogue: 0,0:13:18.85,0:13:22.74,Default,,0000,0000,0000,,and it looks like a file, you read it like\Na file,
Dialogue: 0,0:13:22.74,0:13:25.24,Default,,0000,0000,0000,,and it's technically a character device
Dialogue: 0,0:13:25.24,0:13:27.80,Default,,0000,0000,0000,,and every time you read 100 bytes from it,
Dialogue: 0,0:13:27.80,0:13:31.36,Default,,0000,0000,0000,,it runs a CSPRNG, on an entropy pool
Dialogue: 0,0:13:31.36,0:13:34.92,Default,,0000,0000,0000,,not different from the one I've presented,
Dialogue: 0,0:13:34.92,0:13:41.28,Default,,0000,0000,0000,,and this entropy pool is stirred with all\Nthe events
Dialogue: 0,0:13:41.28,0:13:46.68,Default,,0000,0000,0000,,that the kernel saw happen from its privileged\Nposition.
Dialogue: 0,0:13:46.68,0:13:50.61,Default,,0000,0000,0000,,Other operating systems have something similar.
Dialogue: 0,0:13:50.61,0:13:54.89,Default,,0000,0000,0000,,OS X and BSD have /dev/random
Dialogue: 0,0:13:54.89,0:13:59.17,Default,,0000,0000,0000,,which is exactly what /dev/urandom is on Linux,
Dialogue: 0,0:13:59.17,0:14:01.11,Default,,0000,0000,0000,,and on Windows you can get something similar
Dialogue: 0,0:14:01.11,0:14:06.64,Default,,0000,0000,0000,,with a CryptGenRandom call.
Dialogue: 0,0:14:06.64,0:14:08.26,Default,,0000,0000,0000,,One last thing.
Dialogue: 0,0:14:08.26,0:14:11.12,Default,,0000,0000,0000,,Putting the CSPRNG in the kernel
Dialogue: 0,0:14:11.12,0:14:13.39,Default,,0000,0000,0000,,is not only about convenience,
Dialogue: 0,0:14:13.39,0:14:15.28,Default,,0000,0000,0000,,it's also about security.
Dialogue: 0,0:14:15.28,0:14:16.74,Default,,0000,0000,0000,,Because, first of all,
Dialogue: 0,0:14:16.74,0:14:19.54,Default,,0000,0000,0000,,the kernel is the entity that can observe
Dialogue: 0,0:14:19.54,0:14:21.93,Default,,0000,0000,0000,,the unpredictable events.
Dialogue: 0,0:14:21.93,0:14:25.66,Default,,0000,0000,0000,,If you take a CSPRNG, which is just code,
Dialogue: 0,0:14:25.66,0:14:27.64,Default,,0000,0000,0000,,so you can implement your own,
Dialogue: 0,0:14:27.64,0:14:30.12,Default,,0000,0000,0000,,and you implement it in your library,
Dialogue: 0,0:14:30.12,0:14:32.10,Default,,0000,0000,0000,,or in your application,
Dialogue: 0,0:14:32.10,0:14:33.36,Default,,0000,0000,0000,,now you have the problem of,
Dialogue: 0,0:14:33.36,0:14:38.18,Default,,0000,0000,0000,,how do you take the random, the unpredictable\Nevents
Dialogue: 0,0:14:38.18,0:14:42.13,Default,,0000,0000,0000,,from the kernel and take them to the application?
Dialogue: 0,0:14:42.13,0:14:45.96,Default,,0000,0000,0000,,This is something that you can forget to do,
Dialogue: 0,0:14:45.96,0:14:46.79,Default,,0000,0000,0000,,often,
Dialogue: 0,0:14:46.79,0:14:48.42,Default,,0000,0000,0000,,or do wrong.
Dialogue: 0,0:14:48.42,0:14:52.46,Default,,0000,0000,0000,,And, moreover, the kernel can protect
Dialogue: 0,0:14:52.46,0:14:55.43,Default,,0000,0000,0000,,the memory space of the entropy pool
Dialogue: 0,0:14:55.43,0:14:58.21,Default,,0000,0000,0000,,much better than applications.
Dialogue: 0,0:14:58.21,0:15:00.18,Default,,0000,0000,0000,,For example, applications can fork,
Dialogue: 0,0:15:00.18,0:15:02.64,Default,,0000,0000,0000,,there's a whole lot of different things
Dialogue: 0,0:15:02.64,0:15:05.22,Default,,0000,0000,0000,,that applications can get wrong.
Dialogue: 0,0:15:05.22,0:15:10.16,Default,,0000,0000,0000,,And finally, you have one single centralized\Nimplementation
Dialogue: 0,0:15:10.16,0:15:13.99,Default,,0000,0000,0000,,that is reasonably easy to audit.
Dialogue: 0,0:15:13.99,0:15:19.00,Default,,0000,0000,0000,,I don't know, was anyone managing Debian servers\Nin 2008?
Dialogue: 0,0:15:19.00,0:15:20.41,Default,,0000,0000,0000,,laughter
Dialogue: 0,0:15:20.41,0:15:24.72,Default,,0000,0000,0000,,Just asking. Unrelated. Right.
Dialogue: 0,0:15:24.72,0:15:29.00,Default,,0000,0000,0000,,So, yeah. /dev/urandom.
Dialogue: 0,0:15:29.00,0:15:34.26,Default,,0000,0000,0000,,So, we have a solution, right?
Dialogue: 0,0:15:34.26,0:15:37.84,Default,,0000,0000,0000,,We have a tool to turn unpredictable events
Dialogue: 0,0:15:37.84,0:15:42.01,Default,,0000,0000,0000,,into an unlimited uniform stream of random\Nbytes,
Dialogue: 0,0:15:42.01,0:15:46.34,Default,,0000,0000,0000,,we have a source of unpredictable events,
Dialogue: 0,0:15:46.34,0:15:48.68,Default,,0000,0000,0000,,solved!
Dialogue: 0,0:15:48.68,0:15:50.35,Default,,0000,0000,0000,,What is everybody talking about?
Dialogue: 0,0:15:50.35,0:15:52.80,Default,,0000,0000,0000,,Why is there even a need for a talk?
Dialogue: 0,0:15:52.80,0:16:01.60,Default,,0000,0000,0000,,Well. Sadly, there are some common misconceptions\Nin the field,
Dialogue: 0,0:16:01.60,0:16:05.76,Default,,0000,0000,0000,,which is also why I'm here to give this talk.
Dialogue: 0,0:16:05.76,0:16:10.79,Default,,0000,0000,0000,,One of the most common is fueled by the very\NLinux man pages.
Dialogue: 0,0:16:10.79,0:16:13.84,Default,,0000,0000,0000,,The recent versions are better but
Dialogue: 0,0:16:13.84,0:16:16.51,Default,,0000,0000,0000,,they still give you this impression
Dialogue: 0,0:16:16.51,0:16:19.89,Default,,0000,0000,0000,,that if you want real security,
Dialogue: 0,0:16:19.89,0:16:21.59,Default,,0000,0000,0000,,you should be using /dev/random,
Dialogue: 0,0:16:21.59,0:16:24.82,Default,,0000,0000,0000,,because /dev/urandom is okay, but, hmm, kinda...
Dialogue: 0,0:16:24.82,0:16:29.46,Default,,0000,0000,0000,,and, well, we want real security, right?
Dialogue: 0,0:16:29.46,0:16:31.51,Default,,0000,0000,0000,,But you might ask yourself, okay,
Dialogue: 0,0:16:31.51,0:16:34.43,Default,,0000,0000,0000,,if /dev/urandom is a CSPRNG,
Dialogue: 0,0:16:34.43,0:16:38.20,Default,,0000,0000,0000,,and a CSPRNG is all I need,
Dialogue: 0,0:16:38.20,0:16:40.39,Default,,0000,0000,0000,,what else can I get,
Dialogue: 0,0:16:40.39,0:16:44.80,Default,,0000,0000,0000,,what does /dev/random have more?
Dialogue: 0,0:16:44.80,0:16:48.10,Default,,0000,0000,0000,,Well, the idea of this talk is giving you\Nthe knowledge
Dialogue: 0,0:16:48.10,0:16:52.45,Default,,0000,0000,0000,,to figure out by yourself whether you need\N/dev/random or not.
Dialogue: 0,0:16:52.45,0:16:54.78,Default,,0000,0000,0000,,So, first I explained how a CSPRNG works,
Dialogue: 0,0:16:54.78,0:16:58.14,Default,,0000,0000,0000,,now I'm going to go a bit into the details
Dialogue: 0,0:16:58.14,0:17:01.88,Default,,0000,0000,0000,,of how /dev/urandom and /dev/random work.
Dialogue: 0,0:17:01.88,0:17:06.29,Default,,0000,0000,0000,,These are taken directly from the kernel source.
Dialogue: 0,0:17:06.29,0:17:11.38,Default,,0000,0000,0000,,Both /dev/urandom and /dev/random are...
Dialogue: 0,0:17:11.38,0:17:13.69,Default,,0000,0000,0000,,Yeah. Sorry.
Dialogue: 0,0:17:13.69,0:17:16.41,Default,,0000,0000,0000,,Essentially, everything I'm going to say now
Dialogue: 0,0:17:16.41,0:17:19.63,Default,,0000,0000,0000,,applies to both /dev/urandom and /dev/random.
Dialogue: 0,0:17:19.63,0:17:24.19,Default,,0000,0000,0000,,They both are based on a pool of 4000 bits,
Dialogue: 0,0:17:24.19,0:17:29.15,Default,,0000,0000,0000,,not dissimilar from the one of the CSPRNG\Nwe played with before,
Dialogue: 0,0:17:29.15,0:17:36.34,Default,,0000,0000,0000,,which is implemented as a series of 32-bit\Nwords, I think.
Dialogue: 0,0:17:36.34,0:17:39.41,Default,,0000,0000,0000,,The pool is mixed with all the unpredictable\Nevents,
Dialogue: 0,0:17:39.41,0:17:41.47,Default,,0000,0000,0000,,using a CRC-like function.
Dialogue: 0,0:17:41.47,0:17:44.54,Default,,0000,0000,0000,,This is not a cryptographically secure hash\Nfunction,
Dialogue: 0,0:17:44.54,0:17:47.98,Default,,0000,0000,0000,,but this is just about how the unpredictable\Nevents,
Dialogue: 0,0:17:47.98,0:17:52.52,Default,,0000,0000,0000,,the interrupts, the disk timings, are stirred
Dialogue: 0,0:17:52.52,0:17:55.65,Default,,0000,0000,0000,,into the internal pool.
Dialogue: 0,0:17:55.65,0:17:58.01,Default,,0000,0000,0000,,Every time one of these events happens,
Dialogue: 0,0:17:58.01,0:18:00.33,Default,,0000,0000,0000,,this very fast function kicks in
Dialogue: 0,0:18:00.33,0:18:07.42,Default,,0000,0000,0000,,and stirs the pool with the unpredictable\Nevent.
Dialogue: 0,0:18:07.42,0:18:13.09,Default,,0000,0000,0000,,Then extraction, so actual random byte generation,
Dialogue: 0,0:18:13.09,0:18:14.54,Default,,0000,0000,0000,,happens with SHA-1.
Dialogue: 0,0:18:14.54,0:18:17.02,Default,,0000,0000,0000,,So you want some random bytes from the kernel,
Dialogue: 0,0:18:17.02,0:18:21.54,Default,,0000,0000,0000,,what the kernel does is just run SHA-1 on\Nthe pool,
Dialogue: 0,0:18:21.54,0:18:22.76,Default,,0000,0000,0000,,give you the output,
Dialogue: 0,0:18:22.76,0:18:26.80,Default,,0000,0000,0000,,and also take the output and feed it back\Ninto the pool
Dialogue: 0,0:18:26.80,0:18:28.62,Default,,0000,0000,0000,,using that mixing function.
Dialogue: 0,0:18:28.62,0:18:31.84,Default,,0000,0000,0000,,This is a big difference, you might have noticed,
Dialogue: 0,0:18:31.84,0:18:35.12,Default,,0000,0000,0000,,from our design, which is a counter,
Dialogue: 0,0:18:35.12,0:18:38.82,Default,,0000,0000,0000,,because keeping counters, turns out, is still\Nhard.
Dialogue: 0,0:18:38.82,0:18:43.63,Default,,0000,0000,0000,,And they can reset, you can lose count, that's\Nbad.
Dialogue: 0,0:18:43.63,0:18:48.74,Default,,0000,0000,0000,,Also, this has more security properties against\Ncompromise.
Dialogue: 0,0:18:48.74,0:18:51.20,Default,,0000,0000,0000,,So what it does is simply that,
Dialogue: 0,0:18:51.20,0:18:54.15,Default,,0000,0000,0000,,when it generates output, it also stirs it\Nback,
Dialogue: 0,0:18:54.15,0:18:55.35,Default,,0000,0000,0000,,and if you need more output,
Dialogue: 0,0:18:55.35,0:18:57.81,Default,,0000,0000,0000,,SHA-1 again on the new pool
Dialogue: 0,0:18:57.81,0:19:00.51,Default,,0000,0000,0000,,gives output and stirs it back into the pool,
Dialogue: 0,0:19:00.51,0:19:03.31,Default,,0000,0000,0000,,so that the pool keeps changing.
Dialogue: 0,0:19:03.31,0:19:06.99,Default,,0000,0000,0000,,Now, both /dev/urandom and /dev/random
Dialogue: 0,0:19:06.99,0:19:09.73,Default,,0000,0000,0000,,do the exact same thing.
Dialogue: 0,0:19:09.73,0:19:13.41,Default,,0000,0000,0000,,Same code, same sizes, same entropy sources,
Dialogue: 0,0:19:13.41,0:19:15.16,Default,,0000,0000,0000,,literally in the source,
Dialogue: 0,0:19:15.16,0:19:18.07,Default,,0000,0000,0000,,random_read is a call to extract_entropy_user,
Dialogue: 0,0:19:18.07,0:19:23.21,Default,,0000,0000,0000,,urandom_read is a call to extract_entropy_user.
Dialogue: 0,0:19:23.21,0:19:26.73,Default,,0000,0000,0000,,The only difference is
Dialogue: 0,0:19:26.73,0:19:30.12,Default,,0000,0000,0000,,I finally get to what's special about /dev/random,
Dialogue: 0,0:19:30.12,0:19:34.32,Default,,0000,0000,0000,,is that it tries to do a couple of really\Nhard and weird things.
Dialogue: 0,0:19:34.32,0:19:39.15,Default,,0000,0000,0000,,First, it tries to guess how many bits of\Nentropy
Dialogue: 0,0:19:39.15,0:19:43.53,Default,,0000,0000,0000,,were mixed into the pool after each unpredictable\Nevent.
Dialogue: 0,0:19:43.53,0:19:46.45,Default,,0000,0000,0000,,This is already very hard, because, think\Nabout it,
Dialogue: 0,0:19:46.45,0:19:53.19,Default,,0000,0000,0000,,a disk read took 1.735 nanoseconds. Great.
Dialogue: 0,0:19:53.19,0:19:56.34,Default,,0000,0000,0000,,We don't know how many different values this\Nmight take.
Dialogue: 0,0:19:56.34,0:19:59.57,Default,,0000,0000,0000,,We don't know if this is a spinning hard disk,
Dialogue: 0,0:19:59.57,0:20:01.95,Default,,0000,0000,0000,,which has timings all over the place,
Dialogue: 0,0:20:01.95,0:20:05.38,Default,,0000,0000,0000,,or if it's an SSD which almost always takes\Nthe same time.
Dialogue: 0,0:20:05.38,0:20:07.70,Default,,0000,0000,0000,,So we don't know how predictable this\Nis.
Dialogue: 0,0:20:07.70,0:20:08.77,Default,,0000,0000,0000,,So this is already hard,
Dialogue: 0,0:20:08.77,0:20:13.46,Default,,0000,0000,0000,,figuring out how unpredictable the pool is.
Dialogue: 0,0:20:13.46,0:20:18.36,Default,,0000,0000,0000,,So it keeps a counter, arbitrary number of\Nhow many bits
Dialogue: 0,0:20:18.36,0:20:21.33,Default,,0000,0000,0000,,of entropy, how much unpredictability
Dialogue: 0,0:20:21.33,0:20:24.59,Default,,0000,0000,0000,,there is in this pool.
Dialogue: 0,0:20:24.59,0:20:27.86,Default,,0000,0000,0000,,And then, when you run the hash function on\Nthe pool,
Dialogue: 0,0:20:27.86,0:20:30.80,Default,,0000,0000,0000,,it decreases this count,
Dialogue: 0,0:20:30.80,0:20:33.95,Default,,0000,0000,0000,,it reduces this number.
Dialogue: 0,0:20:33.95,0:20:37.91,Default,,0000,0000,0000,,And if this number gets too low, it blocks\Nyou.
Dialogue: 0,0:20:37.91,0:20:39.49,Default,,0000,0000,0000,,So you're reading from /dev/random,
Dialogue: 0,0:20:39.49,0:20:41.48,Default,,0000,0000,0000,,this number dwindles,
Dialogue: 0,0:20:41.48,0:20:44.21,Default,,0000,0000,0000,,so now you're still reading from /dev/random
Dialogue: 0,0:20:44.21,0:20:45.32,Default,,0000,0000,0000,,but you're blocked
Dialogue: 0,0:20:45.32,0:20:48.89,Default,,0000,0000,0000,,until more unpredictable events happen.
Dialogue: 0,0:20:48.89,0:20:52.38,Default,,0000,0000,0000,,This is useless in the modern world.
Dialogue: 0,0:20:52.38,0:20:53.89,Default,,0000,0000,0000,,Because entropy does not decrease.
Dialogue: 0,0:20:53.89,0:20:59.23,Default,,0000,0000,0000,,Entropy does not run out, and everything freezes.
Dialogue: 0,0:20:59.23,0:21:01.03,Default,,0000,0000,0000,,Once the pool becomes unpredictable
Dialogue: 0,0:21:01.03,0:21:04.43,Default,,0000,0000,0000,,because too many different events contributed
Dialogue: 0,0:21:04.43,0:21:06.73,Default,,0000,0000,0000,,to what the entropy pool looks like,
Dialogue: 0,0:21:06.73,0:21:08.71,Default,,0000,0000,0000,,it's forever unpredictable,
Dialogue: 0,0:21:08.71,0:21:12.52,Default,,0000,0000,0000,,because the attacker doesn't learn anything\Nfrom the output.
Dialogue: 0,0:21:12.52,0:21:15.86,Default,,0000,0000,0000,,Obviously, unless the CSPRNG is broken
Dialogue: 0,0:21:15.86,0:21:19.63,Default,,0000,0000,0000,,and is leaking information about the entropy\Npool.
Dialogue: 0,0:21:19.63,0:21:23.13,Default,,0000,0000,0000,,However, saying that CSPRNGs are broken
Dialogue: 0,0:21:23.13,0:21:29.23,Default,,0000,0000,0000,,is equivalent to saying that a lot of cryptography\Nconstructs are broken.
Dialogue: 0,0:21:29.23,0:21:31.66,Default,,0000,0000,0000,,It's saying that stream ciphers are broken,
Dialogue: 0,0:21:31.66,0:21:34.34,Default,,0000,0000,0000,,it's saying that CTR mode is broken,
Dialogue: 0,0:21:34.34,0:21:36.66,Default,,0000,0000,0000,,it's saying that TLS and PGP are broken,
Dialogue: 0,0:21:36.66,0:21:39.47,Default,,0000,0000,0000,,because they're both about reusing the same\Nkey
Dialogue: 0,0:21:39.47,0:21:42.30,Default,,0000,0000,0000,,for multiple packets or messages.
Dialogue: 0,0:21:42.30,0:21:45.27,Default,,0000,0000,0000,,So if cryptographers didn't know how to build
Dialogue: 0,0:21:45.27,0:21:47.77,Default,,0000,0000,0000,,a secure CSPRNG,
Dialogue: 0,0:21:47.77,0:21:50.03,Default,,0000,0000,0000,,it would mean that cryptographers weren't\Nable
Dialogue: 0,0:21:50.03,0:21:54.75,Default,,0000,0000,0000,,to build most of the things we're relying\Non today.
Dialogue: 0,0:21:54.75,0:21:57.17,Default,,0000,0000,0000,,It would mean that cryptography was doomed.
Dialogue: 0,0:21:57.17,0:22:02.06,Default,,0000,0000,0000,,Now, I'm not DJB, I can't tell you if cryptography\Nis doomed.
Dialogue: 0,0:22:02.06,0:22:05.59,Default,,0000,0000,0000,,But I can tell you that if cryptography is\Ndoomed,
Dialogue: 0,0:22:05.59,0:22:08.21,Default,,0000,0000,0000,,your problem is not your CSPRNG.
Dialogue: 0,0:22:08.21,0:22:09.33,Default,,0000,0000,0000,,laughter
Dialogue: 0,0:22:09.33,0:22:12.53,Default,,0000,0000,0000,,So, cryptography relies on being able
Dialogue: 0,0:22:12.53,0:22:16.39,Default,,0000,0000,0000,,to build secure CSPRNGs.
Dialogue: 0,0:22:16.39,0:22:17.13,Default,,0000,0000,0000,,And on the other hand,
Dialogue: 0,0:22:17.13,0:22:20.95,Default,,0000,0000,0000,,that makes /dev/random blocking useless, obviously.
Dialogue: 0,0:22:20.95,0:22:23.32,Default,,0000,0000,0000,,It can be unacceptable, too, because
Dialogue: 0,0:22:23.32,0:22:25.70,Default,,0000,0000,0000,,you get a TLS request, and you're like
Dialogue: 0,0:22:25.70,0:22:29.01,Default,,0000,0000,0000,,"I have that HTTP page, but wait a second,
Dialogue: 0,0:22:29.01,0:22:31.62,Default,,0000,0000,0000,,I need someone to start typing
Dialogue: 0,0:22:31.62,0:22:36.72,Default,,0000,0000,0000,,on the keyboard of the rack to serve it to\Nyou."
Dialogue: 0,0:22:36.72,0:22:38.01,Default,,0000,0000,0000,,And it can even be dangerous,
Dialogue: 0,0:22:38.01,0:22:40.08,Default,,0000,0000,0000,,because you're essentially giving away information
Dialogue: 0,0:22:40.08,0:22:42.62,Default,,0000,0000,0000,,about what other users in the system are doing
Dialogue: 0,0:22:42.62,0:22:46.06,Default,,0000,0000,0000,,to other users.
Dialogue: 0,0:22:46.06,0:22:47.52,Default,,0000,0000,0000,,On the other hand,
Dialogue: 0,0:22:47.52,0:22:50.32,Default,,0000,0000,0000,,/dev/urandom is safe for any cryptography\Nuse
Dialogue: 0,0:22:50.32,0:22:51.74,Default,,0000,0000,0000,,you want to use it for.
Dialogue: 0,0:22:51.74,0:22:54.02,Default,,0000,0000,0000,,You want to generate long-term keys...
Dialogue: 0,0:22:54.02,0:22:59.53,Default,,0000,0000,0000,,My GPG keys are generated from /dev/urandom.
Dialogue: 0,0:22:59.53,0:23:01.90,Default,,0000,0000,0000,,And I'm not the only one saying this,
Dialogue: 0,0:23:01.90,0:23:06.37,Default,,0000,0000,0000,,BoringSSL, Python, Go, Ruby, use /dev/urandom
Dialogue: 0,0:23:06.37,0:23:09.81,Default,,0000,0000,0000,,as the only source, the only CSPRNG.
Dialogue: 0,0:23:09.81,0:23:13.07,Default,,0000,0000,0000,,Sandstorm even replaces /dev/random with it.
Dialogue: 0,0:23:13.07,0:23:15.22,Default,,0000,0000,0000,,And here is a long list of people
Dialogue: 0,0:23:15.22,0:23:20.26,Default,,0000,0000,0000,,saying exactly what I'm here on stage to tell\Nyou.
Dialogue: 0,0:23:20.26,0:23:26.12,Default,,0000,0000,0000,,So, I hope that at the end of this, you see
Dialogue: 0,0:23:26.12,0:23:29.60,Default,,0000,0000,0000,,that you don't actually need /dev/random,
Dialogue: 0,0:23:29.60,0:23:31.45,Default,,0000,0000,0000,,just as you don't need to keep measuring
Dialogue: 0,0:23:31.45,0:23:33.87,Default,,0000,0000,0000,,how much entropy you have in the pool,
Dialogue: 0,0:23:33.87,0:23:35.57,Default,,0000,0000,0000,,you don't need to refill the pool
Dialogue: 0,0:23:35.57,0:23:37.84,Default,,0000,0000,0000,,with things like haveged or
Dialogue: 0,0:23:37.84,0:23:39.96,Default,,0000,0000,0000,,I don't know how to pronounce it.
Dialogue: 0,0:23:39.96,0:23:45.92,Default,,0000,0000,0000,,Actually I've even seen people take output\Nfrom /dev/urandom
Dialogue: 0,0:23:45.92,0:23:49.35,Default,,0000,0000,0000,,and pipe it back as root into /dev/random
Dialogue: 0,0:23:49.35,0:23:51.99,Default,,0000,0000,0000,,so that the entropy doesn't run out,
Dialogue: 0,0:23:51.99,0:23:58.18,Default,,0000,0000,0000,,which is exactly what the kernel is doing!
Dialogue: 0,0:23:58.18,0:24:03.36,Default,,0000,0000,0000,,Which is, obviously, a pretty upvoted answer\Non StackOverflow.
Dialogue: 0,0:24:03.36,0:24:04.78,Default,,0000,0000,0000,,laughter
Dialogue: 0,0:24:04.78,0:24:08.55,Default,,0000,0000,0000,,Anyway. And finally,
Dialogue: 0,0:24:08.55,0:24:10.49,Default,,0000,0000,0000,,random number quality does not decrease,
Dialogue: 0,0:24:10.49,0:24:13.26,Default,,0000,0000,0000,,there are not like premium-level random numbers
Dialogue: 0,0:24:13.26,0:24:18.17,Default,,0000,0000,0000,,and then they kinda rot after you use them\Nfor a while.
Dialogue: 0,0:24:18.17,0:24:21.42,Default,,0000,0000,0000,,No, that's not a thing.
Dialogue: 0,0:24:21.42,0:24:26.35,Default,,0000,0000,0000,,Okay. So, there is only one small case
Dialogue: 0,0:24:26.35,0:24:29.66,Default,,0000,0000,0000,,in which /dev/urandom does not do exactly
Dialogue: 0,0:24:29.66,0:24:33.59,Default,,0000,0000,0000,,what we would expect it to do, which is early\Nat boot.
Dialogue: 0,0:24:33.59,0:24:34.39,Default,,0000,0000,0000,,If you think about it,
Dialogue: 0,0:24:34.39,0:24:38.53,Default,,0000,0000,0000,,everything we said is about using unpredictable\Nevents
Dialogue: 0,0:24:38.53,0:24:40.66,Default,,0000,0000,0000,,to build up unpredictability.
Dialogue: 0,0:24:40.66,0:24:43.51,Default,,0000,0000,0000,,As soon as you boot the machine,
Dialogue: 0,0:24:43.51,0:24:47.56,Default,,0000,0000,0000,,you haven't observed enough events yet.
Dialogue: 0,0:24:47.56,0:24:50.89,Default,,0000,0000,0000,,So this got embedded devices,
Dialogue: 0,0:24:50.89,0:24:55.52,Default,,0000,0000,0000,,this got the Raspberry Pi recently,
Dialogue: 0,0:24:55.52,0:24:57.81,Default,,0000,0000,0000,,essentially it's a Linux shortcoming,
Dialogue: 0,0:24:57.81,0:25:00.20,Default,,0000,0000,0000,,which by now is too late to fix,
Dialogue: 0,0:25:00.20,0:25:02.39,Default,,0000,0000,0000,,which is the fact that /dev/urandom will not\Nblock
Dialogue: 0,0:25:02.39,0:25:06.00,Default,,0000,0000,0000,,even at boot, before being initialized.
Dialogue: 0,0:25:06.00,0:25:09.71,Default,,0000,0000,0000,,The solution in most cases is just that the\Ndistribution
Dialogue: 0,0:25:09.71,0:25:12.81,Default,,0000,0000,0000,,should save the state of the pool at power-off,
Dialogue: 0,0:25:12.81,0:25:15.57,Default,,0000,0000,0000,,and reload it at power-on,
Dialogue: 0,0:25:15.57,0:25:18.85,Default,,0000,0000,0000,,or block until the pool is initialized.
Dialogue: 0,0:25:18.85,0:25:23.00,Default,,0000,0000,0000,,So, your distribution probably solves this\Nfor you anyway.
Dialogue: 0,0:25:23.00,0:25:28.16,Default,,0000,0000,0000,,So, to sum up, CSPRNGs are pretty cool, and\Nthey work.
Dialogue: 0,0:25:28.16,0:25:30.81,Default,,0000,0000,0000,,You don't need /dev/random.
Dialogue: 0,0:25:30.81,0:25:33.53,Default,,0000,0000,0000,,You shouldn't use userspace CSPRNGs
Dialogue: 0,0:25:33.53,0:25:35.82,Default,,0000,0000,0000,,because they're very easy to get wrong.
Dialogue: 0,0:25:35.82,0:25:38.71,Default,,0000,0000,0000,,And if you need 100 random bytes,
Dialogue: 0,0:25:38.71,0:25:42.03,Default,,0000,0000,0000,,read 100 bytes from /dev/urandom.
Dialogue: 0,0:25:42.03,0:25:43.70,Default,,0000,0000,0000,,That's it!
Dialogue: 0,0:25:43.70,0:25:54.53,Default,,0000,0000,0000,,applause
Dialogue: 0,0:25:54.53,0:25:58.01,Default,,0000,0000,0000,,I glossed over a lot of different ways to\Ndo it wrong,
Dialogue: 0,0:25:58.01,0:26:01.09,Default,,0000,0000,0000,,so if you have questions about why not this\Nother thing,
Dialogue: 0,0:26:01.09,0:26:03.12,Default,,0000,0000,0000,,please, come forward.
Dialogue: 0,0:26:03.12,0:26:07.25,Default,,0000,0000,0000,,Herald: Okay, and because people on the stream\Ncan't be here in person,
Dialogue: 0,0:26:07.25,0:26:09.72,Default,,0000,0000,0000,,we will start with questions from the Internet.
Dialogue: 0,0:26:09.72,0:26:13.96,Default,,0000,0000,0000,,Q: The first question is: How do you explain,
Dialogue: 0,0:26:13.96,0:26:18.06,Default,,0000,0000,0000,,regarding what you explained of /dev/random\Nversus /dev/urandom,
Dialogue: 0,0:26:18.06,0:26:21.34,Default,,0000,0000,0000,,the fact that on the 4.3.3 kernel, /dev/random\Noutput
Dialogue: 0,0:26:21.34,0:26:25.71,Default,,0000,0000,0000,,is identical to something from /dev/input\Nsomething?
Dialogue: 0,0:26:25.71,0:26:26.71,Default,,0000,0000,0000,,Someone claimed that.
Dialogue: 0,0:26:26.71,0:26:30.22,Default,,0000,0000,0000,,FV: I'm sorry, you have to repeat. On the\Nwhat?
Dialogue: 0,0:26:30.22,0:26:34.49,Default,,0000,0000,0000,,Q: On a kernel 4.3.3, someone claims that\Nsometimes,
Dialogue: 0,0:26:34.49,0:26:37.22,Default,,0000,0000,0000,,the output from /dev/random, or /dev/urandom,
Dialogue: 0,0:26:37.22,0:26:39.70,Default,,0000,0000,0000,,is identical to something that comes from\N/dev/input,
Dialogue: 0,0:26:39.70,0:26:42.00,Default,,0000,0000,0000,,like an input device.
Dialogue: 0,0:26:42.00,0:26:45.66,Default,,0000,0000,0000,,FV: I'm not sure I got what system, but...
Dialogue: 0,0:26:45.66,0:26:47.45,Default,,0000,0000,0000,,oh my god, what system?
Dialogue: 0,0:26:47.45,0:26:50.59,Default,,0000,0000,0000,,Q: Linux, Linux 4.3.3, the guy claims.
Dialogue: 0,0:26:50.59,0:26:53.56,Default,,0000,0000,0000,,FV: That sounds like a pretty bad bug, but...
Dialogue: 0,0:26:53.56,0:26:55.26,Default,,0000,0000,0000,,I don't know.
Dialogue: 0,0:26:55.26,0:26:57.58,Default,,0000,0000,0000,,If that's the case, I'm not aware of it,
Dialogue: 0,0:26:57.58,0:26:59.29,Default,,0000,0000,0000,,because I read the kernel source,
Dialogue: 0,0:26:59.29,0:27:03.59,Default,,0000,0000,0000,,and it's really a call to extract_entropy_user.
Dialogue: 0,0:27:03.59,0:27:04.61,Default,,0000,0000,0000,,File a bug report, maybe?
Dialogue: 0,0:27:04.61,0:27:06.16,Default,,0000,0000,0000,,No, I mean, I'm joking.
Dialogue: 0,0:27:06.16,0:27:08.72,Default,,0000,0000,0000,,I would be happy to talk about this offline.
Dialogue: 0,0:27:08.72,0:27:12.04,Default,,0000,0000,0000,,Herald: Is there another question from the\Nstream?
Dialogue: 0,0:27:12.04,0:27:14.28,Default,,0000,0000,0000,,Q: Yes, I have two more questions.
Dialogue: 0,0:27:14.28,0:27:17.04,Default,,0000,0000,0000,,One is: What do you think about hardware entropy\Ngenerators,
Dialogue: 0,0:27:17.04,0:27:17.83,Default,,0000,0000,0000,,or hardware random generators?
Dialogue: 0,0:27:17.83,0:27:22.60,Default,,0000,0000,0000,,FV: Aha! I have a slide for this!
Dialogue: 0,0:27:22.60,0:27:29.38,Default,,0000,0000,0000,,laughter
Dialogue: 0,0:27:29.38,0:27:33.00,Default,,0000,0000,0000,,So, hardware random number generators, very\Nquickly.
Dialogue: 0,0:27:33.00,0:27:37.30,Default,,0000,0000,0000,,Some CPUs on some platforms have real random\Nnumber generators.
Dialogue: 0,0:27:37.30,0:27:40.57,Default,,0000,0000,0000,,Essentially, I'm told they use electrical\Nnoise
Dialogue: 0,0:27:40.57,0:27:43.50,Default,,0000,0000,0000,,to give you actual randomness.
Dialogue: 0,0:27:43.50,0:27:47.19,Default,,0000,0000,0000,,Linux has support for them, and, if they're\Nloaded,
Dialogue: 0,0:27:47.19,0:27:50.17,Default,,0000,0000,0000,,they will immediately be used to refuel this\Npool,
Dialogue: 0,0:27:50.17,0:27:53.85,Default,,0000,0000,0000,,and they will also be used as the initialization\Nvectors
Dialogue: 0,0:27:53.85,0:27:56.22,Default,,0000,0000,0000,,for the SHA-1 of this extraction.
Dialogue: 0,0:27:56.22,0:27:59.44,Default,,0000,0000,0000,,So, if they're turned on, you don't have to\Nworry about them,
Dialogue: 0,0:27:59.44,0:28:03.48,Default,,0000,0000,0000,,and they will make /dev/urandom work even\Nbetter.
Dialogue: 0,0:28:03.48,0:28:05.02,Default,,0000,0000,0000,,Yep.
Dialogue: 0,0:28:05.02,0:28:08.78,Default,,0000,0000,0000,,applause
Dialogue: 0,0:28:08.78,0:28:11.15,Default,,0000,0000,0000,,Herald: Okay, quick question from the stream.
Dialogue: 0,0:28:11.15,0:28:16.92,Default,,0000,0000,0000,,Q: Yeah, someone wants your opinion about\Nentropy-gathering daemons
Dialogue: 0,0:28:16.92,0:28:18.20,Default,,0000,0000,0000,,like havege daemons.
Dialogue: 0,0:28:18.20,0:28:21.21,Default,,0000,0000,0000,,FV: There was probably a time when they had
Dialogue: 0,0:28:21.21,0:28:26.75,Default,,0000,0000,0000,,their reason to exist, maybe because Linux\Nimplementations
Dialogue: 0,0:28:26.75,0:28:30.08,Default,,0000,0000,0000,,of this entropy gathering were not that good,
Dialogue: 0,0:28:30.08,0:28:33.31,Default,,0000,0000,0000,,today they don't really have a reason to exist.
Dialogue: 0,0:28:33.31,0:28:36.63,Default,,0000,0000,0000,,Herald: Okay, thank you. And microphone 4,\Nplease.
Dialogue: 0,0:28:36.63,0:28:40.47,Default,,0000,0000,0000,,Q: Hello. I wanted to ask about the early\Nboot problem.
Dialogue: 0,0:28:40.47,0:28:45.92,Default,,0000,0000,0000,,You say that we should mix, that we should\Nsave the state
Dialogue: 0,0:28:45.92,0:28:51.94,Default,,0000,0000,0000,,of /dev/urandom, what happens if a machine\Ncrashes?
Dialogue: 0,0:28:51.94,0:28:54.77,Default,,0000,0000,0000,,Wouldn't you restart from an earlier state\Nof /dev/urandom?
Dialogue: 0,0:28:54.77,0:28:59.29,Default,,0000,0000,0000,,FV: Hm, yeah, I think that the correct way\Nto do this is,
Dialogue: 0,0:28:59.29,0:29:06.02,Default,,0000,0000,0000,,as soon as, even before the input is used\Nto initialize the pool,
Dialogue: 0,0:29:06.02,0:29:09.41,Default,,0000,0000,0000,,the one from the last shutdown,
Dialogue: 0,0:29:09.41,0:29:12.38,Default,,0000,0000,0000,,it should be deleted from the disk,
Dialogue: 0,0:29:12.38,0:29:13.42,Default,,0000,0000,0000,,and the disk flushed.
Dialogue: 0,0:29:13.42,0:29:16.85,Default,,0000,0000,0000,,Yes, it's kind of hard, yes.
Dialogue: 0,0:29:16.85,0:29:20.36,Default,,0000,0000,0000,,Herald: Okay, and unfortunately we are running\Nout of time,
Dialogue: 0,0:29:20.36,0:29:24.17,Default,,0000,0000,0000,,because we have to clear this room. And you\Nhave a short announcement?
Dialogue: 0,0:29:24.17,0:29:30.01,Default,,0000,0000,0000,,FV: Oh, yeah! Tomorrow, at 15.30, I am giving\Na quick workshop
Dialogue: 0,0:29:30.01,0:29:34.80,Default,,0000,0000,0000,,about how to implement a Vaudenay padding\Noracle attack in Hall 14.
Dialogue: 0,0:29:34.80,0:29:39.36,Default,,0000,0000,0000,,I think it doesn't take as many people as\Nare here now...
Dialogue: 0,0:29:39.36,0:29:40.80,Default,,0000,0000,0000,,so maybe I shouldn't have said that.
Dialogue: 0,0:29:40.80,0:29:44.17,Default,,0000,0000,0000,,Herald: Okay, then! Thanks again, Filippo,\Nfor the talk.
Dialogue: 0,0:29:44.17,0:29:48.29,Default,,0000,0000,0000,,applause
Dialogue: 0,0:29:48.29,0:30:00.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\NJoin, and help us!