BadRandom: The effect and mitigations for low entropy random numbers in TLS
Abstract
E-commerce has become critical to everyday life and how businesses and governments operate. The Internet's global reach is a significant factor in E-commerce success, but it ultimately would not be possible without secure communications. The IETF Transport Layer Security (TLS) protocol is used for almost all Internet traffic security, but TLS is not as secure as the general public believes it to be.
We know that the current TLS protocol is proven secure, but it is uncertain if the implementations live up to that promise. The history of random number generators that have not been as random as expected has led us to question the security of TLS.
Random numbers are the key to any cryptographic protocol's security. These numbers separate the attacker from the attacked. The proof assumes that all random numbers are perfectly random.If the actual implementations of TLS's random numbers are not perfectly random, the protocol's security proof is not applicable at best and worthless at worst.
We measured the randomness of actual TLS traffic to discover if TLS random numbers are indeed random. The TLS protocol has a raw random value the protocol uses to ensure that the connection is fresh. We captured two years of Internet traffic to and from UCSC to determine if the exposed raw random values are random.
The findings are disturbing. We found client implementations that do not offer any security because of simple programming mistakes. We found other insecure closed source client implementations and used them to demonstrate that the TLS protocol is fragile to insufficiently random numbers. One can not solely blame the programmers. We have discovered that the fragility of the TLS protocol contributes to these failures by allowing passive monitoring to identify these vulnerable implementations.
The IETF has standardized fragile protocols with at least the tacit approval of governments worldwide; we can do better. We propose a new proven secure TLS Authenticated Key Agreement Protocol that hides the implementation and is robust to random numbers that are less than perfect.