
This happened during a discussion of RNG entropy, and the difficulty of verifying the level of entropy in a long sequence of bits (e.g. a private key).

A colleague of mine told me about a website that, given a sufficient quantity of output from a PRNG, had been able to deduce which application the PRNG was from. As an example, he told me that he had submitted data from OpenSSL's random number generator and the website had identified "Open SSL" as the source.

This was about three years ago. He encountered the website at a previous company he worked at.

I can't find this site by googling, and my colleague may not be able to find the URL (he's looking it up). Not surprisingly, I'm very worried if the output from supposedly-cryptographically-secure PRNGs is vulnerable to a distinguisher attack with trivial complexity!

If anyone here recognises this website, could they please post an answer containing its URL?

AJM

2 Answers


> A colleague of mine told me about a website that, given a sufficient quantity of output from a PRNG, had been able to deduce which application the PRNG was from.

As you correctly identified, this would present an immediate and probably devastating attack on any cryptographic PRNG, as it would indeed allow you to easily distinguish a random string from a PRNG output, something cryptographers try to make impossible to do efficiently.


However, there might be some truth to the story. Here are the two cases I know of where it would be possible:

  • The website identifies the output to be from the infamous OpenSSL Debian bug.
  • The site is given an RSA public key and can tell which implementation produced it as the prime-search strategies vary a bit in a secure way between different libraries. This was presented at Usenix Security 2016 (PDF) and perhaps someone converted this into a website.
b degnan
SEJPM

One tool that tries to do this is untwister. It's almost certainly not the tool you were thinking of, though, as it cannot determine if the output came from OpenSSL specifically.

It can determine Glibc's rand(), Mersenne Twister (MT19937), PHP's MT-variant (php_mt_rand), Ruby's MT-variant DEFAULT::rand(), and Java's Random() class, though, and can recover the seed, thereby allowing you to predict future output.

All these are, however, insecure random bit generators; the name of the website (after the Mersenne Twister, no doubt) means that it likely won't be able to distinguish secure random number generators.

Maarten Bodewes
ChrisInEdmonton
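As an added illustration of the state recovery the answer above describes (this is example code written for this page, not untwister's own code): MT19937's output tempering is a bijection on 32-bit words, so 624 consecutive outputs of Python's random.getrandbits(32) can be untempered into the full 624-word internal state, and a generator loaded with that state then predicts every later output. Python's random module is used here simply because it is an MT19937; the seed value and the number of predicted outputs are arbitrary choices for the demo.

```python
import random

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words


def temper(y):
    """MT19937 output tempering (used here only to self-check untemper)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def undo_right_xor(y, shift):
    """Invert y ^= y >> shift. Each pass fixes `shift` more bits from the top."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def undo_left_xor_mask(y, shift, mask):
    """Invert y ^= (y << shift) & mask. Each pass fixes `shift` more low bits."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Undo the four tempering steps in reverse order to get the raw state word."""
    y = undo_right_xor(y, 18)
    y = undo_left_xor_mask(y, 15, 0xEFC60000)
    y = undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = undo_right_xor(y, 11)
    return y


def clone_mt19937(outputs):
    """Return a random.Random whose future outputs match the observed generator.

    `outputs` must be exactly 624 consecutive values from getrandbits(32),
    i.e. one full state block; nothing about the seed needs to be known.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    # Python's state tuple is (version, (624 words..., index), gauss_next).
    # index == 624 makes the next call twist, exactly as the victim will.
    clone.setstate((3, tuple(state) + (N,), None))
    return clone


def demo(seed=20240101, predict=5):
    """Observe 624 outputs from a seeded victim, clone it, predict the next ones.

    The seed is an arbitrary constant for the demo; the attack never uses it.
    Returns (predicted, actual) so the caller can compare them.
    """
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(predict)]
    actual = [victim.getrandbits(32) for _ in range(predict)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
```

The point for the thread: this works with no knowledge of the seed and with only 624 words of output, which is exactly why MT19937-family generators are not usable where an attacker can see any output. A CSPRNG such as OpenSSL's is designed so that no such inversion from output to state exists, and so no output-only "which library produced this" test should exist either.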