MA: Blackbox Evaluation of Randomness in TLS Handshakes

Abstract:

Transport Layer Security (TLS) is one of the most widely used cryptographic protocols in the world. It relies on randomness for secure key and nonce generation during session negotiation. These keys ensure the integrity, authenticity, and confidentiality of data for the whole TLS session. The security of the subsequent data transmission also relies on randomness used outside of key generation, such as nonces and initialization vectors. In this thesis, we explore the motivation and background of randomness in TLS and implement a scalable approach for analyzing the randomness exposed by TLS hosts. We are especially interested in recovering the PRNGs and seeds used by implementations that deviate from the TLS specification when generating this randomness. The main question of the thesis is whether TLS hosts on the internet use weak PRNG implementations with weak seeds to generate randomness. To answer it, we use both algebraic solvers for certain PRNGs and large sets of pre-computed outputs. We evaluate our approach in a lab setting, to show its efficacy and performance, and in a large-scale internet-wide scan of 200k hosts in the IPv4 space. While the hypothesis of weak PRNGs with weak seeds could not be confirmed, we found hosts disregarding details of the TLS specification. They used weak random values in ServerHello messages or even reused them over multiple sessions, making them vulnerable to replay attacks. We also found similar behavior for CBC-mode initialization vectors, possibly rendering hosts open to chosen-plaintext attacks.
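The two checks the abstract describes (reused or structurally weak ServerHello randoms across sessions, and seed recovery for a weak PRNG) can be shown offline on constructed captures. The following is an added example and not code from the thesis: it wraps 32-byte randoms in minimal ServerHello records (legacy version, random, empty session id, one cipher suite, null compression, no extensions), parses the random back out, flags reuse and constant tails, and, for a hypothetical weak generator (a 32-bit LCG that emits its full state, with made-up parameters that do not correspond to any real TLS stack), recovers the seed algebraically by stepping the first output word back through the inverse LCG. The sample sessions are constructed inline.

```python
"""Added example (not code from the thesis): detect reused or structurally weak
ServerHello randoms across sessions and algebraically recover the seed of a
hypothetical weak PRNG (a 32-bit LCG emitting its full state)."""
import hashlib
import struct
from collections import defaultdict

# Hypothetical weak PRNG parameters (assumption for the lab case; not a real TLS stack).
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2 ** 32


def lcg_bytes(seed, n_words):
    """Emit n_words big-endian 32-bit LCG outputs, as a weak implementation might."""
    out, state = bytearray(), seed
    for _ in range(n_words):
        state = (LCG_A * state + LCG_C) % LCG_M
        out += struct.pack(">I", state)
    return bytes(out)


def build_server_hello(server_random, version=b"\x03\x03"):
    """Wrap a 32-byte random in a minimal ServerHello inside a TLS handshake record."""
    assert len(server_random) == 32
    # legacy version, random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    body = version + server_random + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def parse_server_hello_random(record):
    """Extract the 32-byte random from a handshake record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 34:
        raise ValueError("truncated ServerHello")
    return body[2:34]  # skip the 2-byte legacy version field


def is_structurally_weak(server_random):
    """True if the 28 bytes after the legacy gmt_unix_time field are one repeated byte."""
    return len(set(server_random[4:])) == 1


def recover_lcg_seed(server_random):
    """Treat the random as eight consecutive LCG outputs. If words 2..8 follow from
    word 1, step word 1 back through the inverse LCG to get the seed; else None."""
    words = struct.unpack(">8I", server_random)
    state = words[0]
    for expected in words[1:]:
        state = (LCG_A * state + LCG_C) % LCG_M
        if state != expected:
            return None
    a_inv = pow(LCG_A, -1, LCG_M)  # LCG_A is odd, so it is invertible mod 2**32
    return ((words[0] - LCG_C) * a_inv) % LCG_M


def analyze(records):
    """Return reused randoms (as lists of session indices), sessions with a
    structurally weak random, and recovered LCG seeds keyed by session index."""
    seen = defaultdict(list)
    findings = {"reused": [], "weak_pattern": [], "lcg_seed": {}}
    for i, rec in enumerate(records):
        r = parse_server_hello_random(rec)
        seen[r].append(i)
        if is_structurally_weak(r):
            findings["weak_pattern"].append(i)
        seed = recover_lcg_seed(r)
        if seed is not None:
            findings["lcg_seed"][i] = seed
    findings["reused"] = [idx for idx in seen.values() if len(idx) > 1]
    return findings


def sample_records():
    """Constructed captures: two good sessions, a weak-PRNG host seen twice,
    a timestamp-plus-zeros host, and a replay of the first good random."""
    good1 = hashlib.sha256(b"session-1").digest()
    good2 = hashlib.sha256(b"session-2").digest()
    weak = lcg_bytes(0xDEADBEEF, 8)
    stamped_zeros = struct.pack(">I", 1700000000) + bytes(28)
    return [build_server_hello(r) for r in (good1, good2, weak, weak, stamped_zeros, good1)]


if __name__ == "__main__":
    print(analyze(sample_records()))
```

Reuse detection needs only the parsed randoms and a hash map keyed on them, so it scales to a scan of many hosts; the seed recovery is the cheap algebraic case, where a full-state LCG is identified from two outputs and inverted in constant time, whereas truncated or non-linear generators are where the pre-computed tables mentioned above come in.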