Evaluating the Randomness of the RNG in a Commercial Smart Card

  • Wellinton Costa Ribeiro CEFET-MG
  • Marcus Tadeu Pinheiro Silva CEFET-MG

Abstract


This paper presents the results of a quality evaluation of the pseudo-random number generator (PRNG) in a commercial smart card. The RNG is a fundamental component of the cryptography performed in many applications. We acquired a large quantity of random numbers from three samples of a commercial smart card. These data were evaluated with the statistical test suite developed by the National Institute of Standards and Technology. To serve as a gold-standard benchmark and to validate our methodology, we also tested the true random number generator (TRNG) included in a commercial integrated circuit. Our results show that the card PRNG is of far lower quality than the TRNG. Because of the card vendor's confidentiality policy, it is not possible to state that the tested PRNG is the basis for the device's cryptography. However, if it is, our results lead us to conclude that the tested PRNG is not adequate to provide the required security in systems that adopt the evaluated smart card.
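The NIST statistical test suite referred to above (SP 800-22) is a battery of hypothesis tests that each turn a bit sequence into a p-value; a p-value below 0.01 is taken as evidence that the generator is not random. The following added example, written for this page and not part of the paper or of the NIST reference implementation, implements two of those tests (Frequency/Monobit and Runs) and the "proportion passing" summary used when many samples are drawn from one generator. The sample inputs are constructed: the two 10-bit worked examples given in SP 800-22 itself, plus an alternating pattern that is perfectly balanced yet obviously structured, which shows why a generator that passes one test can still be unusable.

```python
import math
from typing import Callable, Dict, Iterable, Tuple

# Significance level used throughout SP 800-22: p < 0.01 is reported as "non-random".
SIGNIFICANCE = 0.01


def bytes_to_bits(data: bytes) -> str:
    """Expand raw generator output (e.g. bytes read from a card) into a '0'/'1' string, MSB first."""
    return "".join(f"{b:08b}" for b in data)


def monobit_test(bits: str) -> float:
    """Frequency (Monobit) Test, SP 800-22 section 2.1.

    Maps 0 -> -1 and 1 -> +1, sums, and normalises by sqrt(n); under the
    randomness hypothesis that statistic is approximately N(0, 1), so the
    two-sided p-value is erfc(|S|/sqrt(2n)).
    """
    n = len(bits)
    s = sum(1 if b == "1" else -1 for b in bits)
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits: str) -> float:
    """Runs Test, SP 800-22 section 2.3.

    Counts maximal runs of identical bits and compares with the count expected
    for the observed proportion of ones. The spec requires the monobit
    prerequisite |pi - 1/2| < 2/sqrt(n) first; when it fails the test is not
    applicable, which this helper reports as p = 0.0 (a failure).
    """
    n = len(bits)
    pi = bits.count("1") / n
    tau = 2 / math.sqrt(n)
    if abs(pi - 0.5) >= tau:
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


TESTS: Dict[str, Callable[[str], float]] = {
    "monobit": monobit_test,
    "runs": runs_test,
}


def evaluate(bits: str) -> Dict[str, Tuple[float, bool]]:
    """Run every test on one sequence and report (p-value, passed) per test."""
    return {name: (p, p >= SIGNIFICANCE)
            for name, p in ((name, test(bits)) for name, test in TESTS.items())}


def proportion_passing(sequences: Iterable[str], test: Callable[[str], float]) -> float:
    """Fraction of sequences with p >= SIGNIFICANCE for one test.

    SP 800-22 applies each test to many sequences from the same generator and
    checks that this proportion stays inside a confidence interval around
    1 - SIGNIFICANCE; a generator with a real bias fails here even when single
    sequences occasionally pass.
    """
    seqs = list(sequences)
    passed = sum(1 for s in seqs if test(s) >= SIGNIFICANCE)
    return passed / len(seqs)


if __name__ == "__main__":
    # Constructed sample inputs (not card data):
    #  - "1011010101" and "1001101011" are the worked examples from SP 800-22
    #  - "0101...": balanced (monobit p = 1.0) but fully predictable (runs test fails)
    samples = [
        ("spec monobit example", "1011010101"),
        ("spec runs example", "1001101011"),
        ("alternating 0101...", "01" * 500),
    ]
    for label, bits in samples:
        print(f"{label:24s} {evaluate(bits)}")
    print("proportion passing monobit:",
          proportion_passing([b for _, b in samples], monobit_test))
```

To apply this to real device output, read the generator bytes into `bytes_to_bits`, split the result into many sequences of equal length, and examine the proportion passing each test rather than a single p-value; a single sequence is expected to fail at the 1% level about one time in a hundred even for a perfect generator.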

Published

06/11/2017

RIBEIRO, Wellinton Costa; SILVA, Marcus Tadeu Pinheiro. Evaluating the Randomness of the RNG in a Commercial Smart Card. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 557-563. DOI: https://doi.org/10.5753/sbseg.2017.19531.