Portal de Periódicos da CAPES

On statistical distance based testing of pseudo random sequences and experiments with PHP and Debian OpenSSL

2015; Elsevier BV; Volume: 53; Linguagem: Inglês

10.1016/j.cose.2015.05.005

1872-6208

Yongge Wang, Tony Nicol,

Digital Media Forensic Detection

NIST SP800-22 (2010) proposed the state of the art statistical testing techniques for testing the quality of (pseudo) random generators. However, it is easy to construct natural functions that are considered as GOOD pseudorandom generators by the NIST SP800-22 test suite though the output of these functions is easily distinguishable from the uniform distribution. This paper proposes solutions to address this challenge by using statistical distance based testing techniques. We carried out both NIST tests and LIL based tests on commonly deployed pseudorandom generators such as the standard C linear congruential generator, Mersenne Twister pseudorandom generator, and Debian Linux (CVE-2008-0166) pseudorandom generator with OpenSSL 0.9.8c-1. Based on experimental results, we illustrate the advantages of our LIL based testing over NIST testing. It is known that Debian Linux (CVE-2008-0166) pseudorandom generator based on OpenSSL 0.9.8c-1 is flawed and the output sequences are predictable. Our LIL tests on these sequences discovered the flaws in Debian Linux implementation. However, NIST SP800-22 test suite is not able to detect this flaw using the NIST recommended parameters. It is concluded that NIST SP800-22 test suite is not sufficient and distance based LIL test techniques be included in statistical testing practice. It is also recommended that all pseudorandom generator implementations be comprehensively tested using state-of-the-art statistically robust testing tools. Extensive testing shows that NIST's state of the art testing techniques for pseudorandom generators are not sufficient.Design and implementation of LIL based testing techniques.Comprehensive documentation of OpenSSL pseudorandom generators and entropy collection process.Based on the comprehensive documentation, identification of potential attacks and flaws on OpenSSL pseudorandom generators.