[Public Interpretations Database]

I-0332: Randomness of generated authentication

 
NUMBER:               I-0332
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                Randomness of generated authentication

FIRST POST:            [criteria 2126]
MOST RECENT REPOST:    [criteria 2164]

REQUIREMENT:          Identification and Authentication
CRITERIA CLASSES:     C1, C2, B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:           <None>

STATEMENT:

The following interprets the requirement that ``... the TCB shall use a protected mechanism (e.g., passwords) to authenticate the user's identity.''

The output of a random value generator used for authentication purposes shall not be obviously predictable and shall cover a sufficiently large range of values to render negligible the probability of guessing its output in a way that could compromise the effectiveness of the authentication mechanism.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

Truly random numbers have the characteristic of being independent; that is, it is impossible to predict the next number in the random number sequence given the previous numbers in the sequence. When a pseudo-random number generators is used, the result is predictable given knowledge of the algorithm and the initial conditions.

The purpose of this interpretation is to address obvious flaws of predictability, not to judge the strength of the random value generation algorithm itself. There are many ways that an algorithm might be obviously predictable: it might have a small set of possible values (an algorithm that produced only 0 and 1 gives a 50/50 chance of prediction), or it might have an easily guessable starting seed (which would make the generated sequence highly predictable). A more subtle form of predictability results when some output values are substantially more likely to be generated than others, even though the space of values is sufficiently large (an example of this problem is described in ``A New Attack on Random Pronounceable Password Generators'' [R. Ganesan, C. Davies] in the Proceedings 17th National Computer Security Conference, Balitmore MD, October 1994, pgs. 184-191).

It is difficult to quantify what makes a seed easily guessable. Most seeds use as input some form of clock, along with other system environment variables such as process IDs. In systems with low activity and a coarse granularity clock (for example, on the order of seconds), this approach might give an easily predictable seed: the coarse granularity of the clock and the low rate of increase in process IDs makes guessing easier. On systems with processes being created and destroyed frequently and irregularly and a fine granularity clock (microseconds), the seed (and hence the values) would be less guessable.

Additional information on acceptable random number seeds may be found in Appendix A.2 of the Password Management Guideline, and a collection of tests for randomness may be found in FIPS 140-1.

A low quality random value generator would be an example of an obvious flaw as referred to by the Security Testing requirement that ``Testing shall also include a search for obvious flaws that would ... permit unauthorized access to ... authentication data.''