Switch to cryptographically strong PRNG

[gavv]

Problem

In RTP, the SSRC value and the initial value for seqnums and timestamps should be random.

Here is what RFC 3550 says about seqnums:

The initial value of the sequence number
SHOULD be random (unpredictable) to make known-plaintext attacks
on encryption more difficult, even if the source itself does not
encrypt according to the method in Section 9.1, because the
packets may flow through a translator that does. Techniques for
choosing unpredictable numbers are discussed in [17].

These requirements have security reasons. The RFC recommends using a cryptographically strong PRNG (CSPRNG), but currently our PRNG is uniform but not cryptographically strong.

Solution

We already use libuv, which also provides CSPRNG: http://docs.libuv.org/en/v1.x/misc.html#c.uv_random

Here is what we should do:

• Rename current PRNG: roc_core/target_posix/roc_core/random.h|cpp to roc_core/target_posix/roc_core/fast_random.h|cpp and core::random() to core::fast_random().

• Add roc_core/target_libuv/roc_core/secure_random.h|cpp with core::secure_random(). Implement is using synchronous version of uv_random() (set loop, req, and cb to NULL).

• Use secure_random() instead of fast_random() in audio::Packetizer and fec::Writer.

[fusuiyi123]

Hi @gavv i will send a pr for this, thanks.

[fusuiyi123]

Q: I don't quite understand the original random() usage here: https://github.com/roc-project/roc/blob/master/src/modules/roc_audio/packetizer.cpp#L38, and int uv_random(uv_loop_t* loop, uv_random_t* req, void* buf, size_t buflen, unsigned int flags, uv_random_cb cb) returns succeed or not, which I don't quite understand how to use it here. New to this repo and your docs really impressed me, Would appreciate your help.

[gavv]

@fusuiyi123 Hi, you're welcome.

I don't quite understand the original random() usage here

We generate a random number in range [0; 2^32) and assign it to source_. (packet::source_t is a 32-bit unsigned integer and so packet::source_t(-1) is 2^32-1).

int uv_random(...) returns succeed or not, which I don't quite understand how to use it here.

If uv_random fails, we should fail Packetizer initialization. We can do it by adding bool valid_ field and using it like this:

Packetizer::Packetizer() 
    : valid_(false) {
    if (something failed) {
        return;
    }
    valid_ = true;
}

bool Packetizer::valid() const {
    return valid_;
}

Then we can use Packetizer::valid() to check whether it was initialized correctly, somewhere in roc_pipeline when it's created. We use the same approach for many other classes, just grep for valid_ string.

[fusuiyi123]

Hi @gavv sorry if I ask dumb question.
Here

    , source_((packet::source_t)core::random(packet::source_t(-1)))
    , seqnum_((packet::seqnum_t)core::random(packet::seqnum_t(-1)))
    , timestamp_((packet::timestamp_t)core::random(packet::timestamp_t(-1))) {

these 3 var are assigned random number. Now we want to replace them with int uv_random(uv_loop_t* loop, uv_random_t* req, void* buf, size_t buflen, unsigned int flags, uv_random_cb cb), which however is Fill buf with exactly buflen cryptographically strong random bytes acquired from the system CSPRNG. How this can be used here? Thank you:)

[gavv]

You can look at current core::random() implementation (which we should rename to core::fast_random()). I think we need something similar, but using uv_random() instead of nrand48() to generate random numbers.

[fusuiyi123]

hmm I am new to this concept, how to transform bytes void* buf to a random number..?

[gavv]

uv_random fills the provided buffer with random bytes. You can just use the number as "a buffer", something like this:

uint32_t num;
uv_random(NULL, NULL, &num, sizeof(num), 0, NULL);

After this call, num will contain a random integer in range [0; 2^32).

The next step is to generate a uniformly-distributed random numbers in range [from; to] based on this. We can use the same technique with a loop, as we do in current core::random() implementation.

To be honest, that's a bit strange question to me. If you feel new to C or C++, I can recommend you a few good books on them.

[fusuiyi123]

thanks I finally understand it.. please recommend me a c++ book:)

[gavv]

please recommend me a c++ book:)

I've sent you an email.

[fusuiyi123]

thanks! I met an issue: though I have #include <uv.h> in secure_random.cpp, I have src/modules/roc_core/target_posix/roc_core/secure_random.cpp:56:13: error: use of undeclared identifier 'uv_random' if (uv_random(NULL, NULL, &val, sizeof(val), 0, NULL) && val >= min) {

[fusuiyi123]

I saw this is New in version 1.33.0. and https://github.com/roc-project/roc/blob/master/SConstruct#L28 gives 1.5.0 default, I am not sure if it is related to this

[gavv]

Oh, I didn't notice that this is a new function. So you're using an older libuv?

Then let's do the following:

• change default from 1.5.0 to 1.33.0
• add in ifdef to check libuv version; if we're using an old one, fallback to fast_random()

[gavv]

Later we'll add an optional alternative secure_random() implementation using OpenSSL, so it'll be possible to have a correct implementation even with old libuv.

[fusuiyi123]

Thanks so much, I raised a pr and listed my question over there.

[gavv]

FYI: 90e5533 (pushed to develop)

[gavv]

PR is merged.

[gavv]

@fusuiyi123 FYI: #364