Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG. / Hurley-Smith, Darren; Hernandez-Castro, Julio.

In: IEEE Transactions on Information Forensics and Security, Vol. 13, No. 4, 04.2018, p. 1031-1041.

Research output: Contribution to journal › Article

Published

Harvard

Hurley-Smith, D & Hernandez-Castro, J 2018, 'Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG', IEEE Transactions on Information Forensics and Security, vol. 13, no. 4, pp. 1031-1041. https://doi.org/10.1109/TIFS.2017.2777342

APA

Hurley-Smith, D., & Hernandez-Castro, J. (2018). Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG. IEEE Transactions on Information Forensics and Security, 13(4), 1031-1041. https://doi.org/10.1109/TIFS.2017.2777342

Vancouver

Hurley-Smith D, Hernandez-Castro J. Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG. IEEE Transactions on Information Forensics and Security. 2018 Apr;13(4):1031-1041. https://doi.org/10.1109/TIFS.2017.2777342

Author

Hurley-Smith, Darren; Hernandez-Castro, Julio. / Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG. In: IEEE Transactions on Information Forensics and Security. 2018; Vol. 13, No. 4. pp. 1031-1041.

BibTeX

@article{f939aa55fff54500b6639f78853185a4,
title = "Certifiably Biased: An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG",
abstract = "This paper reports the first in-depth analysis of the DESFire EV1's EAL4+ certified TRNG and raises some difficult questions regarding the certification of non-deterministic random number generators. We start by analyzing the quality of the purportedly true random number generator (TRNG) on the DESFire EV1 card. Clear and consistent biases are identified, despite good performance in most randomness tests. These statistical tests, commonly used in popular certification processes, such as Common Criteria EAL4+, are found not to be able to detect these anomalies. The means we employ for the detection and characterization of the bias are explored, highlighting both novel and existing ways of spotting deficient TRNG output. Further analysis shows systemic issues affecting TRNG output at the byte level, for which we have developed an accurate explanation. Our results have been acknowledged by the manufacturer, after responsible disclosure.",
author = "Darren Hurley-Smith and Julio Hernandez-Castro",
year = "2018",
month = apr,
doi = "10.1109/TIFS.2017.2777342",
language = "English",
volume = "13",
pages = "1031--1041",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6021",
publisher = "IEEE",
number = "4",

}

RIS

TY - JOUR

T1 - Certifiably Biased

T2 - An In-Depth Analysis of a Common Criteria EAL4+ Certified TRNG

AU - Hurley-Smith, Darren

AU - Hernandez-Castro, Julio

PY - 2018/4

Y1 - 2018/4

N2 - This paper reports the first in-depth analysis of the DESFire EV1's EAL4+ certified TRNG and raises some difficult questions regarding the certification of non-deterministic random number generators. We start by analyzing the quality of the purportedly true random number generator (TRNG) on the DESFire EV1 card. Clear and consistent biases are identified, despite good performance in most randomness tests. These statistical tests, commonly used in popular certification processes, such as Common Criteria EAL4+, are found not to be able to detect these anomalies. The means we employ for the detection and characterization of the bias are explored, highlighting both novel and existing ways of spotting deficient TRNG output. Further analysis shows systemic issues affecting TRNG output at the byte level, for which we have developed an accurate explanation. Our results have been acknowledged by the manufacturer, after responsible disclosure.

U2 - 10.1109/TIFS.2017.2777342

DO - 10.1109/TIFS.2017.2777342

M3 - Article

VL - 13

SP - 1031

EP - 1041

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6021

IS - 4

ER -