Testing randomness with Stompy

Stompy is a fairly advanced entropy verifier for session cookies, XSRF tokens, OTPs, and other random data. It goes well beyond FIPS-140-2, performing n-dimensional spectral testing as well.

What's so cool about stompy?

Stompy aims to be a quick and mostly automated tool to provide a first line of
assessment and reliably detect common anomalies that are not readily apparent
at a cursory glance.

To achieve this, it:

  • Automatically detects session IDs encoded in URLs, cookies, and form
    inputs, then collects a statistically significant sample of data without
    any user interaction (but can also accept preformatted data from external
    sources),
  • Automatically determines alphabet structure to transparently handle base64,
    uuencode, base32, decimal, hex, or any other sane encoding scheme, including
    mixed encodings. What's big is that it can handle fractional-bit alphabets
    (ones that do not consist of power-of-2 elements), which normally cannot be
    directly mapped to binary,
  • After carrying out a couple of trivial alphabet-based tests, stompy then
    splits the samples into temporally separated bitstreams (stream 1: bit 0 of
    sample 1, bit 0 of sample 2, bit 0 of sample 3...; stream 2: bit 1 of
    sample 1, bit 1 of sample 2, bit...) to individually evaluate how bits change
    in time, and how much entropy they contribute to the identifier.
  • To detect weaknesses in each of the bitstreams, the tool launches NIST
    FIPS-140-2 PRNG evaluation tests on the collected data, as well as a bunch of
    n-dimensional phase analysis attempts (spectral tests) aimed to find PRNG
    hyperplanes and other types of non-trivial data correlation.
  • Lastly, the tool performs a series of spatial correlation checks to identify
    dependencies between neighboring bits in each of the tokens,
  • A final report on the number of correct and anomalous bits is then prepared,
    and the estimated amount of "untainted" entropy is assigned a human-readable
    rating.
How to install/compile stompy in BackTrack 4, BackTrack 5, Debian, ...

First install an additional library, then download and compile stompy:

apt-get install libgmp3-dev
wget http://lcamtuf.coredump.cx/soft/stompy.tgz
tar -xzf stompy.tgz
cd stompy
make

How to run stompy?

To run the program against a website, you can invoke it this way:

... or ...

To test a text file that contains raw tokens obtained by some other means
(one per line), do this:

./stompy -R file.txt
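To make the temporal bitstream split and the per-stream checks described above concrete, here is a small Python illustration; it is added example code, not stompy's own, the token sample is constructed, and it assumes fixed-length tokens over a power-of-2 alphabet (stompy's fractional-bit alphabet handling is not reproduced).

```python
import math
import random

def make_tokens(n=2000, seed=7):
    """Constructed sample (not real cookies): 32-bit hex tokens whose top nibble is
    fixed to 'a' and whose lowest bit just alternates 0,1,0,1 with each request."""
    rng = random.Random(seed)
    return ["%08x" % ((0xA << 28) | (rng.getrandbits(27) << 1) | (i & 1))
            for i in range(n)]

def to_bitstreams(tokens):
    """Detect the alphabet, map each symbol to bits, then regroup temporally:
    stream j = [bit j of token 1, bit j of token 2, ...].  Assumes a power-of-2
    alphabet (hex, base32, base64) and fixed-length tokens."""
    alphabet = sorted(set("".join(tokens)))
    width = math.log2(len(alphabet))
    if width != int(width) or len({len(t) for t in tokens}) != 1:
        raise ValueError("need fixed-length tokens over a power-of-2 alphabet")
    width, index = int(width), {c: i for i, c in enumerate(alphabet)}
    streams = [[] for _ in range(width * len(tokens[0]))]
    for tok in tokens:
        j = 0
        for c in tok:
            for k in range(width - 1, -1, -1):      # most significant bit first
                streams[j].append((index[c] >> k) & 1)
                j += 1
    return streams

def stream_ok(bits, zmax=4.0):
    """Two cheap FIPS-140-2-style checks on one bitstream, as z-scores against a
    fair coin: monobit balance, and how often the bit flips between consecutive
    tokens (catches counters and alternating bits that monobit alone passes)."""
    n = len(bits)
    ones = sum(bits)
    flips = sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    z_mono = abs(ones - n / 2) / math.sqrt(n / 4)
    z_flip = abs(flips - (n - 1) / 2) / math.sqrt((n - 1) / 4)
    return z_mono < zmax and z_flip < zmax

def assess(tokens):
    """Per-bit verdicts plus a crude entropy estimate: the count of untainted bits."""
    verdicts = [stream_ok(s) for s in to_bitstreams(tokens)]
    return {"verdicts": verdicts, "nominal_bits": len(verdicts),
            "untainted_bits": sum(verdicts)}

if __name__ == "__main__":
    r = assess(make_tokens())
    bad = [i for i, ok in enumerate(r["verdicts"]) if not ok]
    print("anomalous bit positions:", bad)
    print("estimated entropy: %d of %d bits" % (r["untainted_bits"], r["nominal_bits"]))
```

On the constructed sample the four stuck bits of the fixed nibble and the alternating low bit are reported as anomalous, so the estimate drops from 32 nominal bits to about 27.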