Randomness and security

You may ask how randomness has anything to do with security or cryptography. At first glance it sounds like randomness should have nothing to do with security or cryptography but this statement couldn’t be further from the truth. In...

Share

You may ask how randomness has anything to do with security or cryptography. At first glance it sounds like randomness should have nothing to do with security or cryptography but this statement couldn’t be further from the truth.

In fact, in order to have good security, randomness plays a key role (pardon the pun) to ensuring our messages are secure.

Randomness is used in all sorts of ways and when it comes to cryptography it’s usually the difference between a strong and fundamentally weak cryptosystem - all due to randomness alone.

For example, randomness is used to generate cryptographic keys such as long term keys, which are used for encrypting a document for example, or short term keys, which secure such things as secure sockets layer (SSL) sessions.

The biggest challenge with random numbers and computers is that the two do not go well together. A computer is a finite state machine, but even as technology advances and what becomes possible continues to increase, a computer still remains finite.

Randomness by its very nature isn’t finite, and it is incredibly difficult to generate truly random numbers on a finite state machine. Many cryptosystems and security systems are broken by the use of sub-optimal or predictable random number generators.

There are only a few ways to generate truly random numbers and they involve the collection of physically occurring events (radioactive decay, heat dissipation, etc.) and these are very hard to achieve within most modern computers.

There are ways to cryptographically strengthen random numbers, but there are still gaps which must be mitigated - and the assumption must never be that they are perfectly secure.

Weak random number generators in computer systems can be manipulated to produce predictable results, giving the illusion of security and providing only superficial protection. The next time you’re evaluating a security or cryptosystem, ask about the security of random number generator. Chances are you will be surprised at what you will discover.


Blog post by John Velissarios, Accenture Security Consulting

"Recommended For You"

Software developers are failing to implement crypto correctly, data reveals Overreliance on the NSA led to weak crypto standard, NIST advisers find