Weak Random Number Generation and Remedies

  • Venky Karukuri
Weak Random Numbers

Intro

In cryptography, random numbers are often used to generate session identifiers and cryptographic keys. One of the biggest sins you can commit with random numbers is not using cryptographically sound random numbers when they should be used. An attacker who can predict numbers can use this information to breach a system's security. A value should not be predictable from another value.

Most programming language libraries have had random number generators for years. The numbers may look random, but they aren't, because the algorithms used to generate them are deterministic.

What is randomness?

Randomness is the lack of predictability or pattern in a series of numbers or occurrences. In cryptography, random numbers are crucial to creating cryptographic keys, initialization vectors, and other key parameters, ensuring that cryptographic methods are secure and unpredictable.

What is entropy?

Entropy is a measure of randomness or unpredictability in a system; it refers to the level of unpredictability necessary for truly random numbers to be generated. It is recommended that strong cryptographic random numbers be generated from sources that have high entropy, such as hardware events (e.g., mouse movements, keyboard inputs) or environmental noise.

What is pseudo-randomness?

In pseudo-randomness, numbers that appear random are actually generated via deterministic processes. By using an algorithm and a seed, pseudo-random number generators (PRNGs) generate a sequence of integers with statistical unpredictability properties. It is possible for PRNGs to become predictable if their internal state is known, resulting in weak random numbers in cryptography.

Random numbers can be divided into three types:

Non-cryptographic pseudo-random number generators (non-cryptographic PRNG):

Prior to the internet, random numbers weren't usually employed for security-sensitive applications; rather, they were only used in statistical simulations. The goal was to generate numbers that passed all randomness tests, so APIs were written to receive a single number and use it as the source (seed) of an extended succession of random-appearing numbers. With conventional non-cryptographic generators, the whole state could be computed from one output value, although most applications don't use the output directly and instead convert it into a small range.

Cryptographic pseudo-random number generators (CRNGs)

In the simplest form, cryptographic pseudo-random number generators (CRNGs) behave similarly to traditional random number generators. Whenever you give one the same seed, it produces the same set of numbers. In addition, the strength of cryptographic generator outputs can never exceed the strength of the underlying key. The only real difference is that the attacker doesn't know the seed.

"True" random number generators (TRNGs)

True random numbers are in short supply on the typical machine, especially on servers where no one sits in front of the console with a keyboard and mouse. Hardware can be used to solve this problem, but it's usually not cost-effective. Therefore, it usually pays to seed CRNGs with true random numbers instead.

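The first two generator types above, as an added Python example that is not from the original article: a toy linear congruential generator whose output is its whole state, beside a session ID drawn from the operating system's generator through Python's secrets module. The class, function names, constants and seed are constructed for illustration.

```python
import secrets

# Constructed toy generator: a linear congruential generator (LCG) whose
# output is its entire internal state. The constants are the classic
# textbook values; nothing here comes from the original article.
A, C, M = 1103515245, 12345, 2**31


class ToyLCG:
    def __init__(self, seed: int):
        self.state = seed % M

    def next(self) -> int:
        self.state = (A * self.state + C) % M
        return self.state


def weak_session_id(rng: ToyLCG) -> str:
    """Weak: session ID taken directly from a non-cryptographic PRNG."""
    return f"{rng.next():08x}"


def predict_next_id(observed_id: str) -> str:
    """One observed ID is the full state, so its successor follows from it."""
    state = int(observed_id, 16)
    return f"{(A * state + C) % M:08x}"


def strong_session_id() -> str:
    """Hardened: 128 bits from the operating system's CSPRNG."""
    return secrets.token_hex(16)


def demo():
    server_rng = ToyLCG(seed=20240101)  # constructed seed
    issued = [weak_session_id(server_rng) for _ in range(3)]
    # Whoever holds issued[0] can compute issued[1] without knowing the seed.
    return issued, predict_next_id(issued[0])


if __name__ == "__main__":
    issued, predicted = demo()
    print("issued:   ", issued)
    print("predicted:", predicted, "matches:", predicted == issued[1])
    print("hardened: ", strong_session_id())
```
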
Redemption Steps on Windows Platform:

On Windows Vista, the Windows CryptoAPI provides the routine CryptGenRandom() or BCryptGenRandom(), which can be implemented by any cryptographic provider.

Install a trusted third-party random number generator like the Microsoft Cryptographic API or a hardware random number generator.

Install the latest security patches and upgrades on your Windows computer.

If you use random numbers for cryptography, make sure they come from a reliable source, such as a dependable hardware system.

Several cryptography libraries contain random number generators which have been extensively tested and verified. Such libraries provide a higher level of security and confidence in the unpredictability of the numbers being generated.

Redemption Steps for Unix platforms:

Two special devices serve random numbers (generally, /dev/random and /dev/urandom, but OpenBSD provides /dev/srandom and /dev/urandom as well).

Linux systems have a built-in random number generator called /dev/random, but it might not provide enough entropy. A third-party random number generator, such as haveged, would be a good option for use in cryptography.

Your Linux machine should have the most recent security patches and upgrades installed.

Any random numbers you use for cryptography should come from a dependable source, such as a hardware system or an outside source.

Verify the randomly generated numbers for biases and trends with statistical tests or output analysis.

The random number generator tools in a number of cryptography libraries have been extensively tested and verified. A higher level of security and confidence in the unpredictability of the numbers being generated can be achieved by using such a library. OpenSSL and GnuPG are a couple of well-liked libraries.
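The statistical check recommended in the steps above, as an added Python example that is not from the original article: the frequency (monobit) and runs tests from NIST SP 800-22 applied to constructed samples. The alternating sample is perfectly balanced yet fails the runs test, and passing both tests still says nothing about whether an attacker can predict the generator.

```python
import math
import os


def bits_of(data: bytes):
    """Yield each bit of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit_p(data: bytes) -> float:
    """Frequency (monobit) test: are ones and zeros roughly balanced?"""
    n = len(data) * 8
    s = sum(1 if b else -1 for b in bits_of(data))
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(data: bytes) -> float:
    """Runs test: does the stream switch value too often or too rarely?"""
    bits = list(bits_of(data))
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # too biased for the runs test to be meaningful
    runs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    num = abs(runs - 2 * n * pi * (1 - pi))
    return math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(data: bytes, alpha: float = 0.01) -> dict:
    """Return each test's p-value and whether the sample passes both."""
    result = {"monobit": monobit_p(data), "runs": runs_p(data)}
    result["pass"] = result["monobit"] >= alpha and result["runs"] >= alpha
    return result


# Constructed samples, 1024 bits each
BIASED = b"\xfe" * 128       # seven ones per byte: a clear bias
ALTERNATING = b"\x55" * 128  # 0101...: balanced but trivially predictable

if __name__ == "__main__":
    for name, sample in [("biased", BIASED), ("alternating", ALTERNATING),
                         ("os.urandom", os.urandom(128))]:
        print(name, assess(sample))
```
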