
A lot of computer security depends on encryption: SSL connections, TCP packet sequencing, encrypted files, etc. These depend on random number generation to ensure that attackers can't guess the encryption key.

Weak random number generation creates security vulnerabilities like the recent one with SSL certificates. However, you can't get truly random output from a deterministic computer program; you need to at least seed it with something truly random from the physical world.

Pseudorandom number generators are sufficient for most purposes; they output a pattern of numbers which is very hard to predict unless you know the starting point. That starting point, however, should be a truly random seed, and should be renewed periodically.

I see that hardware random number generators do exist. My question is: how can I, as a regular computer user, use one? Or am I likely using one already?

I'd like to know that when I start an SSL connection, it's based on solid randomness.

(Of course, this applies doubly to web servers that I work with.)

asked by Nathan Long, edited by AviD
  • Lack of entropy can be a problem in embedded devices or virtual machines. But it is very rarely a problem on desktop computers. – CodesInChaos Jun 18 '12 at 08:54
  • Almost, but not quite, a duplicate - you might be interested in this answer by a cryptographer here: http://security.stackexchange.com/a/29321/33 – AviD Dec 24 '13 at 19:14

2 Answers


As a regular computer user your problems won't be with the random number generator you use, but probably something like password reuse. SSL does depend in part on the MD5 hash function, for which collision attacks do exist. Recently the Flame malware exhibited a successful (but computationally expensive) attack on the Windows Update system due to its dependence on MD5 for security. TLS is more widespread and uses the SHA1 algorithm; no attack has yet been found. However, any sane hacker will try to attack the CAs directly and use a forged certificate to perform a man-in-the-middle attack, rather than investigate the entropy of your random numbers.

For a regular Linux user, you can read from /dev/random to get "pure" random numbers gathered from the environment; in practice /dev/urandom is just as good. It hashes the entropy pool that /dev/random draws from and falls back on pseudorandom number generators when the pool becomes too "dilute". For comparison, on my netbook reading from /dev/random for 10 seconds gives me 46 bytes of really, really random data, while /dev/urandom pipes 65 megabytes of only slightly less random data. I don't feel like waiting a minute to start an ssh session.

In almost any case, randomness is not the weak link. TLS depends on CAs which are operated by people, file encryption depends on how long a password you can remember and where else you type it; people are always part of the equation and they are typically less reliable than SHA1.

  • So `/dev/random` has truly random data? Is it getting that from a hardware source that most computers have? – Nathan Long Jun 18 '12 at 10:21
  • /dev/random comes from the significant figures on the timing of network/disk reads, key presses; you don't need any special hardware. – Tyler Parker Jun 18 '12 at 15:16
  • Hi @TylerParker, welcome to [security.se]! It seems you do have some significant mistakes here, though - Both SSL and TLS are flexible to use various algorithms, specified by the cipher suite; You should read from /dev/urandom, and NOT /dev/random (see e.g. http://security.stackexchange.com/a/3939/33 and http://security.stackexchange.com/a/7074/33); and weak randomness *does* often directly cause exploitable vulnerabilities - e.g. how many webservers had a guessable session Id? Weak passwords, encryption keys? And who can forget the Debian fiasco...? – AviD Dec 24 '13 at 19:12
  • That said, your last sentence is dead on, though - people are invariably the weakest link. Deal with those before worrying about which algorithm to use.... – AviD Dec 24 '13 at 19:12
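As an added example (not code from either answer or commenter), the contrast AviD's comment points at: a session id seeded from the clock, the kind that ends up guessable, beside one drawn from the kernel pool through os.urandom, which on Linux is the /dev/urandom source the answer describes. The function names and the 60-second window are my own assumptions.

```python
# Added example: clock-seeded PRNG session ids vs. ids from the kernel CSPRNG.
# Function names and the search window are assumptions, not from the answers.
import random
import secrets


def weak_session_id(seed: int, nbytes: int = 16) -> str:
    """Deterministic PRNG (Mersenne Twister) seeded from a timestamp.
    Whoever knows or can guess the seed reproduces the identical id."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_session_id(nbytes: int = 16) -> str:
    """secrets.token_hex reads os.urandom, i.e. the kernel CSPRNG
    (/dev/urandom on Linux): it never blocks and has no seed to guess."""
    return secrets.token_hex(nbytes)


def recover_seed(session_id: str, approx_time: int, window: int = 60):
    """Why a clock seed is weak: trying every second in a window around the
    approximate issue time is enough to find the seed behind a weak id."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(candidate) == session_id:
            return candidate
    return None


def kernel_entropy_avail():
    """Linux-only: bits the kernel currently reports in the pool that
    /dev/random draws from; None where the file does not exist."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    issued = 1700000000  # constructed issue time (seconds since epoch)
    weak = weak_session_id(issued)
    print("weak id:  ", weak, "-> seed recovered:", recover_seed(weak, issued + 17))
    print("strong id:", strong_session_id())
    print("entropy_avail:", kernel_entropy_avail())
```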

Yeah, I agree with 'Tyler Parker' that most of the hacking happens through the CA side and not through detection or interception of the end user's secure random generation mechanism.

On the other side, you are right; the deterministic algorithm model adopted for generating secure random numbers is vulnerable and cannot be compared to a hardware random number generator. Typically hardware generators are slow and robust, as they use some natural randomness agents like flux and environmental parameters. That is the reason hardware-based crypto devices like smart cards contain the necessary hardware for randomness generation.

Intel, in their architecture for Intel 4, had introduced a similar logic in their microprocessor, using which software on the PC can leverage the hardware random generation process. More information can be found at http://software.intel.com/en-us/articles/fast-random-number-generator-on-the-intel-pentiumr-4-processor/ and http://www.intel.com/design/software/drivers/platform/security.htm . I am not very sure if the new security providers' software implementations have used it or not. But this is definitely a better approach.

Mohit Sethi