Encryption: When Random Numbers aren’t Random Enough

February 9, 2016

Random numbers are the backbone of security. If an attacker can predict the output of your Random Number Generator (RNG), then virtually everything you build on it will be vulnerable. Unfortunately, the way these random numbers are typically generated can put our most sensitive data at risk. Today’s cyber-criminals know that the path of least resistance for breaking encryption can often be stealing or guessing cryptographic keys that are generated and managed poorly.

Because security keys generated by pseudo-random, or deterministic, number generators (PRNGs) are derived from mathematical algorithms, they are not truly random and can be vulnerable to randomness errors and to attacks by increasingly powerful computers. These PRNGs lack the level of entropy needed to ensure optimal security, and as computer processing speed and power increase, the risk of cracking security keys based on PRNGs increases greatly. If we ever hope to improve encryption, we need to move away from these vulnerable algorithmic approaches.

“Random numbers” at their worst

In the past year alone we’ve seen major companies come under scrutiny because they relied on traditional RNGs that did not generate keys with sufficiently high entropy. Following the recent attack on Juniper devices, multiple cryptographers reported the use of a weak random number generator as one of several problems with the company’s VPN technology. The company is now working on including more robust random number technology.

In another recent case, Raspberry Pi computers running the Raspbian OS produced “random” numbers that were actually predictable, because the OS did not use a hardware RNG by default. As a result, the cryptographic keys created from these predictable sequences during the machine’s first boot-up could be recreated by attackers and used to decrypt intercepted Secure Shell (SSH) connections, revealing login passwords and allowing attackers to spy on the computers.

These two examples are unfortunately far from exhaustive…
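The failure mode described above, where keys drawn from a predictable sequence can be recreated, is shown here as an added example that is not code from the original article or from any affected product. The one-hour seed window, the seed value and the helper names are constructed assumptions and do not describe the actual Raspbian or Juniper mechanisms.

```python
import hashlib
import random
import secrets

KEY_BYTES = 16

def weak_key(seed):
    """Vulnerable pattern: key bytes drawn from a deterministic PRNG."""
    rng = random.Random(seed)  # Mersenne Twister: same seed, same output
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))

def strong_key():
    """Hardened pattern: key bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def fingerprint(key):
    """Public value an observer can see (stand-in for a key fingerprint)."""
    return hashlib.sha256(key).hexdigest()

def seed_matching(fp, seeds):
    """Audit helper: return the seed whose weak key has fingerprint fp."""
    for seed in seeds:
        if fingerprint(weak_key(seed)) == fp:
            return seed
    return None

# Constructed scenario (assumption): the generator is seeded from a clock
# value that must fall somewhere inside a one-hour first-boot window.
WINDOW = range(1_454_976_000, 1_454_976_000 + 3600)
DEVICE_SEED = 1_454_977_234  # constructed value inside WINDOW

def demo():
    """Return (seed found for the weak key, seed found for the CSPRNG key)."""
    weak_fp = fingerprint(weak_key(DEVICE_SEED))
    strong_fp = fingerprint(strong_key())
    return seed_matching(weak_fp, WINDOW), seed_matching(strong_fp, WINDOW)

if __name__ == "__main__":
    weak_hit, strong_hit = demo()
    # A 128-bit key that depends on one of 3600 seeds has under 12 bits
    # of real entropy, however long the key itself is.
    print("weak key recreated from seed:", weak_hit)
    print("CSPRNG key matched a seed in the window:", strong_hit)
```

The length of the key is irrelevant here: its strength is bounded by the number of possible seeds, which is why key generation should draw from the operating system's entropy pool rather than from a seeded general-purpose generator.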

True random at its best

It is fair to ask why so many security solutions are still reliant on inadequate, predictable cybersecurity solutions, when stronger alternatives are now commercially available. Unlike the problem-ridden pseudo-random numbers, commercial solutions that leverage the randomness properties of quantum technology, delivered at the high speeds needed for practical solutions, can vastly improve the foundation and strength of encryption. Quantum-based RNGs create numbers at full entropy, i.e. with complete unpredictability, and enable the creation of high-quality cryptographic keys. For more information on the basics, check out this whitepaper that goes into greater detail.

While quantum technology sounds expensive and complicated to implement, it may be surprising to know that quantum technology is already present in everyday objects such as lasers, lava lamps and LED lights, which rely significantly on quantum mechanics. Developments in applications of quantum science over the past few years mean that true random is not only approachable, but available cost-effectively and reliably through commercial options on the market now. This makes the question “Why aren’t you using true random?” all the more relevant.

The road to true random

Security breaches are growing at an exponential rate and we are seeing more successful attacks on companies leveraging poor encryption. The failure to protect their customers’ data is costing companies revenue and more importantly trust – which is far more difficult to regain once lost. Higher levels of security employing true random numbers generated from quantum sources are part of the solution to better protect customers’ data and their trust. Pioneers in several industry sectors are already beginning to use these solutions to protect their sensitive data, including aerospace, government and defense, cloud storage, and financial institutions. I believe it is just a question of time before this awareness extends more broadly among security-minded firms.