Rigged Random Number Generators

May 27, 2016

The recent sentencing of Eddie Tipton, the former information security director of the Multi-State Lottery Association, who made headlines for rigging lottery computers to land on known numbers on specific days, highlights the weakness that traditional random number generators (RNGs) introduce into cybersecurity efforts. Not only did Tipton rig a system in his favor, even after a comprehensive security audit, but his actions show that widely used RNGs offer only limited security and are an easy target for outside attacks and even outright fraud.

Most computer encryption methods employed today rely on pseudo-random, or deterministic, RNGs to generate encryption keys. But as I discussed in an earlier post, these pseudo-random number generators (PRNGs) lack the level of randomness (or entropy) needed to ensure optimal security.

As computer processing speed and power increase, the risk of cracking security keys based on PRNGs increases with them. And if an attacker can predict the output of the RNG, then you’re practically giving away the keys to the safe. Unfortunately, far too many companies may not even realize their reliance on PRNGs, and by failing to implement better technology to safeguard their encryption efforts, they put their most sensitive data at risk.

The case of the brothers Tipton

According to prosecutors in the case, Tipton tampered with the RNGs that the Multi-State Lottery Association used to pick the winning numbers for jackpots. While this was initially unproven, further forensic evidence found “the generator had code that was installed after the machine had been audited by a security firm that directed the generator not to produce random numbers on three particular days of the year if two other conditions were met. Numbers on those days would be drawn by an algorithm that Tipton could predict.”

Once this was determined, investigators recreated the drawings and produced the same “winning numbers” Tipton had, from a program that was supposed to produce random numbers.
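An audit check for this kind of date-conditioned logic, as an added example that is not from the original post or the investigation: replay the draw routine under an injected clock for every day of the year and flag the days on which repeated draws never differ. The function names, the trigger dates and the 6-of-49 format are constructed assumptions, and the “two other conditions” from the case are not modelled.

```python
import datetime
import random
import secrets

COUNT, HIGH = 6, 49  # constructed draw format: 6 numbers from 1..49


def honest_draw(now):
    """Reference draw: OS CSPRNG, ignores the clock entirely."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, HIGH + 1), COUNT)))


def draw_under_test(now):
    """Constructed stand-in for a tampered draw routine (hypothetical).
    On three constructed dates it seeds a PRNG from the date alone."""
    if (now.month, now.day) in {(1, 15), (6, 1), (11, 20)}:
        rng = random.Random(now.toordinal())
    else:
        rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, HIGH + 1), COUNT)))


def deterministic_days(draw, year, repeats=5):
    """Replay `draw` with an injected date for every day of `year` and
    return the ISO dates on which all repeats gave the same numbers."""
    flagged = []
    day = datetime.date(year, 1, 1)
    while day.year == year:
        outcomes = {draw(day) for _ in range(repeats)}
        # An honest 6-of-49 draw repeats 5 times with odds of ~1 in 10^28.
        if len(outcomes) == 1:
            flagged.append(day.isoformat())
        day += datetime.timedelta(days=1)
    return flagged


if __name__ == "__main__":
    print("honest:", deterministic_days(honest_draw, 2016))
    print("under test:", deterministic_days(draw_under_test, 2016))
```

A point-in-time audit that only samples output on the audit date would pass both routines; sweeping the injected clock is what exposes the difference.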

It was later revealed that Tommy Tipton, Eddie’s brother and a former justice of the peace, also played a hand in the lottery scandal. After he initially claimed he won multiple thousands by playing lotteries during his travels, it was later revealed that his brother Eddie actually wrote and installed the program to pick those “winning” numbers in multiple states.

True random can help

While Tipton’s case didn’t involve highly confidential government or financial data that was thought to be encrypted, it does show that algorithm-based RNGs can be broken or programmed in such a way as to provide “back door” access. Rather than continuing to put our faith in RNGs with known faults, risks and pitfalls, we can prevent future incidents like this one by using better random number generators, such as devices that leverage the principles of quantum science to deliver true random keys, and through that, improve data security.

Quantum technology is increasingly dipping into mainstream conversation. It was spoken about all over this year’s RSA conference, whether at booths or during panel presentations, and even the Prime Minister of Canada can give a passable description of it.

Given the nature of quantum physics, which is fundamentally random, quantum-based solutions are a natural choice in RNG design. And unlike the pseudo-random numbers used by the lottery officials above, quantum-based RNGs create numbers at full entropy, i.e. with complete unpredictability, and enable the creation of high-quality cryptographic keys.

Rid the world of Faulty RNGs

In reality, encryption itself isn’t difficult. The biggest challenge lies in generating and managing keys and implementing policies across an organization to deliver the appropriate levels of security consistently. If enterprises ever hope to protect valuable data, we need to move away from vulnerable, algorithmic approaches to key generation and implement encryption strategies that actually work.

By relying on weak random number generators to secure data, companies put themselves at significant risk of attack. Quantum cybersecurity solutions that deliver fast, high-quality randomness can help companies protect themselves from these weaknesses. For those that don’t, the recent rigged lottery case is a warning of the risks of weak random number generators – and likely not the last.