The random-number generators that power Web encryption are dangerously weak
Someone should probably fix this.
Research presented at the Black Hat security conference in Las Vegas, Nevada, last week revealed that the Linux software used by the most widely used random-number generators does not spit out sufficiently random numbers. When the stream of numbers underlying encryption is not random, it makes it easier for hackers to break that encryption by predicting the number stream.
Software that spits out highly random numbers is said to possess a quality called entropy. But according to Bruce Potter, one of the computer scientists who conducted the study, the Linux servers that run the most popular random-number generators possess very low entropy.
These servers generate random numbers by processing reams of data and translating it into a number stream that encryption tools can use. The less data they have to process, the less random their output will be. Potter’s study found that they were relying on surprisingly little data.
Potter also noticed that these servers weren’t checking entropy levels, meaning that they weren’t verifying how reliable their random-number streams were.
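The missing check described above can be sketched as follows. This is an added example, not code from Potter and Wood's talk or from this article. It assumes the Linux kernel's `/proc/sys/kernel/random/entropy_avail` and `poolsize` files as the data source; the 25% low-water mark, the two-reading alert rule and the sample readings are constructed for illustration.

```python
import time

PROC = "/proc/sys/kernel/random/"  # Linux kernel RNG status files (assumed source)
# Constructed (second, bits) readings for a 4096-bit pool, not real measurements.
CONSTRUCTED = [(0, 3100), (1, 2900), (2, 640), (3, 180), (4, 150), (5, 900), (6, 2200)]

def read_int(name):
    """Return the integer stored in PROC + name, or None off-Linux or on error."""
    try:
        with open(PROC + name) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def assess(samples, poolsize, low_fraction=0.25):
    """Summarise (timestamp, bits) readings against a mark relative to poolsize."""
    if not samples:
        raise ValueError("no entropy readings to assess")
    mark = int(poolsize * low_fraction)  # relative, since pool size varies by kernel
    low = [(t, b) for t, b in samples if b < mark]
    longest = run = 0
    for _, bits in samples:
        run = run + 1 if bits < mark else 0  # length of the current low streak
        longest = max(longest, run)
    return {
        "mark": mark,
        "min_bits": min(b for _, b in samples),
        "low_samples": len(low),
        "longest_low_run": longest,
        "first_low_at": low[0][0] if low else None,
        "alert": longest >= 2,  # assumed rule: sustained starvation, not one dip
    }

def sample_live(count=5, interval=1.0):
    """Poll the running kernel; returns None where the /proc files are absent."""
    poolsize = read_int("poolsize")
    if poolsize is None:
        return None
    samples = []
    for _ in range(count):
        bits = read_int("entropy_avail")
        if bits is not None:
            samples.append((time.time(), bits))
        time.sleep(interval)
    return assess(samples, poolsize) if samples else None

if __name__ == "__main__":
    print(assess(CONSTRUCTED, 4096))
    print(sample_live(count=3, interval=0.2))
```

Feeding the summary into existing monitoring gives a record of when, and for how long, a server's entropy estimate stayed below the mark.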
Potter and Sasha Wood, a senior engineer at KEYW Corporation, where Potter is CTO, presented a talk called “Managing and Understanding Entropy Usage” at this year’s Black Hat conference. “If there’s one theme in the work we did,” they noted early in their presentation, “it’s ‘no one really understands what’s happening with respect to entropy and randomness in the enterprise.'”
Random-number generators are one of the least discussed but most crucial building blocks of the encryption that secures billions of people’s emails and documents. Attempts to undermine encryption have, in many cases, focused on these basic systems.
In 2006, the NSA built a pseudorandom-number generator whose output it could predict. The spy agency then convinced a government body to recommend its adoption across industries and federal agencies. That standard, called Dual_EC_DRBG, fatally compromised the encryption in every product that relied on it by exposing it to NSA surveillance. By applying its knowledge of how number generation worked, the NSA could defeat any encryption built on top of its standard.
The resulting disclosure of the “backdoor” in Dual_EC_DRBG forever changed the relationship between private security engineers and the government’s technical-standards group, called the National Institute of Standards and Technology (NIST). It is too early to know how businesses will change thanks to Potter and Wood’s research.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.