- People are roasting this ‘traditional’ take on marriage with a hilarious meme Today 5:17 PM
- The internet just collectively realized that the Neopets of the world must be hungry Today 4:00 PM
- Alt-right message board 8chan was served a search warrant Today 3:06 PM
- O.J. Simpson just joined Twitter in the most bizarre fashion Today 1:20 PM
- Prominent phone-hacking firm says it can unlock any iPhone for law enforcement Today 12:39 PM
- Hundreds of police officers belong to extremist Facebook groups, investigation finds Today 9:31 AM
- How to watch Tyson Fury vs. Tom Schwarz online Today 8:00 AM
- ‘Late Night’ is a disappointing, tepid comedy Today 7:00 AM
- How to stream ‘Love It or List It’ for free Today 7:00 AM
- How to watch the 2019 Concacaf Gold Cup online for free Today 6:55 AM
- Borderlands 3 preview suggests the aging series can still hang with the cool kids Today 6:30 AM
- How to stream the 2019 College World Series for free Today 6:00 AM
- Police try to solve domestic violence by giving victims blunt kitchen knives Friday 5:40 PM
- Privacy activist Ola Bini detained for 2 months in Ecuador without charges Friday 5:01 PM
- Twitter says suspending ‘God’ for a pro-LGBTQ tweet was an ‘error’ Friday 4:14 PM
The random-number generators that power Web encryption are dangerously weak
Someone should probably fix this.
Research presented at the Black Hat security conference in Las Vegas, Nevada, last week revealed that the Linux software used by the most widely used random-number generators does not spit out sufficiently random numbers. When the stream of numbers underlying encryption is not random, it makes it easier for hackers to break that encryption by predicting the number stream.
Software that spits out highly random numbers is said to possess a quality called entropy. But according to Bruce Potter, one of the computer scientists who conducted the study, the Linux servers that run the most popular random-number generators possess very low entropy.
“If there’s one theme in the work we did, it’s ‘no one really understands what’s happening…'”
These servers generate random numbers by processing reams of data and translating it into a number stream that encryption tools can use. The less data they have to process, the less random their output will be. Potter’s study found that they were relying on surprisingly little data.
Potter also noticed that these servers weren’t checking entropy levels, meaning that they weren’t verifying how reliable their random-number streams were.
Potter and Sasha Wood, a senior engineer at KEYW Corporation, where Potter is CTO, presented a talk called “Managing and Understanding Entropy Usage” at this year’s Black Hat conference. “If there’s one theme in the work we did,” they noted early in their presentation, “it’s ‘no one really understands what’s happening with respect to entropy and randomness in the enterprise.'”
Random-number generators are one of the least discussed but most crucial building blocks of the encryption that secures billions of people’s emails and documents. Attempts to undermine encryption have, in many cases, focused on these basic systems.
In 2006, the NSA built a pseudorandom-number generator whose output it could predict. The spy agency then convinced a government body to recommend its adoption across industries and federal agencies. That standard, called Dual_EC_DRBG, fatally compromised the encryption in every product that relied on it by exposing it to NSA surveillance. By applying its knowledge of how number generation worked, the NSA could defeat any encryption built on top of its standard.
The resulting disclosure of the “backdoor” in Dual_EC_DRBG forever changed the relationship between private security engineers and the government’s technical-standards group, called the National Institute of Standards and Technology (NIST). It is too early to know how businesses will change thanks to Potter and Woods’ research.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.