- The giant battle episode of ‘Game of Thrones’ is nearly here Sunday 10:12 PM
- ‘Game of Thrones’ finally revealed the Night King’s endgame Sunday 9:53 PM
- Sri Lankan government shuts down social media in wake of deadly blasts Sunday 7:56 PM
- Amazon Flex drivers now must use selfies to verify identity Sunday 6:34 PM
- #GentrifyingGeorge thinks 152-year-old HBCU should ‘just move’ Sunday 5:27 PM
- Watch out! Tonight’s episode of ‘Game of Thrones’ leaked online (updated) Sunday 3:32 PM
- Videos of people working may be the best thing on TikTok right now Sunday 1:46 PM
- How to watch ‘Game of Thrones’ season 8, episode 2 for free Sunday 7:00 AM
- Gendry is making a new weapon for Arya Stark—but what is it? Sunday 6:30 AM
- The live-action Halo series could be Showtime’s most ambitious project yet Sunday 6:00 AM
- How to watch Turner Classic Movies for free Sunday 5:30 AM
- How to watch Real Madrid vs. Athletic Bilbao online for free Sunday 5:00 AM
- ‘Star Trek’s Jonathan Frakes calls out your lies with this new meme Saturday 3:46 PM
- #JusticeForLucca trends after video shows police slam Black teen’s head into pavement Saturday 3:11 PM
- The internet is shocked to learn that Goombas do, in fact, have arms Saturday 2:02 PM
The random-number generators that power Web encryption are dangerously weak
Someone should probably fix this.
Research presented at the Black Hat security conference in Las Vegas, Nevada, last week revealed that the Linux software used by the most widely used random-number generators does not spit out sufficiently random numbers. When the stream of numbers underlying encryption is not random, it makes it easier for hackers to break that encryption by predicting the number stream.
Software that spits out highly random numbers is said to possess a quality called entropy. But according to Bruce Potter, one of the computer scientists who conducted the study, the Linux servers that run the most popular random-number generators possess very low entropy.
“If there’s one theme in the work we did, it’s ‘no one really understands what’s happening…'”
These servers generate random numbers by processing reams of data and translating it into a number stream that encryption tools can use. The less data they have to process, the less random their output will be. Potter’s study found that they were relying on surprisingly little data.
Potter also noticed that these servers weren’t checking entropy levels, meaning that they weren’t verifying how reliable their random-number streams were.
Potter and Sasha Wood, a senior engineer at KEYW Corporation, where Potter is CTO, presented a talk called “Managing and Understanding Entropy Usage” at this year’s Black Hat conference. “If there’s one theme in the work we did,” they noted early in their presentation, “it’s ‘no one really understands what’s happening with respect to entropy and randomness in the enterprise.'”
Random-number generators are one of the least discussed but most crucial building blocks of the encryption that secures billions of people’s emails and documents. Attempts to undermine encryption have, in many cases, focused on these basic systems.
In 2006, the NSA built a pseudorandom-number generator whose output it could predict. The spy agency then convinced a government body to recommend its adoption across industries and federal agencies. That standard, called Dual_EC_DRBG, fatally compromised the encryption in every product that relied on it by exposing it to NSA surveillance. By applying its knowledge of how number generation worked, the NSA could defeat any encryption built on top of its standard.
The resulting disclosure of the “backdoor” in Dual_EC_DRBG forever changed the relationship between private security engineers and the government’s technical-standards group, called the National Institute of Standards and Technology (NIST). It is too early to know how businesses will change thanks to Potter and Woods’ research.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.