Security is weakened because random numbers are not random enough
A lot of security systems are based on random numbers, prime numbers, or a combination of the two. But generating random numbers is not as random as you might expect -- or hope -- and it relies on sources of broadly random data that can be used as a starting point. The problem is that these sources of data are not large enough.
The entropy of data generated by Linux servers -- which are the backbone of much of the internet -- is, says security expert Bruce Potter, too low. Speaking at Black Hat USA 2015 -- an event which has already seen the unveiling of the Thunderstrike 2 firmware malware and the Stagefright-beating Certifi-Gate Android vulnerability -- Potter warns that the low entropy problem means that seemingly random numbers could in fact be easier to guess or crack than first thought.
Researcher Sasha Moore worked with Potter on a study into random number generation, and the pair were surprised and worried by what they discovered. As reported by the BBC data for random number generation comes from a number of sources, including translating mouse and keyboard movements into binary code. The study found that the data streams generated by many Linux servers not only had low entropy, but also was not tested rigorously enough.
These pools often ran dry leaving encryption systems struggling to get good seeds for their random number generators. This might meant they were easier to guess and more susceptible to a brute force attack because seeds for new numbers were generated far less regularly than was recommended.
Random numbers are used for more than just encryption and data scrambling. They can also be used to randomize the order in which tasks are performed, where data is stored, and many other things that need to be difficult to guess to increase security.
Potter's work uncovered the inner workings of encryption systems used by popular web servers. The previously unknown aspects of the system gave cause for concern. Potter said:
That scared us because when you have unknowns in crypto that's when things go sideways.
With much of the world's business now conducted online, and all of this reliant on encryption and random numbers, the exposure of any weaknesses in the system that are used could have huge ramifications.