Digital securityProof of randomness for stronger future digital security
Nearly all secure online traffic — from shopping to banking to communications — relies on a technique of randomly generating a number that serves as a key to unlock encrypted communication. The problem is that small programming errors can make these systems vulnerable, and those vulnerabilities can often be very difficult to detect. In an effort to block emerging threats to online security, researchers have developed a method to verify the strength of random number generators that form the basis of most encryption systems.
In an effort to block emerging threats to online security, researchers at Princeton University have developed a method to verify the strength of random number generators that form the basis of most encryption systems.
Nearly all secure online traffic — from shopping to banking to communications — relies on a technique of randomly generating a number that serves as a key to unlock encrypted communication. The problem is that small programming errors can make these systems vulnerable, and those vulnerabilities can often be very difficult to detect.
“Whenever you connect up to Amazon to give them your credit card number, whenever you log in somewhere through a secure connection, you’re depending on randomly generated cryptographic keys,” said Andrew Appel, the Eugene Higgins Professor of Computer Science at Princeton and leader of the research team. “And if the adversary, the spy who is trying to read your messages or impersonate you, could guess what random number your computer was using, then it could know what key you’re going to be using and it could impersonate your traffic and read your messages.”
In a paper presented to the Association for Computing Machinery 2017 Conference on Computer and Communications Security, the researchers said it may be impossible to tell whether a number generator is compromised without examining the generators’ source code (and without proper methods, difficult to guarantee security even with access to the code). The programs, called Deterministic Random Bit Generators or DRBGs, are tested typically by analyzing their outputs, either statistically or by using a set of tests to check the results. But the researchers said these methods cannot guarantee the generators’ proper function.
“Despite the importance of DRBGs, their development has not received the scrutiny it deserves,” the researchers write in their article.
Princeton notes that although often called random number generators, these programs are actually pseudorandom number generators. The programs are algorithms that produce numbers that seem to be random and can practically work as random numbers for many applications. The DRBGs use a variety of methods to create a truly random number called a seed. The program then mathematically expands this seed into a much longer number. The long number is not actually random, but it must appear random enough that an adversary (who does not know the seed) can’t predict the output.