The randomness (or rather, lack thereof) of pseudo-random number generators (PRNGs) is a persistent pain for those who work at the low layers of cryptography.
Security researcher Bruce Potter, whose work in the field stretches back more than a decade to a demonstration of war-driving over Bluetooth, says problems in both design and implementation undermine the effectiveness of common crypto libraries.
Now Potter's work (his BlackHat presentation is here [PDF]) has led to the claim that nobody really understands what's going on.
Part of the problem, he writes, is that people tend to conflate “entropy” with “randomness”, when in fact the two mean different things: entropy is a measurement of the uncertainty of an outcome, while randomness is a long-term assessment of entropy.
Launching his organisation's own attempt at entropy generation, Potter offered tests showing performance from common entropy sources that ranged from 1.94 bits/s of entropy up to 12.6 bits/s.
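As an added illustration of the distinction Potter draws (this is not code from his presentation or from libWesEntropy), the following Python estimates the per-sample entropy of a constructed noise source two ways, Shannon (the average) and min-entropy (the worst case a seed should be credited with), and converts it into the bits-per-second figure the presentation uses; the sample streams and the 10 polls/s rate are assumptions.

```python
"""Estimate how much entropy a sampled noise source actually yields.

Added example, not code from Potter's presentation or libWesEntropy.
It assumes a source that emits one 8-bit sample per poll at a known poll
rate and compares Shannon entropy (the average) with min-entropy (the
worst case, which is what a seed should be credited with).
"""
import math
import random
from collections import Counter


def shannon_entropy(samples):
    """Average information per sample, in bits."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def min_entropy(samples):
    """Min-entropy per sample, in bits: -log2 of the most likely value's rate."""
    most_common = Counter(samples).most_common(1)[0][1]
    return -math.log2(most_common / len(samples))


def entropy_rate(samples, polls_per_second, estimator=min_entropy):
    """Entropy delivered per second of polling, using the chosen estimator."""
    return estimator(samples) * polls_per_second


def seconds_for_seed(samples, polls_per_second, seed_bits=256):
    """How long the source must be polled to credit seed_bits of min-entropy."""
    rate = entropy_rate(samples, polls_per_second)
    return math.inf if rate == 0 else seed_bits / rate


# Constructed sample streams (not real measurements): a timer-jitter style
# source that mostly returns the same value, and a much flatter source.
_rng = random.Random(1)
SKEWED = [0 if _rng.random() < 0.9 else _rng.randrange(256) for _ in range(10000)]
FLAT = [_rng.randrange(256) for _ in range(10000)]

if __name__ == "__main__":
    for name, src in (("skewed", SKEWED), ("flat", FLAT)):
        print(f"{name}: shannon={shannon_entropy(src):.2f} b/sample, "
              f"min={min_entropy(src):.2f} b/sample, "
              f"{seconds_for_seed(src, polls_per_second=10):.1f} s for a 256-bit seed")
```

The skewed source shows why crediting a seed with Shannon entropy overstates it: its min-entropy is a fraction of a bit per sample, so gathering a 256-bit seed at 10 polls/s takes minutes, not seconds.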
Even unloaded, he writes, a Linux server's operating system activity gets in the way of entropy: “the kernel can consume up to 256 bits of entropy each time you start a process”, the presentation states, so “even without doing 'crypto' there is constant pressure on the entropy pool”.
The outcome of this is that it's hard to get good seeds when a server needs them.
And – this won't be a surprise, El Reg guesses – using PRNGs demands too much attention to detail from sysadmins. As an example, take an Apache server using OpenSSL.
“OpenSSL only seeds its internal PRNG once per runtime”, and for a long-running process like a Web server, Apache will source the nonces and keys it needs “from the same PRNG that is never reseeded”.
“OpenSSL does not check to see the quality of the entropy when it polls /dev/urandom”, Potter writes, either when it's used as a library or at the command line.
Speaking to the BBC, Potter said the research “scared” him and co-author Sasha Wood.
The beta of Potter's open source work, libWesEntropy, is at Whitewood Encryption, here. ®