While you’ll usually catch me discussing Cisco’s latest networking hardware or looking into the depths of Internet routing protocols, this post is about cryptography. More specifically, random numbers and cryptography: I think a few people might not realise how important random numbers are to keeping information secure.

Randomly insecure

Random numbers matter for cryptography because they’re used to generate the encryption keys, nonces and other secrets that a secure connection depends on. To take a very basic approach: if the numbers don’t have enough randomness, or entropy, then an attacker can enumerate every value the ‘random’ source could have produced and try each one until the key is found, after which they can decrypt everything that was encrypted with that key. Suddenly, your secure communications aren’t so secure.

Random enough

It may seem obvious, but computers are designed to calculate. Indeed, the first electronic and mechanical computers were just that – deterministic calculators designed for accuracy and speed. Put two numbers in, instruct the computer to add them and the result will be the sum of the two numbers. Each time you ask the same question, you’ll get the same answer. All modern computing has grown from this basic principle, and therefore getting a computer to produce anything genuinely unpredictable is quite a challenge.

So instead of a difficult-to-obtain truly random number, we use numbers that look (and mostly behave) like random numbers. They’re called pseudorandom numbers and are created by pseudorandom number generators, or PRNGs. A PRNG starts from a single input value, called a seed, and expands it with a deterministic algorithm into a long sequence of seemingly random numbers; feed it the same seed and you get the same sequence every time. The algorithm behind the default generator in many modern languages, including Ruby, PHP (mt_rand) and Python, is the Mersenne Twister. It has excellent statistical properties, but it is documented as unsuitable for cryptography: each output is a simple, reversible transformation of one word of its internal state, so anyone who observes 624 consecutive 32-bit outputs can reconstruct the whole state and predict every value that follows. It’s fine for games or art, not for keys, tokens or nonces.
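To show what “insufficiently secure for cryptography” means in practice, here is an added example (my own code, not from the original post) that recovers the Mersenne Twister state from 624 observed outputs and predicts the generator’s future output. It uses Python’s `random` module as the victim, since Python’s default generator is the same MT19937 that Ruby and PHP’s mt_rand use; the function names, the seed values and the idea of skipping some outputs first are my own choices. Because the MT19937 update is a uniform recurrence over the output sequence, any 624 consecutive outputs will do, not just a block aligned to the generator’s internal buffer.

```python
"""Recover MT19937 state from 624 consecutive 32-bit outputs and predict
the outputs that follow.  Added example; Python's `random` is MT19937."""
import random

N, M = 624, 397          # MT19937 state size and middle word
MASK32 = 0xFFFFFFFF


def temper(y):
    """MT19937 output tempering: the only thing between state and output."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y):
    """Invert temper(); every step is an invertible xor-shift."""
    y ^= y >> 18                     # shift of 18 >= 16 bits: self-inverse
    y ^= (y << 15) & 0xEFC60000      # feedback lands above bit 31: self-inverse
    x = y
    for _ in range(5):               # recovers 7 more bits per pass (32 total)
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & MASK32
    x = y
    for _ in range(3):               # recovers 11 more bits per pass
        x = y ^ (x >> 11)
    return x & MASK32


def twist(mt):
    """Advance a 624-word window of the sequence in place, exactly as the
    reference MT19937 "generate N words" step does.  Works for any window
    of 624 consecutive words because the recurrence is uniform."""
    for i in range(N):
        y = (mt[i] & 0x80000000) | (mt[(i + 1) % N] & 0x7FFFFFFF)
        mt[i] = mt[(i + M) % N] ^ (y >> 1)
        if y & 1:
            mt[i] ^= 0x9908B0DF
    return mt


def predict_next(outputs, count):
    """Given 624 consecutive 32-bit outputs, return the next `count` outputs."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]   # observed outputs -> state words
    predicted = []
    while len(predicted) < count:
        twist(state)
        predicted.extend(temper(w) for w in state)
    return predicted[:count]


def demo(seed=1234, count=10, skip=0):
    """Attacker's view: discard `skip` outputs (we joined mid-stream), observe
    624, predict `count` more, then compare with what the victim really
    produces next.  Returns (predicted, actual)."""
    victim = random.Random(seed)                 # constructed victim generator
    for _ in range(skip):
        victim.getrandbits(32)                   # outputs we never saw
    observed = [victim.getrandbits(32) for _ in range(N)]
    predicted = predict_next(observed, count)
    actual = [victim.getrandbits(32) for _ in range(count)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo(seed=1234, count=10, skip=100)
    print("prediction matches victim:", predicted == actual)
```

The seed never enters the attack: nothing about the victim was guessed, only observed. A CSPRNG such as the one behind `secrets` or `os.urandom` is designed precisely so that no amount of observed output lets you run this kind of inversion.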

Happily, there exist cryptographically secure PRNGs (CSPRNGs) that both seed themselves from unpredictable external events and use a construction whose output reveals nothing useful about the internal state. For example, /dev/random and /dev/urandom (found in most Unix-like operating systems) are fed by the kernel’s entropy pool, which collects timing jitter from sources such as interrupts, keyboard and mouse input, disk activity and, where one is present, a hardware random number generator. While the resulting numbers are not truly random, they are viewed in most circumstances as random enough, or having high enough entropy, for cryptography, which is why key material should be drawn from the operating system’s CSPRNG (through getrandom(), /dev/urandom or a language wrapper such as Python’s secrets module) rather than from the language’s default generator.

Truly random

True random number generators use natural sources to generate random numbers, such as cosmic background radiation or radioactive decay, with the raw samples post-processed to remove bias. More recently, research has gone into ways true randomness could be achieved more easily and less expensively. At London’s recent RIPE meeting, discussion took place regarding the use of overdriven transistors to generate true random entropy. This could end up being a great low-cost source of entropy, increasing information security for everyone.

With all the technology currently available, true random numbers without extra hardware are still quite a challenge for computers and not yet a solved problem. I hope that this changes soon for the good of the Internet as a whole.