Comments on: Are random numbers a solved function?

By: C.L. @ LI

C.L. @ LI — Sun, 27 May 2012 16:22:55 +0000

@Ray – I agree mostly, but when it comes to manufacturing of devices and properly provisioning them for exclusive, protected use with services at a later time, the black-hat argument is moot. So I’m with Emilio – it’s all about context. In the wild, hackers will do their thing, but to sell a product that supports various DRM schemes, for instance, so you can make money on services later – an entropy register in an SoC will typically suffice as a starting point for a security model, and will definately be better than a PRNG. Please note I said a starting point. Proper provisioning and use of OTP fuses is also pretty vital.

If your manufacturing line doesn’t have a V&I station at board level test to ensure that rails are properly biased and you can’t shell out the cash for proper enclosures to block out UV and EMI during manufacturing, you definately have not only a system security issue on your hands but a pretty severe OPS process issue and I would want to buy the product or sign up as a partner to deliver content on the device.

By: Mario

Mario — Tue, 10 Apr 2012 07:22:51 +0000

Check out QRBG121 if you need a fast physical RNG not plagued by black cats or hats or whatever. Each bit has almost unity entropy, while PRNG has a constant, small entropy and you get none past number bits equal to that entropy. Even so, most of the entropy comes from the seed and if you do not have physical RNG to make the seed you are left with virtually no entropy. In cryptography, due to the Kerckhoffs principle entropy of any PRNG is at equal to the length of the seed and an enemy has only to gues the seed, not the whole “random” sequence. In pactice, due to the fact that all important classes of PRNG’s have been cryptanalyzed, given a small number of output bits one is able to calculate all parameters of a RNG and continue the sequence.

Imagine this: you produce a lot of numbers applying a mathematical formula starting from a single number. So you know that al these numbers are connected by a simple math formula. Then suddenly you pretend you suffered amnesia and ask your self whether these are random. Then you test them and finding no flaws you conclude they are random. Isn’t that really a stupid game ? I know, people play other stupid games too. For example they buy a (worhtless) ticket and then all money is gathered and given to one lucky poor idiot somewhere in another state. And then they do it again ! There is roughly the same amount of intelligence and learning ability involved in both games….

I believe that future is in abandoning PRNGs for any use. They have been serving us as a temporary solution (in absence of a better one) for far too long. It is clear that a PRNG is not random by definition and that too much human intellectual energy has been wasted on a futile topic already.

By: E.R. @ LI

E.R. @ LI — Sat, 17 Mar 2012 00:32:36 +0000

This is one of those meaningless questions without a better context. For most applications of ‘random’ the answer is they are more than good enough. Security is a system issue and seldom a problem with the RNG. A few people out on the edges of statistics need a H/W RNG.

By: J.U. @ LI

J.U. @ LI — Sat, 17 Mar 2012 00:32:15 +0000

@Jeremy – I certainly wouldn’t use a pseudo-random number generator when security is the issue. However, for software verification/validation testing, repeating the exact input sequence which elicites a supposedly fixed bug can be useful.

By: J.S. @ LI

J.S. @ LI — Sat, 17 Mar 2012 00:29:51 +0000

I don’t really understand why people still insist on using software PSEUDO random number generators, which are difficult to implement correctly,poorly understood and are at best poor sources of entropy, when you can simply use a real random source such as a reverse biased P-N junction followed by some form of hash function to produce a very good random number generator with very high entropy per bit.

By: J.K. @ LI

J.K. @ LI — Tue, 13 Mar 2012 15:08:57 +0000

Using the RTC has been a practice for a long time. It’s clearly not secure (some early online gaming sites that used it have been seriously cheated) but it’s a quick and lazy way to get different number sequences from different runs. Not secure, but sometimes useful.

By: D.S. @ LI

D.S. @ LI — Tue, 13 Mar 2012 15:08:40 +0000

I’ve seen one of these PRNG algorithm that generates the number from the date stored in RTC as a salt. I don’t consider it safe and why would people do that. What do you think?

By: JSN @ LI

JSN @ LI — Tue, 13 Mar 2012 15:08:25 +0000

Along the lines of what Ray is saying, RSA’s public stance is that their algorithm is “secure”, but a lot of implementations use weak RNGs…

By: RVDW @ LI

RVDW @ LI — Mon, 12 Mar 2012 01:34:10 +0000

PRNGs are OK for things like filling memory or averaging the power direction of a communication line. I especially like to use a PRNG to “expand” true random numbers by using the true random numbers as a seed. PRNGs are usually much faster than the cheap hardware random number generators in SOCs.

For encryption, even hardware RNGs are not random enough, because black-hats can bias power rails, apply UV or electric fields, etc. They need to be supplemented with XORed multiple sources using different methods.

By: J.V. @ LI

J.V. @ LI — Sun, 11 Mar 2012 05:52:31 +0000

Sometimes I’ve put in a hook for using different PRNGs and compared them. If I’m getting very different behavior then how sensitive is the result to the assumptions I’m making? It could be that assuming completely random behavior is not a valid assumption. So I might try a very “good” PRNG, a fairly lousy PRNG that still has some good distribution qualities, and maybe also a custom-made PRNG that allows me to model some observed behavior that may or may not be typical. At least I might get a sense of how sensitive the simulation is to the model of randomness I’m using. The other things that could be done (and this may pose some other difficulties for embedded software) is to have the RNG wrapper pull from recorded data generated from a physical random source, instead of calculating the values… You can “replay” the run nondeterministically and still potentially have a run that is uncontaminated by the inherent order lurking in a PRNG. If there is a limit on how much recorded data that can be accessed, there may be some algorithmic ways of extending the period of a run based on recorded data.