Why Random Numbers Are Important For Security

 

Kurt Seifried, [email protected], Copyright Kurt Seifried 2000


January 26, 2000 - Modern computer security requires some level of encryption to be applied to various kinds of data, for example secure web transactions, or SSH. But something that often goes ignored is the fact that all good crypto relies on some degree of randomness, which if not fulfilled properly can lead to a significant loss in the strength of encryption.

Most encryption algorithms require a source of random data, even some symmetric ciphers (where the secret is shared), either to generate new private/public keypairs, for session keys, for padding, or for other reasons. Most computers do not have a hardware based random number generator (RNG) available, so programmers have had to resort to software based techniques, to generate random numbers as best they can. Because these random numbers are generated in software, they are very rarely truly random, they are typically pseudo random (that is they appear random, but are not totally random). To generate random data you need a source of entropy, or random input. Some software RNG's will ask you to move the mouse, or type on the keyboard as a source of that entropy, others will take events such as hard drive activity, or network activity for their source of entropy. This typically works quite well for end user workstations (for example generating keypairs in PGP for Windows, or /dev/random in UNIX), but can be a problem in some cases, such as diskless network appliances with a network card, some flash ram, and a CPU. A network appliance that performs encryption (increasingly popular as VPN's grow) has no good sources of entropy, apart from network based events, which an attacker could manipulate to their advantage. Hardware RNG's produce truly random data (well close enough that analysis can't prove it otherwise), and software RNG's do not.

So why is this important? Well your 168 bit 3DES encryption of network packets might not be working as advertised if the random data it uses to perform the encryption isn't truly random. If you are moving sensitive corporate data over the VPN, a good hardware based RNG is worth the money as compared to your R&D plans being snagged by a competitor. Additionally most software based RNG's cannot create a lot of good data (most hardware based RNG's as well have limits), so if the machine is carrying a heavy crypto workload (say multiple tunnels, or many SSL based connections for an e-commerce site) you might need to purchase one of the higher end (and consequently more expensive) hardware based RNG's. While expensive, a good hardware RNG can result in a lower insurance rate for e-commerce sites and similar endeavors (generally speaking the more money you spend making something safer the likelier an insurance company is to insure it at a reasonable rate). Please note however that while a hardware based RNG will increase security, it can be rendered useless if there are other flaws in the system (say storing credit card numbers in a text file). Properly deployed a hardware RNG is a good security enhancement.

So just how does a hardware RNG work? I'm glad you asked (or this article would be too short to post). Generally speaking there are a few things that generate random events that you can measure and are truly random. One of the best sources of random events is radioactive decay, however there are some major problems with this, such as getting radioactive material, storing it safely, and getting your boss to sign the PO. There are also numerous laws regarding the purchase, transport, and so on of radioactive material, so generally speaking unless you are a government or major corporation this is out of reach. A good alternative that is popular with some manufacturers (due to it's minimal power requirements) is to measure the thermal noise of a resistor. One example of this is Intel, whose 810 chipset (and future 8xx chipset) has a built in hardware RNG, which can be accessed via software such as RSA's BSAFE Crypto-C and Crypto-J products (essentially RSA components for software like secure web servers that use SSL). There are several problems with the Intel hardware RNG, the primary one being that you must access the RNG through a software component that Intel charges a licensing fee for (I assume if you have to ask what it costs you are to poor to pay for it), so chances are it will not be available for Linux, *BSD and other OpenSource operating systems. A similar device is the ComScire QNG hardware RNG, which uses the same technique (measures thermal noise in a resistor) and connects to the computer via a parallel port, it generates 10 to 20 kilobits per second, which would be suitable for a medium sized secure web server or similar. The main advantage of this product however is the ease of use, plug it into the parallel port, install some drivers and off you go (drivers are only available for DOS and NT from the company, however there are independently written Linux drivers available and they will give you the necessary technical specifications to write drivers if you ask), so you can use it on an existing system (for example as an upgrade to an existing e-commerce server), this device is also relatively inexpensive, at $295 USD. The next major family is based on an electrical circuit consisting of several transistors or diodes that are wired up in such a way that they generate random electrical noise. This can then be fed straight into an serial port with a good UART, or some additional hardware can translate it into a string of bits and feed it to a serial or parallel port. The advantage of these is they are ridiculously easy to design and manufacture, using commodity parts (you can build your own with minimal effort), and the simpler something is, the easier it is to audit and protect. There are a variety of these on the market, the SG100 being a good example, it produces a stream of noise which is fed directly to the serial port, the UART converts it into digital form and then software can make use of the bitstream. This product is extremely cheap (at $140 USD), and software examples are available (so it's the only hardware RNG that will support UNIX easily I believe, the rest only seem to support MS products).

Summary

Most people don't need a hardware based random number generator, but the need is growing. As e-commerce grows in popularity and consumers start pounding on your site, chances are the random data used to establish session keys and the like will be of reduced quality (especially at peak times). However the real area where hardware RNG's will be needed is for IPSec (IP Security, encrypted TCP-IP networks), especially for high security environments where connections are rekeyed often and there are many connections (like 300 remote users telecommuting to work). While the chances of an attacker intercepting the data stream and decrypting it - as opposed to just breaking in to your server, are slim, the possibility exists (and will grow in future).
Kurt Seifried ([email protected]) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.

 

http://www.protego.se/sg100_en.htm - SG100 random number generator
http://home.rmi.net/~comscire/ - ComScire QNG random number generator
http://bukharin.hiof.no/~hnh/qng/qng.c - ComScire QNG source code for Linux
http://valley.interact.nl/av/com/orion/home.html - ORION random number generator
http://www.fringeware.com/AtomAge/ - Atom-Age random number generator
http://www.tundra.com/index_prod.cfm?tree_id=100385 - Random bit generator in a chip
http://www.intel.com.ec/design/chipsets/rng/faq.htm - General Intel documentation on their hardware RNG
http://www.rsasecurity.com/products/bsafe/intel/ - Press release on the RSA software that can use the Intel RNG
http://world.std.com/~wware/hw-rng.html - Random noise generator information
http://webnz.com/robert/true_rng.html - Random number generators information


Back

Last updated 6/24/2002

Copyright Kurt Seifried 2000