The strength of any cryptographic system lies in its keys – the random stream of bits used by the cryptographic algorithm to transform plain text into cypher text and back again. Recently, the strength of these keys – particularly those used in PKI – have come into question.
The secret to a secure key is the amount of randomness, or entropy, used in the generation of the key. Take a pack of 52 playing cards for example. In an unshuffled pack, although there are 52 variables, you know what card is coming next. If you shuffle the pack, the random nature of the sequence makes it harder to predict the next card as there are a much larger potential number of possibilities.
On a very basic level, it is this principle that is used in the generation of encryption keys. In the case of cryptography, it is the random number generator used to seed the key generator that creates the entropy. The greater the degree of entropy, the more secure the key is.
Of course, as you might expect, not all cryptographic systems are created equal. When it comes to entropy there is randomness and then there is true randomness.
When researchers reported last year that the encryption keys used by millions of web servers could be much weaker than they ought to be, people started to call into question just how secure the information on the web is.
The problem arises from how the keys are created. Most systems use a process called ‘pseudo random number generation’ (PRNG). Why ‘pseudo’? Because conventional computers cannot generate true randomness. Information from inputs such as mouse movements, keyboard pressures, disc interrupts or system timers are all placed into a ‘pool’ of numbers, from which a ‘seed’ is picked. This ‘seed’ is then used in the PRNG which generates the keys.
However, researchers found that these machines were not generating enough information to produce truly random numbers. There wasn’t enough entropy.
Lack of entropy was also to blame in the recent incident at Lumiere Place Casino, where hackers were able to predict when the casino’s slot machines were more likely to pay out by analysing and decoding the encryption pattern built into the software that controls them. This meant a four-person team could earn upwards of $250,000 from casinos with these machines in a single week.
Repetition also plays its part in weak key production. Research carried out by SEC Consult found that millions of devices worldwide are endangered because of HTTPS Certificates and SSH Keys being reused. From their research, they found that their data set of 580 keys contained the private keys of more than 9% of all HTTPS hosts on the web and 6% of all SSH hosts, unlocking the data of a large proportion of the World Wide Web.
Interestingly, ‘bad randomness’ was not the issue with this case. Instead, the problem stemmed from the same key being embedded in the systems that are used for providing HTTPS and SSH access to the device, so all devices on that firmware were using the same keys.
The answer doesn’t lie in software-generated, pseudo-randomness, but in hardware. However, not all hardware random number generators are created equal. Many hardware random number generators still rely on classical physics to produce what looks like a random stream of bits. In reality, determinism is hidden behind complexity for RNGs that do not exploit quantum physics.
Contrary to classical physics, quantum physics is fundamentally random. It is the only theory within the fabric of modern physics that integrates randomness. Quantum Random Number Generators (like the Quantis range from IDQ) use these quantum-random properties to generate truly random numbers.
In addition, Quantum random number generators (QRNG) have the advantage over conventional randomness sources of being invulnerable to environmental perturbations and of allowing live status verification.
Discover more about random number generation in our white paper: What is the Q in QRNG?