The Sad History of Random Bits
In this paper we examine the history of using random numbers in computer programs. Unfortunately, this history is sad because it is replete with disasters ranging from one of the first pseudo-random number generators, RANDU, being very bad to the most recent efforts by the NSA to undermine the pseudo-random number generator in RSA's BSAFE cryptographic library. Failures in this area have been both intentional and unintentional, but unfortunately the same sorts of mistakes are repeated. The repeated failures in getting our "random numbers" correct suggests that there might be some systemic reasons for these failures. In this paper we review some of these failures in more detail, and the 2006 Debian OpenSSL Debacle in great detail. This last event left users of Debian and its derivatives with seriously compromised cryptographic capabilities for two years. We also illustrate how this failure can be exploited in an attack. We also modify the concept of a system accident developed in the work of Charles Perrow . We identify some system failures in building pseudo-random number generators and offer some suggestions to help develop PRNGs and other code more securely.
G. Markowsky, "The Sad History of Random Bits," Journal of Cyber Security and Mobility, vol. 3, no. 1, pp. 1-26, River Publishers, Jan 2014.
The definitive version is available at http://dx.doi.org/10.13052/jcsm2245-1439.311
Keywords and Phrases
Bitcoin; Booby trap; BSAFE; Cryptography; Debian; Dual_EC_DRNG; PRNG; Pseudo-random numbers; Security breach; Software engineering; SSH; SSL; System accident
International Standard Serial Number (ISSN)
Article - Journal
© 2014 River Publishers, All rights reserved.
Creative Commons Licensing
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License