The Sad History of Random Bits
Abstract
In this paper we examine the history of using random numbers in computer programs. Unfortunately, this history is sad because it is replete with disasters, ranging from one of the first pseudo-random number generators, RANDU, being seriously flawed, to the most recent efforts by the NSA to undermine the pseudo-random number generator in RSA's BSAFE cryptographic library. Failures in this area have been both intentional and unintentional, but unfortunately the same sorts of mistakes are repeated. The repeated failures in getting our "random numbers" correct suggest that there might be some systemic reasons for these failures. In this paper we review some of these failures in more detail, and the 2006 Debian OpenSSL Debacle in great detail. This last event left users of Debian and its derivatives with seriously compromised cryptographic capabilities for two years. We also illustrate how this failure can be exploited in an attack. We also modify the concept of a system accident developed in the work of Charles Perrow [1]. We identify some system failures in building pseudo-random number generators and offer some suggestions to help develop PRNGs and other code more securely.
Recommended Citation
G. Markowsky, "The Sad History of Random Bits," Journal of Cyber Security and Mobility, vol. 3, no. 1, pp. 1-26, River Publishers, Jan 2014.
The definitive version is available at https://doi.org/10.13052/jcsm2245-1439.311
Department(s)
Computer Science
Keywords and Phrases
Bitcoin; Booby trap; BSAFE; Cryptography; Debian; Dual_EC_DRBG; PRNG; Pseudo-random numbers; Security breach; Software engineering; SSH; SSL; System accident
International Standard Serial Number (ISSN)
2245-1439
Document Type
Article - Journal
Document Version
Citation
File Type
text
Language(s)
English
Rights
© 2014 River Publishers, All rights reserved.
Creative Commons Licensing
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License
Publication Date
01 Jan 2014