Have a Random New Year

Randomness is important.  You use it in the physical world when you shuffle a deck for a game of cards or roll a D12 for a result in Dungeons & Dragons.  But you need it even more in the digital world, and it's more difficult to come by.  You need randomness to select one-time-use keys that you share for symmetric encryption, to select strong passwords or passphrases, and to run fair online games such as poker and casino games.

The problem is that, for all the miraculous things it can do with random input, software is very bad at generating it.  Algorithms are deterministic, even if they are designed to be difficult to predict.  When you use a function like RAND() in Excel, or get randomized challenges in low-stakes gaming, you're usually getting the output of what's called a pseudo-random number generator (PRNG).  The PRNG takes a numerical value, called a seed, and generates a series of new values from it.  If the seed is known, then the new values are easy to predict.  If the seed is not known, it's a lot more difficult -- but not impossible.  If you reuse the same seed, you get the same sequence.  This property can be useful sometimes, for example, if you want to be able to reproduce a series of plays in a game.  But mostly, it's a very bad flaw in any process that needs randomness.
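The seed behaviour described above, as an added Python example that is not part of the original post: a token drawn from a seeded PRNG is reproduced exactly by the same seed, and a clock-derived seed can be found by checking every second in a known window, while a token from the operating system's CSPRNG has no such seed. The function names and the timestamp are constructed for illustration.

```python
import random
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def prng_token(seed: int, length: int = 16) -> str:
    """Token from a seeded PRNG (Mersenne Twister): fully determined by the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def csprng_token(length: int = 16) -> str:
    """Token from the OS entropy source; there is no seed to reuse or guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def find_seed(token: str, lo: int, hi: int):
    """Return the seed in [lo, hi] that reproduces token, or None.

    Models the "seed not known, but not impossible" case: a seed taken from
    a clock has only as many candidates as there are seconds in the window.
    """
    for seed in range(lo, hi + 1):
        if prng_token(seed, len(token)) == token:
            return seed
    return None

# Constructed sample: a token seeded with a Unix timestamp in seconds.
ISSUED_AT = 1_672_531_200  # 2023-01-01 00:00:00 UTC (constructed value)
SAMPLE = prng_token(ISSUED_AT)

def demo():
    # Same seed, same sequence: the token is regenerated exactly.
    same = prng_token(ISSUED_AT) == SAMPLE
    # Knowing only "issued within the last hour" leaves 3600 candidate seeds.
    recovered = find_seed(SAMPLE, ISSUED_AT - 3599, ISSUED_AT)
    # No seed in that window reproduces a CSPRNG token (a chance match
    # among 36**16 possible tokens is negligible).
    csprng_hit = find_seed(csprng_token(), ISSUED_AT - 3599, ISSUED_AT)
    return same, recovered, csprng_hit

if __name__ == "__main__":
    print(demo())
```

For keys, session tokens and passwords, use `secrets` (or `os.urandom`) and keep `random` for simulations and reproducible game replays.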

PRNGs are fine when it doesn't matter.  But when it matters you need to harness the unpredictability of the physical world.  One great Internet resource, random.org, uses atmospheric noise to generate its random numbers.  At that site, random bits are available anytime you want, in many forms.  Some are free and some are available to paid members.  It's an important function for the safety of the Internet as a whole, and it's worth supporting. Another use of physical randomness is in EFF's Dice passphrase scheme.  If you read the instructions, you'll see that they really don't want you using a computer -- which might be compromised -- in any step of the selection of a password/passphrase that matters. Internet companies have to generate thousands of strong keys per second for encrypted sessions.  Cloudflare, for example, found a very groovy way to solve this problem:

So my New Year's wish to you: keep it random!

This article was updated on 2023-05-13 10:18:04

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.