Q: Do you need a truly random number to ensure your cryptographic keys are safe?
Obviously there is a lot more to ensuring that your cryptographic keys are safe than random numbers, but for the sake of this blog I'd like to start with just the basics, and the basics of key generation, random number generation, involve a very compelling aspect of mathematics.
If you think of a number between one and ten and then ask me to guess that number, is your choice of number random? What if you pick a number between one and ten zillion? Can a human really pick a random number, and if you pick the same number twice because it is easy for you to remember, does this repetition eradicate the randomness of your choice? These are just some of the questions that come to mind when thinking about random number generation (and of course entropy). There are supercomputers and some really clever software programs that can pick a number which is random, and there are numerous series of zeros and ones, digital choices, that are more or less random than those that rely on the quirks and subtle nuances found in the ever-shifting nature of ambient noise, electrical pulsations or the ever elusive behaviour inherent in quantum mechanics. These are just some of the complex theories and pursuits of mathematicians and physicists, but I'd like to break the theory of random numbers down for the rest of the world, so let's begin with this very basic question: is it possible to create a random number that is so incredibly random that it cannot ever be guessed? A number that random is exactly what's required if your intention is to create a cryptographic key that cannot be cracked, which is essential if you want to keep your information locked down in such a way that no one can ever break in and see your key 'in the clear'. If you want to ensure you have absolute privacy and security when dealing with cryptographic key generation there is only one way to do this, and it requires an initial 'seed' that is picked randomly. Absolutely randomly. For this number to be truly random you need to go beyond dice, software or pseudo-random number generation. You need to rely partially on some of the most basic aspects of physics, and you don't need a PhD to understand it.
Think of the coin game, heads or tails. It is generally accepted that the result of heads or tails is random, but the randomness of the coin toss actually comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs. But what would happen if the coin were flipped so that it was possible to watch it spinning in the air, or if we knew the initial orientation of the coin and were able to count the number of times it turned before being caught? Then we could predict the outcome of the flip and possibly determine which side of the coin would be face up. We could no longer call it a random event. In security applications where there is a real risk of financial or physical consequence, hardware generators are preferred over random algorithms. Personally I find the use of 'pseudo' and 'random' together in the same phrase to be a bit suspect.
Let's consider the two principal methods used to generate random numbers. The first method, True Random Number Generation, measures some physical phenomenon known to be absolutely random. [Any bias in the measurement process must also be dealt with to ensure true random output.] Examples of this might be measuring atmospheric noise, ambient noise and other electrical and/or quantum phenomena. There is no discernible pattern in true random number generation, therefore each of these examples can be counted on to produce something that is truly random. Each and every time a reading is taken you will consistently come across a different output. A random number generator based on deterministic computation can never be seen as truly random, because the output is inherently predictable if all seed values are known. In practice and for many applications this can be seen as "random enough." Sure, sometimes it's fine to have a file cabinet that locks, and other times this file cabinet requires a locked door, an alarm system, video surveillance and a team of armed guards surrounding the building.
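The bracketed point above about measurement bias, and the point that a deterministic generator is reproducible from its seed, illustrated with added example code that is not part of the original post. All names are my own, and the "physical source" is a constructed simulation with a fixed seed so that the run repeats.

```python
import random, secrets

def biased_source(n_bits, p_one=0.8, seed=1234):
    """Constructed stand-in for a biased physical source (say a noise diode
    whose comparator threshold sits off-centre). The fixed seed only keeps this
    demo reproducible; a real TRNG reads hardware here instead of a PRNG."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]

def fraction_of_ones(bits):
    """Simplest health check on a bit stream: a fair source sits near 0.5."""
    return sum(bits) / len(bits) if bits else 0.0

def von_neumann(bits):
    """Von Neumann extractor: read bits in pairs, output 0 for 01 and 1 for 10,
    discard 00 and 11. Exactly unbiased if the input bits are independent with
    a constant bias; it does NOT repair correlated or drifting sources."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]

def debias_demo(n_bits=20000):
    """Bias before and after extraction, plus the throughput price paid."""
    raw = biased_source(n_bits)
    clean = von_neumann(raw)
    return {"raw_bias": fraction_of_ones(raw),
            "clean_bias": fraction_of_ones(clean),
            "yield": len(clean) / len(raw)}   # about 2*p*(1-p)/2 = 0.16 for p = 0.8

def key_from_prng(seed, n_bytes=16):
    """Deterministic generator: anyone who knows the seed reproduces the 'key'."""
    return random.Random(seed).getrandbits(8 * n_bytes).to_bytes(n_bytes, "big")

def key_from_os(n_bytes=16):
    """What to use instead for real keys: the OS CSPRNG, which is itself
    seeded from hardware noise sources."""
    return secrets.token_bytes(n_bytes)
```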
The other principal method to consider is Pseudo Random Number Generation, one example of which is Dual_EC_DRBG, which relies on an elliptic curve. After careful study and analysis it was determined that the random number produced by this method is actually not random at all, because the curve parameters themselves make the output predictable. Here's how it works: Dual_EC_DRBG includes a list of constants that are used to define an elliptic curve on which the random number generator is based. These constants have a relationship with a second, secret set of constants that can act as a type of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. So much for total secrecy. You are now wide open to attack, and this is, without question, a 'back door'.
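The skeleton-key relationship described above, modelled as added example code that is not from the original post, on the textbook curve y^2 = x^3 + 2x + 2 over GF(17) with constructed constants: Q is the curve's generator and the second constant is P = d*Q for a made-up secret d = 3 (the real generator runs on P-256 and truncates each output, which the toy omits). Knowing d turns a single output back into the generator's next internal state, which is exactly why the provenance of such constants matters.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + 2x + 2 over GF(17),
# which has 19 points and generator (5,1). Constructed toy parameters only.
MOD, A, B = 17, 2, 2
Q = (5, 1)        # public constant 1 (here: the curve's generator)
SECRET_D = 3      # the 'skeleton key' that only the designer knows

def ec_add(p1, p2):
    """Curve group law; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % MOD, -1, MOD) % MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % MOD, -1, MOD) % MOD
    x3 = (lam * lam - x1 - x2) % MOD
    return (x3, (lam * (x1 - x3) - y1) % MOD)
def ec_mul(k, pt):                       # double-and-add
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def x_of(pt):
    return 0 if pt is None else pt[0]    # toy convention for infinity

P = ec_mul(SECRET_D, Q)  # public constant 2; the hidden relation is P = d*Q

def dual_ec(seed, n_out, P=P, Q=Q):
    """Core: state s <- x(s*P), emit r = x(s*Q). (Real Dual EC truncates r.)"""
    s, outs = seed, []
    for _ in range(n_out):
        s = x_of(ec_mul(s, P))
        outs.append(x_of(ec_mul(s, Q)))
    return outs
def lift_x(r):
    """A curve point with x == r (brute force is fine over GF(17))."""
    rhs = (r ** 3 + A * r + B) % MOD
    return next(((r, y) for y in range(MOD) if y * y % MOD == rhs), None)
def predict_with_backdoor(r, d, n_out, P=P, Q=Q):
    """One output r plus d gives d*(s*Q) = s*P: the generator's NEXT state,
    so all later outputs follow. Either lift of r works since x(d*R) = x(-d*R)."""
    s = x_of(ec_mul(d, lift_x(r)))
    outs = []
    for _ in range(n_out):
        outs.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return outs
```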
If your requirement is to ensure there is absolutely no possible way to access that key, then only True Random Number Generation will suffice. So if you really want to be certain that your cryptographic keys are safe there is only one option: True Random Number Generation. You want to ensure that your random number actually is random; otherwise you won't be secure, and access could be just a few quick calculations away. Keep your keys in lockdown mode and insist on True Random Number Generation when your situation requires absolute certainty. Your Hardware Security Module is only as secure as its approach to the (somewhat) simple concept of 'what is random'. Absolute security is what you want in an insecure world, and total assurance that what is 'random' truly is random, so that your keys remain safe.
If you attended the Cartes show in Paris November 19th – 21st, 2013, https://www.cartes.com/ you might have caught me at our booth at Hall 4 M082. I gave a series of short talks about True Random Number Generation.