TryTRY
BuyBUY
Utimaco
de
TRYour free HSM simulator
BUYget a quote

Next event

24/07 | Webinar

Webinar: Securing Transactions in the Banking Infrastructure with Atalla Payment HSM

Utimaco Portal

Here you will find everything you need as a partner and customerLogin required

Home / solutions / applications / random number generator (RNG)

random number generator (RNG)

True random numbers are the foundation of strong, unique encryption keys. A random number generator (RNG) is a function or device (computational or physical) designed to generate a succession of numbers or characters. These are selected by pseudo, deterministic or pure randomness and therefore cannot be predicted. Utimaco HSMs implement a hybrid random number generator complying with AIS 31 DRG.4 requirements for the highest level of security. A physical quantum noise-based random number generator (PTG.2) is used as the entropy source for seeding this deterministic RNG.

Utimaco HSMs random number generator (RNG)

A random number generator is a must for highest security when using HSMs

True random numbers are a must for ensuring the highest security and reliability

Random number generation plays an important role for numerous products and services and the cryptographic applications they rely on.

Making the difference: PRNG – DRNG – TRNG

Two categories of random number generators exist. Many computer-generated random numbers use pseudo random number generators (PRNG) aka deterministic random number generators (DRNG). They produce random-looking yet deterministic sequences of numbers. While these algorithms can create long runs of numbers with good random properties, a poorly designed DRNG may show . Security evaluation schemes specify evaluation criteria for such DRNGs. In practice, these types of random numbers can be sufficiently strong for many applications.

But they are not as random as numbers generated by coin tosses or rolls of a dice, or by true random number generators (TRNG). Such true random numbers form at the core of strong encryption. The generated random numbers are based on an electrical, optical or quantum phenomenon, such as measuring thermal noise. Therefore, they do not show any predictable pattern and are most suited to generate highly secure cryptographic keys. Implementing a DRNG that is regularly re-seeded with entropy from a TRNG combines the best of both types, i.e. the speed of the DRNG and the true randomness from the TRNG.

In conclusion, protecting sensitive or critical information requires a TRNG.

For more details on the difference between PRNG, DRNG and TRNG, read our blog post “Why do you need true random number generation?”

What are the main uses of a RNG?

  • in IT security applications
  • Key generation for government purposes, e.g. passports and eID cards
  • Lottery systems & gaming
  • Nonce generation for use in cryptographic protocols
  • Chip manufacturing and seeding of device-specific keys, e.g. for NFC (Near Field Communication) or device IDs

Trust in externally validated random number generators

Vulnerabilities and implementation errors of random number generators are not unheard of. You should therefore consider implementing certified solutions and software/hardware components. Cryptographic RNG implementations have to fulfill strict requirements, e.g. in accordance with the BSI (German Federal Office for Information Security) AIS 31. These define a standardized evaluation methodology to assess functionality classes and security properties of random number generators. Class 4 is the highest class for deterministic random number generators (DRG). A RNG complying with DRG.4 requirements is a so-called hybrid RNG: It offers maximum mathematical complexity for calculating random numbers and continuously inserts entropy from a true random number generator. In the functionality class of true, physical random number generators, PTG.2 represents the highest security level.

The AIS 31 standard defines different functionality classes for random number generators:

  • PTG – Physical RNG with internal tests that detect a total failure of the entropy source and non-tolerable statistical defects of the internal random numbers
  • DRG – Deterministic RNG with (enhanced) forward secrecy, and additional (enhanced) backward secrecy depending on the DRG level
  • NTG – Non-physical true RNG with entropy estimation

Why use Utimaco HSMs for random number generation?

Utimaco HSMs implement a hybrid random number generator complying with DRG.4 requirements, the highest level of security for DRG. A physical quantum noise-based random number generator of the highest security class PTG.2 is used as the entropy source for seeding this deterministic random number generator.

  • True randomness (passes all randomness tests, including DIEHARD and AIS 31)
  • Utimaco’s HSM compliance with the AIS 31 standard has been validated in several different contexts. One of the evaluation certificates for Utimaco CryptoServer CSe is available here.
  • Easy integration (e.g. via PKCS#11)
  • Physical security through active tamper protection

Start now: try our free-of-charge, fully functional simulator!

Ready to take off?

Download our HSM simulator!

Register for free
Take me there

Stay on top of our news
Don’t miss out on any Utimaco updates

Subscribe to Utimaco Newsletter

We will keep you posted with news from Utimaco and the industries we protect, as well as information on upcoming events and webinars.

Subscribe now

Partners

Find a partner

Share this page