We routinely rely on secure systems in our everyday life. Online banking, online shopping, instant messaging and video calling; all these activities require strong security to prevent eavesdropping. Amongst many other tools, cryptography is the main method used to secure these activities. Cryptography provides confidentiality and integrity to personal data, and authentication and anonymity to the communication.
Unpredictable random numbers are vital for cryptographic operations. They are used to make ‘keys’ (complex unique codes), and in authentication protocols, digital signature algorithms, etc. Use of poor, predictable random numbers can lead to disastrous results, allowing unwanted parties to access secret communication.
RSA, a widely used public-key cryptographic algorithm, uses large prime numbers to form a pair of public and private keys. These prime numbers are chosen at random, one of them is kept secret, and the product of them can be shared publicly. As this product is a very large number, it is difficult to factorise and work out which prime numbers it was formed from. However, if the prime numbers are predictable, it has been shown that factorisation, and hence retrieval of the secret prime number, gets easier for an attacker. A recent attack showed that the factorisation is practically possible due to a bad random number generator for prime numbers in the RSA library on a widely used security chip. The areas where this attack could apply included message protection, secure browsing, Trusted Platform Modules, software signing, identity documents, etc. (technical details can be found here).
Another popular algorithm, ECDSA, is used for digital signatures to prove that a given set of data, e.g. a message, media file, program etc., came from a specific source. It relies on cryptographically secure random integers. When random numbers are generated poorly, and the integers used are guessable, then a nefarious party can alter or replace digitally signed data packets without being detected. This problem was observed in Android’s Secure Random library, resulting in Bitcoins being stolen from digital wallets where the faulty Android library was used. There’s more information here.
Random numbers are important in virtual private network (VPN) connections as well. Each VPN connection is encrypted with a secret key. A recent attack showed that any VPN traffic implemented on FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted due to its use of bad random numbers. More here.
Quantum Base has developed a simple random number generator. When it is incorporated into electronic devices it will prevent cyber-attacks that target poor random number generation. Find out more here.
Did you know that without random numbers anyone could access your private communications?