Where is the Focus on Randomness in Cryptography?
Co-authored by Nate Cote and Emmett Jorgensen
Too often we, as security professionals, aren’t asking all of the right questions when evaluating a new product or service. We’ve all heard of “256-bit AES” encryption and products secured with RSA keys of “x” size. Encryption key sizes have become commonplace metrics for evaluating security products utilizing cryptography – and many times become one of the primary pieces of information that drives product adoption by an organization. A serious question we should be asking about cryptographic products, however, is related to the effectiveness of the Random Number Generator (RNG).
How many people truly gather any information on the randomness of the cryptography implemented in a product or module? More specifically, is there any analysis of the effectiveness of the RNG? This is, after all, the engine of the entire process and perhaps the most critical piece of a product using cryptographic functionality. Unfortunately, this information is almost never discussed, since most people don’t understand the importance of RNG quality and therefore don’t ask about it.
What does this really mean in everyday terms? The overall security of any device or product using cryptographic functions directly depends on the quality of the RNG implemented in the solution. The “encryption key” that typically protects the data in a module is generated by what should be a robust, truly random number generator. The idea is that someone wishing to attack the encrypted data should have to attack the full strength of the protection (such as the entire 256 bits of security).
The risk in using an RNG that is not truly random stems from an attacker’s ability to analyze the encrypted data and potentially discover patterns in the encryption. This could allow some type of reverse engineering of the encrypted data or keys. So, even though the device has “256-bit AES encryption”, it may not have anywhere close to that level of effective security. Patterns may begin to emerge, and each step in deciphering the information may become easier than the last, making it easier to connect the rest of the dots. The more random this initial value, the more secure the key, ciphertext, and other critical components are likely to be, and the more difficult it is for an attacker to find an easy way to attack the module.
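The gap between nominal key size and effective security can be measured directly. The following is an added example, not part of the original article: it compares a 256-bit key drawn from a non-cryptographic PRNG with a small seed against one drawn from the operating system's CSPRNG. The 16-bit seed size and all function names are assumptions chosen for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 32  # a "256-bit AES" key

def weak_key(seed: int) -> bytes:
    """256-bit key from Python's Mersenne Twister; the seed is the only secret."""
    return random.Random(seed).getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")

def strong_key() -> bytes:
    """256-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def effective_bits(seed_bits: int) -> float:
    """log2 of the number of distinct keys the weak generator can ever emit."""
    keys = {weak_key(seed) for seed in range(2 ** seed_bits)}
    return math.log2(len(keys))

def reproducible_from_seed(key: bytes, seed_bits: int) -> bool:
    """Audit check: can this key be regenerated from the seed space alone?"""
    return any(weak_key(seed) == key for seed in range(2 ** seed_bits))

if __name__ == "__main__":
    SEED_BITS = 16  # assumed seed size, e.g. a coarse timer or counter value
    key = weak_key(4242)  # constructed sample: seed 4242 is arbitrary
    print(f"nominal key size  : {len(key) * 8} bits")
    print(f"effective strength: {effective_bits(SEED_BITS):.1f} bits")
    print(f"weak key reproducible from seed space  : "
          f"{reproducible_from_seed(key, SEED_BITS)}")
    print(f"CSPRNG key reproducible from seed space: "
          f"{reproducible_from_seed(strong_key(), SEED_BITS)}")
```

Both keys are 256 bits long, but the first can only take one of 65,536 values, so its protection is bounded by the seed rather than by the cipher's key size.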
So, how is one to actually understand if a product ultimately has a strong RNG?
Certifications from a variety of testing bodies help to ensure that a product has met at least a reasonable level of strength in its random number generator implementation. The National Institute of Standards and Technology (NIST) offers a Federal Information Processing Standard (FIPS 140-2) testing program, which references some acceptable implementations of random number generators such as ANSI X9.31 (which has been used for quite some time, though it is getting a bit older), as well as a variety of options within the NIST SP 800-90 guidance set, which are widely considered more robust. In addition, Common Criteria, an international standard for computer security certification, will oftentimes go much deeper into the analysis of how good the RNG is than other accreditation programs.
Using either of these certification processes is an excellent starting point for determining the overall security of a product and helps ensure the use of a well-implemented RNG.
Ultimately, working with a security vendor that has engaged these certification bodies and has a solid reputation in the industry is a good start. If you still have concerns, ask a vendor how random their crypto is and see if you get a comforting response or a quizzical look – it may help give you the answer you have been looking for all along.