The systems used to create random numbers for web encryption aren’t tough enough, according to researchers.
Generating scrambled numbers is an essential security measure used to prevent online fraud and identity theft.
Vulnerabilities of the system
Security analyst Bruce Potter and researcher Sasha Wood presented their evidence at the Black Hat security event that was recently held in Las Vegas. The gathering is a well-known fixture on the social calendar of hackers and digital security experts.
The pair’s study found weaknesses in widely used software on Linux-based web server systems that creates strings of data used as a “seed” for generating random numbers.
Pools of data
Generating unpredictable random numbers involves a server using mouse movements and keyboard presses, amongst other stimulus, to create a binary stream of numbers. This “pool” of data is the basis of the actual number generation.
Potter explained that “entropy” is the key factor in the process, using the example of an unshuffled pack of cards being predictable but a shuffled pack having more entropy because it’s harder to know where each card is.
The same is true of data pools where the higher the entropy, the harder it is to predict the random number that will be produced.
Linux servers pose risk
Potter went on to say that the entropy of the data streams on Linux servers was often very low because of a lack of raw information, adding that server security software did little to check the level of entropy.
“This seemed like just an interesting problem when we got started but as we went on it got scary,” said Potter