Researchers say web encryption number generators are not strong enough

Next Story

Users warned to keep Facebook details safe

The systems used to create random numbers for web encryption aren’t tough enough, according to researchers.

Generating scrambled numbers is an essential security measure used to prevent online fraud and identity theft.

Vulnerabilities of the system

Security analyst Bruce Potter and researcher Sasha Wood presented their evidence at the Black Hat security event that was recently held in Las Vegas. The gathering is a well-known fixture on the social calendar of hackers and digital security experts.

The pair’s study found weaknesses in widely used software on Linux-based web server systems that creates strings of data used as a “seed” for generating random numbers.

Pools of data

Generating unpredictable random numbers involves a server using mouse movements and keyboard presses, amongst other stimulus, to create a binary stream of numbers. This “pool” of data is the basis of the actual number generation.

Potter explained that “entropy” is the key factor in the process, using the example of an unshuffled pack of cards being predictable but a shuffled pack having more entropy because it’s harder to know where each card is.

The same is true of data pools where the higher the entropy, the harder it is to predict the random number that will be produced.

Linux servers pose risk

Potter went on to say that the entropy of the data streams on Linux servers was often very low because of a lack of raw information, adding that server security software did little to check the level of entropy.

“This seemed like just an interesting problem when we got started but as we went on it got scary,” said Potter


Johnson Controls XP-9102-8304 METASYS, new in box. Expension module. picture
Johnson Controls XP-9102-8304 METASYS, new in box. Expension module.
Johnson Controls XTM-404-5 METASYS, new in box,. picture
Johnson Controls XTM-404-5 METASYS, new in box,.
Johnson Controls XP-9105-8304 METASYS, new in box. Expension module. picture
Johnson Controls XP-9105-8304 METASYS, new in box. Expension module.
JOHNSON CONTROLS METASYS DX 9100 8454 USED picture
JOHNSON CONTROLS METASYS DX 9100 8454 USED
Johnson Controls Metasys DX-9100-8454 Digital Controller picture
Johnson Controls Metasys DX-9100-8454 Digital Controller