Are Web Random Numbers Random Enough?
Researchers have found that web servers’ data scrambling systems could be much weaker than they ought to be.
17:53 10 August 2015
Web servers use data-scrambling systems as a security measure to prevent data theft. However, research has found that the computers used to generate the numbers often run dry, putting crucial information at risk.
Bruce Potter, the security analyst who carried out the research with researcher Sasha Wood, presented the results at the Black Hat security event in Las Vegas. He said: “This seemed like just an interesting problem when we got started but as we went on it got scary.”
The research focused on Linux-based web server software that generated strings of data to use as seeds for random numbers. Large, hard-to-guess numbers are crucial in encrypting information and in making sure that data is stored in memory in a way that thwarts attempts by hackers to predict what a machine is doing.
Generating good random numbers starts with the server translating mouse movements, keyboard presses, and other things a machine does into a pool of data. Mr Potter said that normally, this pool of data would possess a high degree of a property known as “entropy.” Unfortunately, Mr Potter found that the entropy of the data streams on Linux servers was often very low, because the machines were not generating enough raw information to fill the pool.
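One way an administrator could check whether a server's pool is running dry, as an added example that is not from the article or the researchers: Linux exposes the kernel's own entropy estimate in /proc/sys/kernel/random/entropy_avail, and the sketch below reads it and flags sustained low periods in a series of readings. The 200-bit threshold, the sampling interval and the sample readings are assumptions constructed for illustration.

```python
"""Flag periods where a Linux server's kernel entropy estimate runs low."""
from pathlib import Path

# Real procfs file: the kernel's current entropy estimate, in bits.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the current estimate in bits, or None if it cannot be read."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def low_entropy_windows(samples, threshold_bits=200, min_len=2):
    """Find runs of consecutive readings below threshold_bits.

    samples: iterable of (timestamp_seconds, bits) in time order.
    Returns a list of (start_ts, end_ts, lowest_bits); runs shorter than
    min_len readings are ignored so a single dip does not raise an alert.
    threshold_bits is an assumed alerting level, not a kernel constant.
    """
    windows, run = [], []

    def close_run():
        if len(run) >= min_len:
            windows.append((run[0][0], run[-1][0], min(b for _, b in run)))
        run.clear()

    for ts, bits in samples:
        if bits < threshold_bits:
            run.append((ts, bits))
        else:
            close_run()
    close_run()  # a run may still be open when the readings end
    return windows


# Constructed readings, one every 10 seconds (not measured data).
SAMPLE_READINGS = [
    (0, 3100), (10, 180), (20, 95), (30, 60), (40, 900),
    (50, 150), (60, 2400), (70, 120), (80, 40),
]

if __name__ == "__main__":
    print("current estimate:", read_entropy_avail())
    for start, end, lowest in low_entropy_windows(SAMPLE_READINGS):
        print(f"low entropy from t={start}s to t={end}s, minimum {lowest} bits")
```

The figure is the kernel's estimate rather than a direct measurement, and how it behaves differs between kernel versions, so a threshold should be chosen against readings taken from the server being monitored.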