How random is random?

Encryption is used everywhere in modern online communications – for most people, encryption is most often seen when being used to secure payments made when shopping online, or when logging in to an account, but there are many other places where encryption is used. For example, encryption is used by companies such as Google and Amazon when transferring information between data centres across the globe, encryption is used by ATMs when you make a withdrawal to connect to your bank securely, and encryption is used in mobile telephone networks to prevent eavesdropping on calls made. There is a term often used – "Ubiquitous encryption" – it means that encryption is everywhere (you just don't notice it).

Encryption is all about transforming data in such a way that it prohibits any unauthorised party from decrypting the data and revealing the original content.

To do this, a mathematical algorithm is used to transform the original data (the clear text) into the output data (the cipher text). At the heart of a good, strong encryption algorithm is a key – the key determines how the algorithm converts the clear text into the cipher text.

The key is the single most important part of the whole process, if someone can predict the key being used with an algorithm, then they can decipher the data.

The question therefore, is how do you make a good key?

The answer lies in randomness.

Many software programs use random numbers, but how random is random?

Any man-made program that produces a random number runs the risk of not being truly random, it will have an element of predictability in it. It is pseudo-random. In some applications, this pseudo-randomness will suffice, but in those situations mentioned at the beginning, the risk of someone being able to predict the randomness is not one that can be accepted.

So, how do we make a truly random key?

The answer, in most cases lies with physics.

Have you ever listened to a radio station that drops out of tune? The hiss you hear is static generated by many things such as fluctuations in the heat properties of different components in the radio itself, but mainly by the radio antenna picking up external noise, some of which is Cosmic noise – radio waves generated by the billions of stars in the cosmos.

Some cryptographic random number generators use this noise as a way of generating a seed value for their random number generator. This produces a very large, very random value which would be almost impossible to predict, or recreate.

The company Cloudflare, has a number of ways in which they generate randomness, in their San Francisco head-office they have a wall of lava lamps constantly bubbling away which is videoed 24/7. Snapshots of the video are digitised and the output is used to generate the random seed for the keys they use in the services they provide to customers all over the globe. In another office, they use another video stream of a 3-axis, chaotic pendulum to generate random patterns.

So, there are random values, and there are random values. How random something is relies on more than just thinking of a number, it relies on a multitude of tiny, imperceptible variables produced by the natural world around us, and there are some really cool ways of collecting them.

At QA we have developed the most comprehensive end-to-end Cyber Security training portfolio providing training for the whole organisation, from end user to executive board level courses as well as advanced programmes for security professionals.

Visit www.qa.com/cyber for more information