
How random is random?

How random something is relies on more than just thinking of a number; it relies on a multitude of tiny, imperceptible variables produced by the natural world around us, and there are some really cool ways of collecting them.


Mark Amory | 15 November 2017

Encryption is used everywhere in modern online communications. Most people encounter it when it secures payments made while shopping online, or when logging in to an account, but there are many other places where encryption is used. For example, companies such as Google and Amazon use encryption when transferring information between data centres across the globe, ATMs use it to connect securely to your bank when you make a withdrawal, and mobile telephone networks use it to prevent eavesdropping on calls. There is a term often used – "ubiquitous encryption" – which means that encryption is everywhere (you just don't notice it).

Encryption is all about transforming data in such a way that no unauthorised party can decrypt it and reveal the original content.

To do this, a mathematical algorithm is used to transform the original data (the clear text) into the output data (the cipher text). At the heart of a good, strong encryption algorithm is a key – the key determines how the algorithm converts the clear text into the cipher text.

The key is the single most important part of the whole process: if someone can predict the key being used with an algorithm, then they can decipher the data.

The question, therefore, is how do you make a good key?

The answer lies in randomness.

Many software programs use random numbers, but how random is random?

Any man-made program that produces a random number runs the risk of not being truly random; it will have an element of predictability in it. It is pseudo-random. In some applications, this pseudo-randomness will suffice, but in the situations mentioned at the beginning, the risk of someone being able to predict the randomness is not one that can be accepted.
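To make the difference concrete, here is an added example (not part of the original article): a 128-bit key drawn from Python's general-purpose `random` generator seeded with a clock reading, beside one drawn from the operating system's cryptographic generator through `secrets`. The function names, the timestamp and the one-hour window are assumptions chosen for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16                 # 128-bit key
WINDOW_START = 1510704000      # constructed Unix timestamp, illustration only
WINDOW_SECONDS = 3600          # assumed: the key was made some time in this hour


def weak_key(timestamp: int) -> bytes:
    """Weak: the key is a pure function of its seed (a clock reading here)."""
    rng = random.Random(timestamp)   # Mersenne Twister, not meant for secrets
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Hardened: the bytes come from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_bits(candidate_seeds: int) -> float:
    """Strength of a seeded key: log2 of the number of seeds it could have had."""
    return math.log2(candidate_seeds)


def seed_in_window(key: bytes, start: int, end: int):
    """Audit check: return the seed if a timestamp in [start, end) reproduces
    the key, otherwise None."""
    for ts in range(start, end):
        if weak_key(ts) == key:
            return ts
    return None


if __name__ == "__main__":
    k = weak_key(WINDOW_START + 1234)
    print("weak key reproducible from seed:",
          seed_in_window(k, WINDOW_START, WINDOW_START + WINDOW_SECONDS))
    print("effective strength of weak key: %.1f bits, not %d"
          % (effective_bits(WINDOW_SECONDS), 8 * KEY_BYTES))
    print("strong key reproducible from seed:",
          seed_in_window(strong_key(), WINDOW_START, WINDOW_START + WINDOW_SECONDS))
```

Both keys are 128 bits long, but the seeded one is only as strong as the number of seeds it could have come from.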

So, how do we make a truly random key?

The answer, in most cases, lies with physics.

Have you ever listened to a radio station that drops out of tune? The hiss you hear is static generated by many things, such as fluctuations in the heat properties of different components in the radio itself, but mainly by the radio antenna picking up external noise, some of which is cosmic noise – radio waves generated by the billions of stars in the cosmos.

Some cryptographic random number generators use this noise as a way of generating a seed value for their random number generator. This produces a very large, very random value which would be almost impossible to predict or recreate.

Cloudflare has a number of ways of generating randomness. In their San Francisco head office they have a wall of lava lamps constantly bubbling away, which is videoed 24/7. Snapshots of the video are digitised and the output is used to generate the random seed for the keys they use in the services they provide to customers all over the globe. In another office, they use a video stream of a 3-axis chaotic pendulum to generate random patterns.
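The general idea of turning digitised noise into a seed can be sketched as follows. This is an added example, not Cloudflare's code: the frame data is constructed, and the choices of SHA-256, mixing in operating-system randomness and a simple byte-histogram health check are assumptions made here.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for one digitised snapshot (every byte value appears twice).
CONSTRUCTED_FRAME = bytes((i * 37 + 11) % 256 for i in range(512))


def min_entropy_per_byte(raw: bytes) -> float:
    """Histogram estimate: -log2 of the most common byte value's frequency.

    This is a health check that catches a dead or stuck source. It cannot
    prove a source is unpredictable, because it ignores ordering and structure.
    """
    if not raw:
        return 0.0
    most_common = Counter(raw).most_common(1)[0][1]
    return -math.log2(most_common / len(raw))


def make_seed(frames, os_entropy=None, need_bits=256) -> bytes:
    """Hash noise samples together with OS randomness into a 32-byte seed.

    Raises ValueError when the estimated entropy of the frames is below
    need_bits, e.g. a camera that is covered or returns a constant image.
    """
    if os_entropy is None:
        os_entropy = os.urandom(32)
    estimate = sum(min_entropy_per_byte(f) * len(f) for f in frames)
    if estimate < need_bits:
        raise ValueError(f"noise source too weak: ~{estimate:.0f} bits estimated")
    h = hashlib.sha256()
    for f in frames:
        h.update(len(f).to_bytes(4, "big"))  # length prefix keeps frame boundaries unambiguous
        h.update(f)
    h.update(os_entropy)                     # seed stays unpredictable if the camera fails quietly
    return h.digest()


if __name__ == "__main__":
    print("seed:", make_seed([CONSTRUCTED_FRAME]).hex())
    try:
        make_seed([bytes(512)])              # constructed all-zero frame from a stuck sensor
    except ValueError as err:
        print("rejected:", err)
```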

So, there are random values, and there are random values. How random something is relies on more than just thinking of a number; it relies on a multitude of tiny, imperceptible variables produced by the natural world around us, and there are some really cool ways of collecting them.

At QA we have developed the most comprehensive end-to-end Cyber Security training portfolio providing training for the whole organisation, from end user to executive board level courses as well as advanced programmes for security professionals.

Visit www.qa.com/cyber for more information

 


Mark Amory

Senior Learning Consultant

After leaving a career as a mechanical & electrical engineer in 1998, Mark started out on a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since. A natural progression of his career saw Mark start to explore the security aspect of his existing competencies, and since 2005 he has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses, and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.