Cryptography Session 1

Predictable Generation

  • Suppose a system needs to generate a secret key. Where should this key come from?
  • One way is to use a Pseudo Random Number Generator (PRNG). They are called "pseudo" because they are
    not truly random. Try Google/GPT for "how to generate a random number in python". They will likely
    recommend a method that generates random numbers seeded from the current time. That method is
    very fast but produces "reversible" sequences: if the attacker knows the generation process (and can
    narrow down the seed), the attacker may be able to predict the key. See https://cwe.mitre.org/data/definitions/330.html

Real-life examples:

  • CVE-2020-7010: Cloud application on Kubernetes generates passwords using a weak random number generator
    based on deployment time.
  • CVE-2009-3238: Random number generator can repeatedly generate the same value.
  • CVE-2008-0141: Application generates passwords that are based on the time of day.

  • The correct method is to use a cryptographically secure pseudo random number generator.

One could also get secure random numbers from truly random sources, e.g. a Hardware
Random Number Generator.
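Added example (not part of the NCL slides): the time-seeded key generation the slide warns about, next to the corrected version using Python's `secrets` module. The function names and the sample seed value are this example's own choices; the point it shows is that re-seeding Python's `random` (a Mersenne Twister) with the same timestamp regenerates the same "key", whereas `secrets` draws from the operating system's CSPRNG and cannot be replayed.

```python
"""Added example, not from the original slides: why a time-seeded PRNG key is
predictable, and what the corrected CSPRNG-based version looks like."""
import random
import secrets
import time


def weak_key(seed, nbytes=16):
    """Anti-pattern from the slide: a 'secret' derived from a time-based seed.

    random.Random is a Mersenne Twister. Given the same seed it replays the
    same sequence, so anyone who can narrow down the seed (e.g. a deployment
    timestamp, as in CVE-2020-7010) can regenerate the key offline.
    """
    rng = random.Random(seed)
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big").hex()


def weak_key_from_clock(nbytes=16):
    """What 'seed from the current time' looks like in practice.

    Returns the seed alongside the key only so the reproducibility check
    below can be demonstrated; a real application would never expose it.
    """
    seed = int(time.time())  # one-second resolution: a tiny search space
    return seed, weak_key(seed, nbytes)


def secure_key(nbytes=16):
    """Corrected version: OS-backed CSPRNG via the secrets module.

    secrets.token_bytes reads from the platform's secure source (e.g.
    /dev/urandom or the Windows CNG provider) and has no seed to recover.
    """
    return secrets.token_bytes(nbytes).hex()


def is_reproducible(seed, key):
    """Check: does re-seeding with the same value regenerate the key?

    True for the weak scheme, which is exactly the CWE-330 problem.
    """
    return weak_key(seed, len(key) // 2) == key


if __name__ == "__main__":
    seed, k = weak_key_from_clock()
    print("time-seeded key:", k)
    print("regenerated from the same second:", is_reproducible(seed, k))
    s1, s2 = secure_key(), secure_key()
    print("two secrets.token_bytes keys differ:", s1 != s2)
```

When reviewing code, the pattern to flag is any key, password, token or nonce produced by `random.random()`, `random.randint()`, `random.choice()` or a `random.seed(time.time())` call; the fix is a drop-in switch to `secrets.token_bytes`, `secrets.token_hex` or `secrets.choice`.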

http://www.entropykey.co.uk/

© 2024 National Cybersecurity R&D Laboratory (NCL)