Random number generators play an important role in cryptography. It is important that the keys be chosen randomly, so that attackers cannot guess what the key will be. In practice it is rare to have a true random number generator. Computers are equipped with pseudorandom generators that are initialized with a seed. If the same algorithm is started with the same seed, then it produces an identical sequence of numbers - this is not what we want.
Many internet security applications depend on generating session keys (SSL for example). I read an article that describes an attack that works against a Netscape implementation of the SSL protocol. The attacker had to have access to the same Unix machine as the victim. If the attacker could notice the exact time that the random number was generated, she could calculate the same seed used to generate the key (the seed was based on the processor time and a sample of active processes in the kernel). This meant the SSL implementation was not secure enough.
There is a description of the attack available here, and the C code also. Thanks to Dmitry for the links.
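The weakness described above, as an added example (this is not the linked C code and not Netscape's code): a constructed toy key generator seeded from the clock and a process ID, the size of the search space left to an observer on the same machine, and the operating system's CSPRNG as the corrected approach. The seed layout, function names and sample values are assumptions made for illustration.

```python
import math
import random
import secrets

def weak_session_key(seconds, micros, pid):
    """Constructed weak design: a 128-bit key from a PRNG seeded with guessable values."""
    # Assumed seed layout (hypothetical): micros < 2**20, pid < 2**16.
    seed = (seconds << 36) | (micros << 16) | pid
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def search_space_bits(window_seconds, pid_count):
    """Upper bound on seed entropy when the time window and the process list are known."""
    return math.log2(window_seconds * 1_000_000 * pid_count)

def recover_seed(target_key, seconds, micro_range, pids):
    """Regenerate keys for every candidate seed until one matches the observed key."""
    for pid in pids:
        for micros in micro_range:
            if weak_session_key(seconds, micros, pid) == target_key:
                return seconds, micros, pid
    return None

def strong_session_key():
    """Corrected approach: take the key bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

# Constructed sample values, not taken from the original attack.
OBSERVED_SECOND = 811_296_000          # second in which the key was generated
VICTIM = (OBSERVED_SECOND, 4242, 1337)  # (seconds, microseconds, pid)
LOCAL_PIDS = [1201, 1337, 1402]         # process IDs visible to any local user

if __name__ == "__main__":
    key = weak_session_key(*VICTIM)
    # The key is nominally 128 bits, but the seed carries under 22 bits here.
    print("seed search space: %.1f bits" % search_space_bits(1, len(LOCAL_PIDS)))
    # A narrowed microsecond range keeps the demonstration fast.
    print("seed recovered:", recover_seed(key, OBSERVED_SECOND, range(4000, 4500), LOCAL_PIDS))
    print("CSPRNG key:", strong_session_key().hex())
```

A key is only as unpredictable as the seed behind it, so a review of key-generation code should check where the seed comes from and not just the key length.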
random.org has a service that provides truly random numbers. They sample atmospheric noise to generate the numbers. Find more details at the site.
Ronan Killeen