Monday September 16, 2013

That's All It Took To Weaken The Encryption

Paul Ducklin wrote up a fascinating story behind a vulnerability in the secure messaging app, Cryptocat. His summary:

And that, my friends, is why PRNGs [Pseudorandom Number Generators] are important, and why they should be tested thoroughly every time you build and ship the latest version of your software. A PRNG which passes the Chi-squared test may very well still be deeply flawed, but one that fails, and which produces such clear visual regularities, is definitely unfit for purpose. Random number generators, as the joke goes, are far too important to be left to chance.

The number generator had a bug that generated zeros at slightly higher frequency than other digits. That’s all it took to weaken the encryption.
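An added example (not from the original post and not Cryptocat's code): a chi-squared frequency check over decimal digits, run against an assumed model of the bias described above, in which zero has 26 source byte values and every other digit has 25. The function names, the off-by-one bound and the sample streams are assumptions constructed for illustration.

```python
import random
from collections import Counter

CHI2_CRIT_DF9_P01 = 21.666  # chi-squared critical value, 9 degrees of freedom, p = 0.01

def digits_flawed(byte_stream):
    """Assumed model of the bias: bytes 0..250 are accepted, so digit 0 has
    26 source values (0, 10, ..., 250) while every other digit has 25."""
    return [b % 10 for b in byte_stream if b <= 250]

def digits_fixed(byte_stream):
    """Rejection sampling with the correct bound: 0..249 gives 25 values per digit."""
    return [b % 10 for b in byte_stream if b < 250]

def chi_squared(digits):
    """Pearson goodness-of-fit statistic against a uniform distribution over 0..9."""
    if not digits:
        raise ValueError("need at least one digit")
    counts = Counter(digits)
    expected = len(digits) / 10
    return sum((counts.get(d, 0) - expected) ** 2 / expected for d in range(10))

def looks_biased(digits):
    """True when the digit frequencies are rejected as uniform at p = 0.01."""
    return chi_squared(digits) > CHI2_CRIT_DF9_P01

if __name__ == "__main__":
    rng = random.Random(2013)  # seeded stand-in for a byte source; constructed input
    for n in (10_000, 100_000, 2_000_000):
        stream = bytes(rng.getrandbits(8) for _ in range(n))
        for name, gen in (("flawed", digits_flawed), ("fixed", digits_fixed)):
            digits = gen(stream)
            share0 = digits.count(0) / len(digits)
            print(f"{n:>9} bytes {name:6} zeros={share0:.4f} "
                  f"chi2={chi_squared(digits):8.2f} biased={looks_biased(digits)}")
```

A bias this small only pushes the statistic past the threshold once more than a hundred thousand digits are counted, so a frequency test in a build pipeline needs a large sample to catch it.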