Much Ado About Randomness

Presented at The Next HOPE (2010), July 17, 2010, 5 p.m. (60 minutes)

Access to random bits is required by almost every security protocol. A common assumption in cryptography is that all parties have access to a perfect random source. Then we can prove that signatures are unforgeable, SSL is secure, and life is good. In practice, the situation is quite different, as demonstrated by recent exploits of the Debian OpenSSL library, WEP, and Netscape 1.1 keys. This talk will try to bridge the gap between theory and practice. The discussion will include what it means for a number to be “random” and demonstrate how some open source tools, as well as custom tools, can be used to find programs with poor sources of randomness.


Presenters:

  • Dr. Aleksandr Yampolskiy
    Dr. Aleksandr Yampolskiy is head of security and compliance at a well-known e-commerce company. Prior to this position, he was a lead technologist for authentication/authorization and IDM products in several Fortune 100 companies. He has been cited in The New York Times and Yale Scientific, and has published half a dozen articles in top security conferences. He's been hacking programs for as long as he can remember. He has a B.A. in mathematics from NYU and a Ph.D. in cryptography from Yale.
