Bad Randomness: Protecting Against Cryptography's Perfect Crime

Learn how bad randomness attacks compromise cryptographic systems, the key weaknesses they create in TLS and cryptocurrency, and best practices for protecting against these stealthy but devastating threats.

Key takeaways
  • Bad randomness attacks are extremely stealthy and difficult to detect: no test can prove that a given value was generated randomly, so a backdoored or subverted generator can pass every statistical check while its output remains predictable to the attacker

  • Key attack vectors include:

    • Compromised or backdoored pseudorandom number generators (PRNGs)
    • Malware that patches or hooks the random number generation code on a host
    • Injection of a rogue certificate authority, enabling man-in-the-middle attacks on TLS
    • Monitoring public cryptocurrency transactions for addresses and signatures produced with weak randomness
  • Bad randomness vulnerabilities affect multiple critical systems:

    • TLS/HTTPS encryption
    • Bitcoin/cryptocurrency wallets
    • Authentication systems
    • Digital signatures (ECDSA), where the per-signature nonce must be unpredictable and never reused
  • Recommended protections include:

    • Distributing random number generation across multiple parties (MPC), so that no single compromised source determines the result
    • Deriving values deterministically from existing entropy where the protocol allows (for example, RFC 6979 deterministic ECDSA nonces) instead of drawing fresh randomness for every operation
    • Protecting PRNG implementations from tampering
    • Reducing unnecessary randomness requirements in protocols
  • Humans are poor sources of entropy and should not generate random values manually

  • Perfect forward secrecy (PFS) alone is insufficient protection: if the randomness behind the ephemeral keys is compromised, an attacker can still recover the session keys

  • The stealthy nature of bad randomness attacks makes them “perfect crimes”: lethal to security and virtually undetectable

  • Even a single bit of randomness leakage can compromise an entire cryptographic system; for ECDSA, a few known or biased bits of the nonce across enough signatures are sufficient to recover the private key with lattice techniques

  • Bad randomness attackers actively scan for vulnerable implementations and exploit them in real time

  • Protection requires both securing random number generators and architecting systems to be resilient against compromised randomness
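The ECDSA takeaways above (the per-signature nonce, the blockchain-monitoring attack vector, and the recommendation to derive values deterministically) in working code. This is an added example, not code from the original article: a minimal textbook ECDSA over secp256k1 in pure Python, with a constructed private key and a constructed reused nonce. The function names `sign`, `verify`, `recover_private_key` and `rfc6979_nonce` are this example's own. It shows that two signatures sharing a nonce leak the private key by simple algebra from public data alone, and that an RFC 6979-style deterministic nonce removes the need for per-signature randomness. It demonstrates only full nonce reuse, not the partial-bit lattice attacks mentioned above.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve used by Bitcoin); G is the generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a, m):
    """Modular inverse (Python 3.8+)."""
    return pow(a, -1, m)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if p1 == p2:
        lam = 3 * x1 * x1 * _inv(2 * y1, P) % P      # tangent slope (a = 0)
    elif x1 == x2:
        return None                                    # p1 == -p2
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def hash_message(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, z, k):
    """Textbook ECDSA: s = k^-1 (z + r d) mod n. All security rests on k."""
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (z + r * d) % N
    return r, s


def verify(Q, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    X = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_private_key(z1, sig1, z2, sig2):
    """Two signatures with the same r share k: subtract the two s equations
    to solve for k, then for d. Only public values (r, s, message hash) are needed."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or s1 == s2:
        return None                                    # nonces differ: attack does not apply
    k = (z1 - z2) * _inv(s1 - s2, N) % N
    return (s1 * k - z1) * _inv(r1, N) % N


def rfc6979_nonce(d, z):
    """Deterministic k from (d, z) with the HMAC-SHA256 DRBG of RFC 6979 section 3.2.
    Illustrative re-implementation for a 256-bit curve; use a vetted library in production."""
    x = d.to_bytes(32, "big")
    h = (z % N).to_bytes(32, "big")                    # bits2octets(h1)
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    V, K = b"\x01" * 32, b"\x00" * 32
    K = mac(K, V + b"\x00" + x + h)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x + h)
    V = mac(K, V)
    while True:
        V = mac(K, V)
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def demo():
    # Constructed test key and constructed reused nonce; neither is a real wallet value.
    d = hash_message(b"constructed test key, not a real wallet") % N
    Q = _mul(d, G)
    z1, z2 = hash_message(b"pay 1 BTC to Alice"), hash_message(b"pay 1 BTC to Bob")
    k_bad = int.from_bytes(b"\x42" * 32, "big")       # a stuck or patched RNG returns this twice
    sig1, sig2 = sign(d, z1, k_bad), sign(d, z2, k_bad)
    # Hardened signer: nonce derived from the key and message, no RNG involved.
    sig3, sig4 = sign(d, z1, rfc6979_nonce(d, z1)), sign(d, z2, rfc6979_nonce(d, z2))
    return {
        "both_bad_sigs_verify": verify(Q, z1, sig1) and verify(Q, z2, sig2),
        "shared_r": sig1[0] == sig2[0],                # what a blockchain scanner looks for
        "nonce_reuse_recovers_key": recover_private_key(z1, sig1, z2, sig2) == d,
        "deterministic_sigs_verify": verify(Q, z1, sig3) and verify(Q, z2, sig4),
        "deterministic_recovery_fails": recover_private_key(z1, sig3, z2, sig4) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Everything `recover_private_key` needs (r, s and the message hash) is published with every transaction, which is why scanning a public ledger for repeated r values is a practical, passive attack. The scalar multiplication here is not constant time and the curve code does no point validation; this is a teaching model of the algebra, not a signing library.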