Home / Series / BSides Las Vegas / Aired Order / Season 2014 / Episode 27

Untwisting the Mersenne Twister: How I killed the PRNG

Applications rely on generating random numbers to provide security, and fail catastrophically when these numbers turn out to be not so “random.” For penetration testers, however, the ability to exploit these systems has always been just out of reach. To solve this problem, we've created “untwister:” an attack tool for breaking insecure random number generators and recovering the initial seed. We did all the hard math, so you don't have to! Random numbers are often used in security contexts for generating unique IDs, new passwords for resets, or cryptographic nonces. However, the built-in random number generators for most languages and frameworks are insecure, leaving applications open to a series of previously theoretical attacks. Lots of papers have been written on PRNG security, but there's still almost nothing practical you can use as a pentester to actually break live systems in the wild. This talk focuses on weaponizing what used to be theoretical into our tool: untwister. Let's finally put rand() to rest.

English
  • Originally Aired August 5, 2014
  • Created July 23, 2019 by
    Administrator admin
  • Modified July 23, 2019 by
    Administrator admin
Name Type Role
Dan Petro Guest Star
moloch Guest Star