How do we know our PRNGs work properly?

Pseudo-random number generators (PRNGs) are critical pieces of security infrastructure. Yet, PRNGs are surprisingly difficult to design, implement, and debug. The PRNG vulnerability that we recently found in GnuPG/Libgcrypt (CVE-2016-6313) survived 18 years of service and several expert audits. In this presentation, we not only describe the details of the flaw but, based on our research, explain why the current state of PRNG implementation and quality assurance downright provokes incidents. We also present a PRNG analysis method that we developed and give specific recommendations to implementors of software producing or consuming pseudo-random numbers to ensure correctness.

English
  • Originally Aired December 29, 2016
  • Runtime 60 minutes
  • Production Code 8099
  • Created December 28, 2016 by Administrator admin
  • Modified December 28, 2016 by Administrator admin