Random Number Generator Attack - Attacks On Software Random Number Generators

Attacks On Software Random Number Generators

Just as with other components of a cryptosystem, a software random number generator should be designed to resist certain attacks. Exactly which attacks must be defended against depends on the system, but here are a few:

• If an attacker obtains most of the stream of random bits, it should be infeasible for them to compute any additional parts of the stream.
• If an attacker observes the internal state of the random number generator, they should not be able to work backwards and deduce previous random values.
• If an attacker observes the internal state of the random number generator, they will necessarily be able to predict the output until enough additional entropy is obtained. However, if entropy is added incrementally, the attacker may be able to deduce the values of the random bits that were added and obtain the new internal state of the random number generator (a state compromise extension attack).
• If an attacker can control the supposedly random inputs to the generator, they may be able to "flush" all the existing entropy out of the system and put it into a known state.
• When a generator starts up, it will often have little or no entropy (especially if the computer has just been booted and followed a very standard sequence of operations), so an attacker may be able to obtain an initial guess at the state.