The title is actually a quote from John von Neumann. And while it is over half a century old, it still captures the difficulty faced by anyone who has to generate random data.
When I teach a certain awareness course for developers, one of the basic messages is not to try to reinvent crypto components, but to use proven ones. Basically, it is just way too hard to get it perfectly right for the mere mortals among us.
In crypto you basically have four building blocks: symmetric and asymmetric ciphers, hash functions and the (pseudo-)random number generator. With those, you can build whatever you need, and a weak random number generator undermines all of the others, since it is where keys, nonces and initialization vectors come from.
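To make the "don't roll your own" point concrete, here is an added example (not code from the original diary, and not modelled on any real product): a constructed toy generator, a 32-bit linear congruential generator that only reveals the top 16 bits of its state per call, which looks opaque but is fully predictable from three observed outputs. The LCG constants are arbitrary illustration values, and the seed is chosen for the demo. The contrast at the end uses the operating system's CSPRNG through Python's `secrets` module, which is the "proven component" a developer should reach for instead.

```python
import secrets

# Constructed toy "homegrown" generator for this example: a 32-bit linear
# congruential generator (LCG) that only reveals the top 16 bits of its
# state per call. The constants are arbitrary illustration values; nothing
# about any real product is implied.
A = 1664525
C = 1013904223
M = 1 << 32


class ToyLCG:
    """Homegrown PRNG: full 32-bit state, 16-bit truncated output."""

    def __init__(self, seed):
        self.state = seed % M

    def next16(self):
        self.state = (A * self.state + C) % M
        return self.state >> 16


def candidate_states(outputs):
    """Recover the generator state from observed 16-bit outputs.

    The first output fixes the top 16 bits of the state; the 16 hidden low
    bits are brute-forced (65,536 tries) and kept only if stepping the
    generator forward reproduces every later observed output. Returns the
    list of full states consistent with the observations, positioned just
    after the last observed output. The true state is always among them.
    """
    first, rest = outputs[0], outputs[1:]
    survivors = []
    for low in range(1 << 16):
        state = (first << 16) | low
        consistent = True
        for expected in rest:
            state = (A * state + C) % M
            if state >> 16 != expected:
                consistent = False
                break
        if consistent:
            survivors.append(state)
    return survivors


def predict(outputs, n):
    """Predict the next n outputs for every state consistent with `outputs`."""
    predictions = []
    for state in candidate_states(outputs):
        clone = ToyLCG(0)
        clone.state = state
        predictions.append([clone.next16() for _ in range(n)])
    return predictions


def attack_succeeds(seed=0xDEADBEEF, observed=3, predicted=4):
    """Victim emits `observed` values; attacker predicts the next `predicted`.

    Returns True when the victim's real future outputs appear among the
    attacker's predictions (seed is an assumed demo value).
    """
    victim = ToyLCG(seed)
    seen = [victim.next16() for _ in range(observed)]
    truth = [victim.next16() for _ in range(predicted)]
    return truth in predict(seen, predicted)


def csprng16():
    """What to use instead: 16 bits from the OS CSPRNG via the secrets module."""
    return int.from_bytes(secrets.token_bytes(2), "big")


if __name__ == "__main__":
    print("attacker predicted the toy LCG:", attack_succeeds())
    print("CSPRNG sample (no state to recover):", csprng16())
```

The brute force is only 65,536 candidates because the toy generator leaks half its state on every call; real homegrown generators usually fail in the same spirit, with a state that is small, seeded from the clock, or linearly related to the output. Nothing comparable exists for `secrets.token_bytes`, whose outputs come from the kernel's entropy pool rather than from a small state the observer can enumerate.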
Lately the random number generator in Windows has come under scrutiny. Crypto researchers (Dorrendorf, Gutterman and Pinkas, who reverse-engineered CryptGenRandom on Windows 2000) are calling it broken, and the press reports that Microsoft mostly seems to deny it is a problem.
While it is rather easy to make fun of Microsoft in this, take a look at what Microsoft employees Dan Shumow and Niels Ferguson presented at the CRYPTO 2007 rump session about PRNGs and the NIST recommendation (the Dual_EC_DRBG generator in NIST SP 800-90): http://rump2007.cr.yp.to/15-shumow.pdf.
Still, security professionals will need to take a position on the issue in the long run.
What do you think about it, why? Let us know and we'll summarize the best replies we get.
Nov 16th 2007