Monday, February 1, 2016

Got Entropy? Moar Cryptography and Security Hints for Beginners

My first post an introduction to cryptography leads us to this second post which will get into random numbers (wow, exciting!) which are absolutely essential to crypto.  Most of what we see in computer programs and on calculators, as well as statistical programs is pseudo-random numbers from a pseudo-random number generator (PRNG).  What is really needed to ensure randomness is a hardware random number generator (HWRNG).  What is the difference between the two and sources of quality entropy is the topic addressed here.

PRNG are what your programmable calculator is able to provide.  The problem is, PRNG provide deterministic output.  Patterns can be ascertained with sufficient analysis.  While that may not be your threat model and PRNG output is good enough for you, you may still want to consider stepping up your game with HWRNG.  These systems generate true random output based off of external conditions.  Inputs to HWRNG can be the decay of radio isotopes (hey, new use for an out of service smoke detector?  Uranium mine tailings?) thermal conditions, video inputs even.

A few talented people are providing USB format HWRNG that you can buy and use to generate true random numbers for your computer, automatically.  The low cost option is described HERE where he details using a software defined radio/TV dongle as a source of entropy for the RNG function.  You may already have one lying around, looking for a new use.

Reddit has a subreddit on entropy, you can see the bright kids working it out here/ You can purchase an external USB RNG here.

A radio frequency shielded RNG with additional info can be found HERE.

If you need some entropy, quick and dirty for a science project or other use, try the website for your customizable RND string.  You can even roll your own from the supplies and instructions at  That level of skill is a bit beyond my competence level, though.

Infinite Noise true random number generator

A slightly larger form factor and perhaps more function can be had in other products, like the True RNG Pro  .  The cost is more, just shy of $100.

The bottom line on random number generation is USE IT.  These devices and technologies allow you to greatly improve your system's RND outputs, hence your security.  Also understand that if you see a series of random numbers published or posted anywhere, they are no longer useful as random numbers for the purposes of security.  The RAND book "A Million random Digits with 100,000 Normal Deviates" is sufficient for statistical work and research, but again... it is in the public domain and is not useful for security.  It makes for something interesting to take a peek at, though.

Self-Study guide to practical cryptography for the new learner, some math skills required to complete the exercises at the end of key lessons.

Retired Marine Mustang Officer Partyzantski was a qualified USMC Aviation Electronic Warfare Officer (EWO) assigned to EA-6B Prowlers and graduated with the highest academic average for his year group from the US Navy Cryptography school Corry Station. He still finds cryptography an endlessly fascinating subject.  You can follow him on Twitter @Partyzantski.

Thanks for visiting, reading and hopefully sharing with others.  Purchasing books or completing other shopping needs through our Amazon portal is greatly appreciated and helps us get our message out to educate more people!  You can follow us on Twitter @stopshoutblog or email us.  Questions, comments and concerns always welcome! All comments are moderated, but will post when we have time to review them.

1 comment:

Anonymous said...

I'm not a big math person, but the Amazon reviews were positive and implied you just need average math ability, so I ordered the self-study book. Thanks for these common sense self-education pieces, they are really, really appreciated !!