May 12th 2016
Secure random number generation is an essential prerequisite for the use of cryptography in IT systems. In the recent past, a number of security vulnerabilities have surfaced in this context. This especially applies to mobile and embedded platforms, which usually provide insufficient entropy sources for the secure initialisation of the random number generator. In a scientific analysis, cryptosource has identified a number of conceptual security vulnerabilities in the random number generator of the widely used OpenSSL cryptographic library. Under certain circumstances, which are typically encountered on embedded platforms, they may lead to a considerable reduction of the security level of generated cryptographic keys. The work was presented at the renowned Eurocrypt conference in Vienna. Further details are available here.