games like Solitaire more interesting, the use of randomness in
generating passwords and encrypting data is critical to
Until fairly recently, cpu's had no direct way to generate
random numbers. Intel's Pentium III introduced a hardware random
number generator that uses thermal noise "to generate high-quality
random and nondeterministic numbers" , but prior to that systems
that needed good random numbers had to rely on add-on boards or
other external input.
The problem, of course, is that the whole point of computer
programming is predicability: given the same input, a program will
always follow the same path to completion. That makes it impossible
to generate random numbers with an algorithm.
For all we know, it may be impossible, period. While thermal
noise from a semiconductor certainly seems random to us, if we
really understood the physics, it might not be at all. If string
theory is real, then the arrangement and orientation of these
"strings" might affect their vibration, which in turn affects the
behavior of electrons, etc. It's quite possible that the universe
is deterministic - we really aren't in any position to even guess
The real question is, does it matter? And the answer is both
"yes, it does" and "no, it doesn't", depending on why you asked. On
the one hand, we have apparently non-deterministic events like how
many visitors this web site will have today. That's an apparently
very random number, determined by perhaps hundreds of conflicting
factors such as news events, advent of security challenges, the
weather, Google rankings: well beyond any ability to calculate.
Yet, it's pretty easy for me to guess within a few hundred what
that number will be because in large enough populations, the random
behavior of individuals is unimportant: statistics and other
indicators can tell us what the general group behaviour will be.
From this point of view, it doesn't matter if individuals are
non-deterministic because group behavior is not. The same thing is true of
systems like our own Earth's weather; it's complexity makes
precise prediction impossible (at least now) but there are certainly
predictable patterns: here in Massachusetts, it WILL be warmer in
August than in December most days.
On the other side, things that really aren't random at all can
be quite random enough for a particular need. For example, if you
had to "randomly" select from a group of 60 items using a computer
program, a very simple way to do it would be to use seconds from
the current time: if your user runs the program at 23 seconds past
the minute, the program selects item 23. This isn't random at all;
it's very deterministic. If there was any reason for your users to
care about which of the sixy items were selected, they could find
ways to "cheat" your program fairly easily. But if it isn't
important, the selection may in fact be quite random enough for
your needs. The underlying method isn't random, but it appears to
be for the expected use, so the algorithm works. Apparent
randomness from a very non-random source.
That is the problem with computer generated "random" numbers:
they may not be very random at all. Almost all computer languages
have some method of selecting a random number, but in fact it's not
really random. This Perl script will generate the same results
every time it is run:
If you saw that run once, you'd think it was giving you random
numbers. Run it again and you get the same ten numbers. The numbers
will not change no matter how many times you run it, so obviously
they aren't random at all. That's because it is really only
pseudorandom. The argument given to srand seeds the random number
generator, and it will always generate the same numbers in the same
order for the same starting seed. However if we seed "srand" with
something more random (or more apparently random), we get better
This has every appearance of generating random numbers. Yet, a
cryptographer would warn you not to rely on that for encrypting
bank accounts, because just like our simplistic selection from the
sixty items, the seed actually isn't random and given sufficient
incentive, that flaw could be very costly.
So how do you get more random? Linux and other operating systems
may provide a "/dev/random" and "/dev/urandom". Don't assume you
know how these work: Mac OS X and Linux both have these, but the
man pages are quite different. If your use is casual (you aren't
protecting Fort Knox), the differences are probably unimportant,
but "man 4 random" is interesting reading anyway.
Perl has a "TrulyRandom" module that uses interrupt timing
discrepancies to get random numbers; but do we know that the
discrepancies are truly non-deterministic? Like the thermal
activity of a semiconductor, it might actually be predictable. With
sufficient knowledge and computing power, any of these things might
be as trivial as our "random second" implementation.
Many systems have the PRNG library - many
versions of SSH use that. If you've ever generated a GPG key, you probably remember this:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
These unpredicable actions on your part were used to seed the
random number generation.
Much attention is paid to the importance of avoiding
predicability in random numbers, and yet as we have seen from the
most recent ssh exploits, the random numbers used in encryption are
only a very small part of the total picture. It was other
weaknesses in the ssh code that were exploited, and the encrypted
keys were not important at all. The thickest deadbolts on your
front door are useless if the back door is wide open.