Randomness (or things humans do poorly)

1Password, like pretty much all cryptographic software, needs cryptographically secure random numbers to do its stuff securely. What it means for a number to be cryptographically secure, why 1Password needs such numbers, and where it gets those from will be the subject of a future article.

It’s been eight years, and I’m here to make good on that pledge with said article. Good things come to those who wait and all that, right? I won’t make any promises that what you’re about to read will be a “good thing” but let’s shoot for the stars.

That’s (not) so random

As I’ve alluded to with the title of this post, humans are notoriously terrible at creating randomness.

For example, if I ask you to choose a number between 1 and 10, statistics show about 30% of you will choose 7. There’s an excellent chance everyone will choose an integer, and not something like 3.8643, even though I didn’t specify you had to select a whole number.

So, then, what makes a number random? Strap yourselves in, things are about to get wild.

There are two kinds of random numbers: True and pseudorandom.

True random numbers are measurements of a random physical phenomenon, with compensation for possible biases in the measurement process.

Pseudorandom numbers start with a seed. The seed determines a short algorithmic value which, in turn, produces long sequences of seemingly random results. In actuality, the entire sequence can be reproduced if the seed value is known (hence the “pseudo” in pseudorandom).

What do you think would happen if you combined these two methods? You got it: A cryptographically secure random number that is very difficult for anyone (or anything) to predict.

Where’d you come from, you random thang?

All computers are equipped with chips that take “randomness” from the device itself. They might measure things like how many seconds after 7 p.m. you clicked your mouse, or how many times in one hour you pressed the H key. Your device stores those measurements (in numbers) for use by different applications.

1Password calls on the crypto/rand library for its encryption code. Since code can’t pull random numbers from thin air, crypto/rand calls on the system for some of that randomly generated goodness, and the security recipe begins to take shape.

You had me at “random”

As Jeffrey wrote those many moons ago, 1Password needs cryptographically secure random numbers to do its job.* That job, specifically, is the encryption of secrets via Advanced Encryption Standard (AES). And encryption relies on things being unpredictable to be unguessable.

1Password uses AES 256-bit keys generated by your app, on your device, by a cryptographically appropriate random number generator. That key becomes your vault key and is used to encrypt and decrypt the items in your vault.

I would love to get deeper into the weeds here, but this is a half-hour show. If you crave more information about the magic 1Password works with those random numbers, please check out the 1Password security design white paper.

Tales of the crypt(ography)

Merriam-Webster defines random as “lacking a definite plan, purpose, or pattern”. Some examples of randomness are bad, like random acts of violence. Some examples are good, like a winning lottery ticket. Some are integral to safety and security – there should be absolutely no identifiable pattern to the numbers that are used to secure your secrets.

I once read an article about things robots can’t do better than humans. Sadly, it was a pretty short list, but that’s another post for another blog. Not surprisingly, nearly every point involved emotion. While robots can’t express empathy, consider someone’s feelings, or gently deliver bad news, they are the masters of using natural phenomena to generate fairly unpredictable outcomes.

That said, humans are the entities that design and program these robots. Maybe there will come a day, many (many) years from now, when we can combine natural phenomena with “code” in our heads to generate randomness.

I guess we’ll have to leave that to chance.

*I intentionally omitted “securely” here because I feel it’s redundant. If 1Password is doing its job, it’s done securely.

Megan Barker

Security Scribbler