The accurate generation of random numbers (or more particularly pseudo random numbers) is central to much in computer security. Problems with random number generation are often found to be the cause of vulnerabilities, usually because someone has taken a short cut or used a source that they consider to be random when it's not. I was a little surprised to then see a paper that documents some problems with the random number generator (RNG) in OpenSSL.
OpenSSL is one of the most widely used libraries in computer security. It has had some problems in the past (such as Heartbleed) which were not only major concerns because of the nature of the problem but also because OpenSSL is used in many systems, particularly embedded systems that are hard to update. It's free software and open source so people have used it because they felt it was great if you were building a system to a low price whilst offering apparent security through the visibility of the code. Heartbleed taught everyone that open source does not equal scrutinised code.
The paper I read this week was entitled "An Analysis of OpenSSL’s Random Number Generator". The analysis revealed some issues.
