{"guid":"0d02bd82-f771-471c-b4bb-5e24b755b169","title":"How do we know our PRNGs work properly?","subtitle":null,"slug":"33c3-8099-how_do_we_know_our_prngs_work_properly","link":"https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8099.html","description":"Pseudo-random number generators (PRNGs) are critical pieces of security\ninfrastructure. Yet, PRNGs are surprisingly difficult to design,\nimplement, and debug. The PRNG vulnerability that we recently found in\nGnuPG/Libgcrypt (CVE-2016-6313) survived 18 years of service and several\nexpert audits. In this presentation, we not only describe the details of\nthe flaw but, based on our research, explain why the current state of\nPRNG implementation and quality assurance downright provokes incidents.\nWe also present a PRNG analysis method that we developed and give\nspecific recommendations to implementors of software producing or\nconsuming pseudo-random numbers to ensure correctness.\n","original_language":"eng","persons":["Vladimir Klebanov","Felix Dörre"],"tags":["Security"],"view_count":2767,"promoted":false,"date":"2016-12-29T11:30:00.000+01:00","release_date":"2016-12-29T01:00:00.000+01:00","updated_at":"2026-03-16T14:15:10.052+01:00","length":3515,"duration":3515,"thumb_url":"https://static.media.ccc.de/media/congress/2016/8099-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2016/8099-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2016/0d02bd82-f771-471c-b4bb-5e24b755b169-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2016/0d02bd82-f771-471c-b4bb-5e24b755b169-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/33c3-8099-how_do_we_know_our_prngs_work_properly","url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_title":"33C3: works for me","conference_url":"https://api.media.ccc.de/public/conferences/33c3","related":[{"event_id":3601,"event_guid":"5a517be2-220b-4eb6-88c3-e7ef08c98ace","weight":32},{"event_id":3640,"event_guid":"700a07e7-a9c4-437b-a4c5-4491b23a9b4a","weight":31},{"event_id":3687,"event_guid":"5ae90a09-0b83-4357-bdb4-9afc04100c68","weight":66},{"event_id":3689,"event_guid":"1f7eb981-2819-4824-8f40-4ddde0be7bf3","weight":34},{"event_id":3692,"event_guid":"f21478d4-e8db-4f19-854c-2f74b5824706","weight":29},{"event_id":3694,"event_guid":"ef62eb53-cb69-42c6-aab0-bc9d3b0e1e92","weight":37},{"event_id":3695,"event_guid":"c300b194-2a85-4705-92aa-b4e789882303","weight":32},{"event_id":3697,"event_guid":"a431b8a5-b8af-4ccf-bba2-7b1d88a782fb","weight":39},{"event_id":3698,"event_guid":"994082de-ef8e-4f8e-8c46-ec0eb110b845","weight":50},{"event_id":3701,"event_guid":"155a622a-196e-4e05-a262-88f3a7726bbe","weight":35},{"event_id":3708,"event_guid":"aaec73e9-66b9-46d2-aa0f-9f43018198ea","weight":36},{"event_id":3715,"event_guid":"4c92b3f4-e32a-483b-9e5f-4e8201849284","weight":36},{"event_id":3731,"event_guid":"bc638f9f-0370-42f9-b83c-f85cca4ca38d","weight":32},{"event_id":3733,"event_guid":"855ab830-c6c0-4be7-b84c-31ba78e90e3c","weight":32},{"event_id":3734,"event_guid":"34ea8f1f-9fad-41aa-8424-e833f10e5e8b","weight":38},{"event_id":3762,"event_guid":"25e2df7d-5740-4c2f-bc34-986326d606fe","weight":37}],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly.en_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2022-01-15T17:32:24.193+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/DRAFT_33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/50606","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":421,"length":3515,"mime_type":"video/mp4","language":"eng","filename":"33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T14:18:04.605+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.mp4","url":"https://api.media.ccc.de/public/recordings/14274","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":460,"length":3515,"mime_type":"video/mp4","language":"deu","filename":"33c3-8099-deu-How_do_we_know_our_PRNGs_work_properly.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T14:18:24.883+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8099-deu-How_do_we_know_our_PRNGs_work_properly.mp4","url":"https://api.media.ccc.de/public/recordings/14275","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":542,"length":3515,"mime_type":"video/mp4","language":"eng-deu","filename":"33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T14:18:45.088+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_hd.mp4","url":"https://api.media.ccc.de/public/recordings/14276","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":45,"length":3502,"mime_type":"audio/opus","language":"eng","filename":"33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2016-12-29T15:00:49.734+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/opus/33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.opus","url":"https://api.media.ccc.de/public/recordings/14282","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":53,"length":3502,"mime_type":"audio/mpeg","language":"eng","filename":"33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2016-12-29T15:01:34.874+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/mp3/33c3-8099-eng-How_do_we_know_our_PRNGs_work_properly.mp3","url":"https://api.media.ccc.de/public/recordings/14283","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":169,"length":3515,"mime_type":"video/mp4","language":"eng-deu","filename":"33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2016-12-29T15:03:06.988+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-sd/33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_sd.mp4","url":"https://api.media.ccc.de/public/recordings/14284","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":169,"length":3515,"mime_type":"video/webm","language":"eng-deu","filename":"33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2016-12-29T15:14:09.481+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/webm-sd/33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/14285","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":420,"length":3515,"mime_type":"video/webm","language":"eng-deu","filename":"33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T18:49:01.058+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/webm-hd/33c3-8099-eng-deu-How_do_we_know_our_PRNGs_work_properly_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/14296","event_url":"https://api.media.ccc.de/public/events/0d02bd82-f771-471c-b4bb-5e24b755b169","conference_url":"https://api.media.ccc.de/public/conferences/33c3"}]}