Security Blog

Should e-commerce be grateful for xorshift128+?

Over the last few days there has been some talk on the web about a new algorithm created by the Italian mathematician Sebastiano Vigna, professor at Università Statale di Milano, an algorithm that will soon be running on computers, tablets and smartphones in all corners of the world. It has been claimed that it fixes a potential security issue that, among other things, could jeopardize e-commerce. This triggered my interest and curiosity, if only because the algorithm has been (quite inappropriately) hailed as a sort of "savior" of secure e-commerce, in that it supposedly addresses a recently discovered bug in JavaScript's PRNG, the pseudo-random number generator.

Just as a quick explanatory note: random numbers are generated through algorithms of this type whenever large quantities of random digits are needed. Consider, for example, the randomness required by online gaming, such as lotteries, betting, casinos and poker. Professor Vigna explains that generating numbers in a truly random way has always been hard and expensive. Therefore, specific algorithms have been devised to simulate the randomness that only physical processes can guarantee; think of rolling dice. Since reproducing that is costly (dedicated hardware devices that, through various physical methods, feed the generator with the necessary entropy), many algorithms have been developed in an attempt to reach at least a decent level of randomness. Of course, the existence of an algorithm, no matter how complex or sophisticated, always means that the next digit can in principle be predicted: the output is a deterministic function of the generator's internal state, and whoever learns that state knows every number that follows. This is why such generators are called "pseudo-random" rather than "truly random" in the rigorous sense.

Without going too deep into the bits: the weakness is in the generator behind the JavaScript function Math.random(). The story is that someone (strangely?) observed that after a while the function had started repeating more or less the same sequence of numbers, i.e. its period was far shorter than one would expect. This was deemed enough to start ringing the alarm bells about compromised security. xorshift128+, which Vigna published in 2014, has now replaced the old generator in the JavaScript engines of some major browsers, such as Chrome, Safari and Firefox.

Now, with e-commerce being called into question so explicitly, it was only natural that a few question marks would be raised. Someone has even brought up PCI DSS compliance, as if such an issue could be relevant there. Well, let's be very straight on this: this is NOT a new SSL/TLS case or anything of the kind. But before getting to the bottom line, let me quickly go through the various approaches to random number generation.

Nowadays random generators are generally split into several categories, which include but are not limited to the plain PRNG mentioned above. The PRNG is the least sophisticated option and, precisely because of that, it is normally not relied upon when dealing with sensitive or critical data. It is, in short, a cheap way to get quick-and-dirty randomness for non-crucial purposes such as simulations, games and visual effects. For more critical purposes we have more reliable options, such as the CSPRNG (cryptographically secure pseudo-random number generator), a class of PRNG whose output cannot be distinguished from true randomness, and whose earlier and later outputs cannot be derived from the ones an attacker has seen; this is what makes it suitable for cryptography. Such generators are slower, but you can safely generate a public/private key pair, a session identifier or a CSRF token with them. In a browser that means crypto.getRandomValues(), in Node.js crypto.randomBytes(), and in neither case Math.random(). Then, for the most critical purposes, there is the TRNG (true random number generator), which as said above relies on a physical device in order to guarantee the maximum level of randomness, and which in practice is usually used to seed a CSPRNG rather than to produce every number directly. Note that xorshift128+ itself belongs to the first category: it was designed for speed and statistical quality, not unpredictability, and its 128-bit state fully determines every future output. It makes Math.random() a better PRNG, not a secure one.

So why anyone would think that secure e-commerce is at stake just because of a weak PRNG implementation in a JavaScript function is a bit unclear to me. More generally, I wonder why anyone would use Math.random() to protect cardholder data or to implement any other critical function that might impact one or more PCI DSS requirements, xorshift128+ or not. Please bring me the head of those who do that... :)

My most sincere congratulations go to professor Vigna and his team; they can rightly be proud of a very good achievement. But saying that the security of online purchases was at risk and that xorshift128+ has rescued e-commerce is a clear exaggeration. Typical cheap sensationalism from the media.

  • 24 Solutions AB
  • Smedjegatan 2C
  • SE-13154 Nacka, Sweden
  • +46 (0)8 535 24 100