Testing, Testing, Testing, 1-2-3!
Remember when Microsoft opened up a large security hole on the Internet? What you’ve forgotten about that, already? Well, it happened with one of the first releases of Windows 10, and where around 1-in-every-30K users generated weak RSA encryption keys.
One thing I have learnt about software development is that testing and debugging often takes up the majority of my time. Why? Well, the actual coding part increasingly involves using fairly standard code and integrating libraries, but the complexity of the code often involves testing for a range of conditions. Unfortunately, a single bug in a program could thus bring down a company and even release sensitive data into the wild.
One area that I have found to be extremely weak is in the generation of random values, such as for encryption keys. While the randomization may be strong, most methods have other parameters that must be checked before the encryption keys are validated as usable. Now an interesting new paper from Daniel Shumow outlines how easy it might be to generate incorrect insecure parameters within a program, and illustrates this with RSA key generation [here]:
