AES256 & Math.random: Security Risks

G5 Cyber Security

2 weeks ago

TL;DR

Using Math.random as a source of randomness for AES256 encryption is extremely insecure and easily crackable. This guide explains why, and how to avoid the problem.

Why Math.random is Bad for Encryption

AES256 requires strong, unpredictable random numbers (a cryptographic-quality random number generator) for its keys and initialization vectors (IVs). Math.random isn’t one of them. Here’s why:

Predictable: Math.random is based on a deterministic algorithm. Knowing the seed value allows you to predict all future values.
Short Period: The sequence of numbers generated by Math.random eventually repeats. This makes it easier for attackers to guess keys.
Poor Distribution: It doesn’t produce a uniform distribution, meaning some numbers are more likely than others.

How an Attack Works

An attacker can exploit the weaknesses of Math.random in several ways:

Seed Recovery: If the seed used by Math.random is known or can be guessed (e.g., based on timing information), the entire key stream can be reconstructed.
State Reconstruction: Even without knowing the exact seed, an attacker might be able to reconstruct the internal state of the random number generator after observing a sufficient number of outputs.
Brute Force (Reduced Key Space): The limited randomness significantly reduces the effective key space, making brute-force attacks feasible.

Step-by-Step: Demonstrating the Problem

This example shows how easily a key generated with Math.random can be compromised (simplified for illustration). Do not use this code in production!

Generate a Key (Insecurely):

const crypto = require('crypto');
const keyLength = 32; // AES256 requires 32 bytes
let insecureKey = '';
for (let i = 0; i < keyLength; i++) {
  insecureKey += Math.floor(Math.random() * 256).toString(16).padStart(2, '0');
}
console.log('Insecure Key:', insecureKey);

Encrypt Data:

const cipher = crypto.createCipheriv('aes-256-cbc', insecureKey, Buffer.from('initialization_vector'));
let encryptedData = cipher.update(Buffer.from('Sensitive data')).toString('hex');
encryptedData += cipher.final('hex');
console.log('Encrypted Data:', encryptedData);

Attempt to Decrypt (with a guessed seed):

// In reality, this would involve more sophisticated techniques to recover the seed.
const guessedSeed = 12345; // Example guess
let keyFromSeed = '';
for (let i = 0; i < keyLength; i++) {
    keyFromSeed += Math.floor((Math.random() * 256) % 256).toString(16).padStart(2, '0'); //Recreate the key based on seed.
}

const decipher = crypto.createDecipheriv('aes-256-cbc', keyFromSeed, Buffer.from('initialization_vector'));
let decryptedData = decipher.update(Buffer.from(encryptedData, 'hex')).toString('utf8');
decryptedData += decipher.final('utf8');
console.log('Decrypted Data:', decryptedData);

With a correct or close-enough seed guess (or through more advanced techniques), the decryption will succeed, revealing the sensitive data.

How to Generate Secure Random Numbers

Use Cryptographically Secure APIs: Use your operating system’s built-in random number generators.
Node.js: The crypto module provides secure random number generation.

const crypto = require('crypto');
const keyLength = 32;
const key = crypto.randomBytes(keyLength);
console.log('Secure Key:', key.toString('hex'));

Browser: Use the window.crypto.getRandomValues() method.

const array = new Uint8Array(32);
window.crypto.getRandomValues(array);
console.log('Secure Key:', Array.from(array).map((x) => x.toString(16)).join(''));

Initialization Vector (IV): Always generate a unique, random IV for each encryption operation.

Important Considerations

Never reuse keys or IVs: This compromises the security of your entire system.
Proper Key Management: Store and handle keys securely (e.g., using hardware security modules).
Library Choice: Use well-vetted cryptography libraries that provide secure random number generation by default.