Wherein another serious problem which besets software-based security systems, the lack of secure random numbers, is addressed. Random Number Generation 157
The best means of obtaining unpredictable random numbers is by measuring physical phenomena such as radioactive decay, thermal noise in semiconductors, sound samples taken in a noisy environment, and even digitised images of a lava lamp. However few computers (or users) have access to the kind of specialised hardware required for these sources, and must rely on other means of obtaining random data.
The term “practically strong randomness” is used here to represent randomness which isn’t cryptographically strong by the usual definitions but which is as close to it as is practically possible.
Existing approaches which don’t rely on special hardware have ranged from precise timing measurements of the effects of air turbulence on the movement of hard drive heads , timing of keystrokes as the user enters a password , timing of memory accesses under artificially-induced thrashing conditions , timing of disk I/O response times, and measurement of timing skew between two system timers
(generally a hardware and a software timer, with the skew being affected by the 3-degree background radiation of interrupts and other system activity). In addition a number of documents exist which provide general advice on using and choosing random number sources .
Due to size constraints, a discussion of the nature of randomness, especially cryptographically strong randomness, is beyond the scope of this work. A good general overview of what constitutes randomness, what sort of sources are useful (and not useful), and how to process the data from them, is given in RFC
1750 . Further discussion on the nature of randomness, pseudorandom number generators (PRNG’s),