MODEL OF AN INCIDENT RESPONSE PLAN FOR INCIDENTS RELATED TO THE USE OF WEAK PSEUDORANDOM NUMBER GENERATORS
DOI:
https://doi.org/10.28925/2663-4023.2026.32.1195Keywords:
pseudorandom number generator, Mersenne Twister, ChaCha20, Yarrow, pseudorandomness, seed, statistical requirements, data security, CI/CD, information security incidents.Abstract
The article analyzes pseudorandom number generators (PRNGs) in cryptography, considers their theoretical foundations, classification, and basic security requirements. In particular, it considers how deterministic algorithms based on the initial seed generate long sequences of bits that are practically indistinguishable from truly random ones, therefore, different types of generators were analyzed: from simple linear congruent generators (LCGs) and Mersenne Twister, which are well suited for modeling and numerical calculations, to cryptographically stable algorithms ChaCha20 and Yarrow, which provide unpredictability and resistance to predicting the initial sequence. A universal response plan for incidents involving vulnerabilities in pseudorandom number generators and an algorithm for automating responses to such incidents are proposed. The results of the study can be used by developers of cryptographic algorithms and information security specialists to improve the assessment of pseudorandom number generator choices for practical and educational purposes.
Downloads
References
Menezes, A. J., van Oorschot, P. C., & Vanstone, S. A. (1996). Handbook of applied cryptography. https://theswissbay.ch/pdf/Gentoomen%20Library/Cryptography/Handbook%20of%20Applied%20Cryptography%20-%20Alfred%20J.%20Menezes.pdf
Almaraz Luengo, E., & Román Villaizán, J. (2023). Cryptographically secured pseudo-random number generators: Analysis and testing with NIST statistical test suite. Mathematics, 11(23), 4812. https://www.mdpi.com/2227-7390/11/23/4812
Stoen, H. (2024). The Mersenne Twister and cryptographically secure PRNGs. https://simonrs.com/eulercircle/crypto2024/henry-mersenne.pdf
Internet Engineering Task Force. (2018). RFC 8439: ChaCha20 and Poly1305 for IETF protocols. https://datatracker.ietf.org/doc/rfc8439/
Ferguson, N., & Schneier, B. (2000). Notes on the design and analysis of the Yarrow cryptographic PRNG. https://scispace.com/pdf/yarrow-160-notes-on-the-design-and-analysis-of-the-yarrow-47wqbflx00.pdf
National Institute of Standards and Technology. (2010). A statistical test suite for random and pseudorandom number generators for cryptographic applications (NIST Special Publication 800-22 Rev. 1a). https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-22r1a.pdf
National Institute of Standards and Technology. (2012). Computer security incident handling guide (NIST Special Publication 800-61 Rev. 2). https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Susukailo, V. (2021). Use of DevSecOps approach for analysis of modern information security threats. Cybersecurity: Education, Science, Technique, 2(14), 26–35.
Dorrendorf, L., Gutterman, Z., & Pinkas, B. (2007). Cryptanalysis of the random number generator of the Windows operating system. https://www.cs.huji.ac.il/~dolev/pubs/thesis/msc-thesis-leo.pdf
Bikos, A., Nastou, P. E., Petroudis, G., & Stamatiou, Y. (2023). Random number generators: Principles and applications. Cryptography, 7(4), 54. https://www.mdpi.com/2410-387X/7/4/54
National Vulnerability Database. (2019). CVE-2019-1543 detail. https://nvd.nist.gov/vuln/detail/cve-2019-1543
Viega, J. (2003). Practical random number generation in software. https://www.acsac.org/2003/papers/79.pdf
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Данило Бугай, Ігор Власюк, Віталій Сусукайло, Євгеній Kurii
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
