Questions for you:
- When transmitting sensitive information digitally, do you understand that security rests on the key being unpredictable rather than on the secrecy or cleverness of the algorithm, and that weak randomness in key generation undermines encryption no matter how strong the cipher is?
- Looking at security systems, do you recognise that the same mathematical principles protect both personal banking and state secrets – the differences lie in key length, algorithm quality and operational discipline, not in the underlying principles?
- When implementing encryption, do you verify that keys come from a cryptographically secure source (the operating system's CSPRNG, or a hardware generator feeding it) rather than a general-purpose library PRNG, or do you assume all “random” key generation is equivalent?
- In evaluating security claims, do you understand that encryption strength comes from the vast number of possible keys (2^256 for a 256-bit key), which makes brute force infeasible only if the key was chosen uniformly from that space – a key derived from a timestamp or a short passphrase leaves an attacker far fewer candidates to try?
Questions for your organisation:
Audit encryption key-generation practices: Many real-world encryption failures trace to poor random number generation or key handling rather than to flaws in the cipher itself. Conduct regular audits to verify that key generation uses the operating system's cryptographic random number generator (seeded from hardware entropy where available) rather than a general-purpose library PRNG, that devices generate keys only after adequate entropy has been gathered (first boot on embedded hardware is the classic failure), that seed values are protected, and that generated keys pass statistical randomness tests. Treat those tests as a sanity check, not as proof: output seeded from a guessable value looks perfectly random and is still recoverable. Don’t assume commercial products handle this properly – verify. Build procurement requirements mandating evidence of proper random number generation. One predictable key compromises everything it protects.
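As an added illustration of why this audit matters (example code written for this page, not code from the original post): a 256-bit key produced by Python's general-purpose `random` module seeded from a timestamp is recovered in well under a second by an attacker who knows roughly when it was made and can see only a published key fingerprint, while that same key passes a simple bit-balance test. The fingerprint scheme, the time window and the seeding bug are assumptions constructed for the demonstration; `secrets.token_bytes` is the standard-library route to the OS CSPRNG.

```python
import hashlib
import random
import secrets
import time
from typing import Optional

KEY_LEN = 32  # 256-bit symmetric key


def weak_keygen(seed: int) -> bytes:
    """Insecure (constructed bug): a general-purpose PRNG (Mersenne Twister)
    seeded from a timestamp. Every bit of the key is a function of that one
    seed, so the effective key space is the number of plausible seeds, not 2**256."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")


def strong_keygen() -> bytes:
    """Correct: the OS CSPRNG (secrets wraps os.urandom / getrandom)."""
    return secrets.token_bytes(KEY_LEN)


def key_fingerprint(key: bytes) -> str:
    """Assumed key identifier of the sort published next to ciphertext; the
    attacker below needs only this, never the key itself."""
    return hashlib.sha256(key).hexdigest()[:16]


def recover_weak_key(fingerprint: str, approx_time: int, window: int) -> Optional[bytes]:
    """Attacker: knowing roughly when the key was made, try every candidate
    seed in the window and match the fingerprint. A few thousand candidates
    replace a 2**256 search."""
    for seed in range(approx_time - window, approx_time + window + 1):
        candidate = weak_keygen(seed)
        if key_fingerprint(candidate) == fingerprint:
            return candidate
    return None


def monobit_ok(key: bytes, tolerance: float = 0.15) -> bool:
    """Crude statistical check: the fraction of 1 bits is near one half.
    A time-seeded PRNG passes this as easily as a real CSPRNG, which is why
    statistical tests cannot certify unpredictability."""
    ones = sum(bin(b).count("1") for b in key)
    return abs(ones / (8 * len(key)) - 0.5) <= tolerance


def demo(now: Optional[int] = None, window: int = 3600) -> dict:
    """Generate a key both ways; attack the weak one given only its
    fingerprint and a time estimate that is off by 30 seconds."""
    now = int(time.time()) if now is None else now
    weak = weak_keygen(now)
    recovered = recover_weak_key(key_fingerprint(weak), now + 30, window)
    strong = strong_keygen()
    return {
        "weak_key_recovered": recovered == weak,
        "weak_passes_monobit": monobit_ok(weak),
        "strong_passes_monobit": monobit_ok(strong),
        "strong_key_bytes": len(strong),
    }


if __name__ == "__main__":
    print(demo())
```

The audit question to ask of any product is therefore not "does the output look random?" but "what is the seed, where does it come from, and how many values could it have taken?"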
Implement key rotation and session-based encryption: Never reuse encryption keys across sessions or time periods. Negotiate a fresh random key for each session using an ephemeral key exchange (as TLS 1.3 does with ECDHE) and destroy the ephemeral values when the session ends – that is what gives forward secrecy, where a later compromise of long-term keys does not expose past communications. Establish rotation policies proportionate to exposure, for example daily for customer-facing systems, weekly for internal systems and monthly for the keys protecting long-term storage; use envelope encryption (per-object data keys wrapped by a rotated key-encryption key) so that rotating a storage key does not mean re-encrypting every object. Apply to customer data transmission, inter-service communication, encrypted backups, and API communications. Automated rotation prevents human error and limits exposure windows.
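To make the forward-secrecy point concrete, here is an added example (not code from the original post, and not a production implementation) contrasting two ways of deriving a per-session key: one from a long-lived shared secret plus a public nonce, the other from an ephemeral X25519 exchange with both private scalars discarded afterwards. The X25519 ladder and HKDF are implemented inline from RFC 7748 and RFC 5869 so the block runs with only the Python standard library; the message labels, the info string and the attacker model (full transcript plus every long-term secret) are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# X25519 (RFC 7748) in pure Python, for illustration only; use a vetted
# library in production.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder: scalar * point on Curve25519, u-coordinate only."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def ephemeral_session(transcript: list) -> bytes:
    """Forward-secret session: each side draws a fresh private scalar, only the
    public points cross the wire, and the scalars are discarded afterwards."""
    a_priv, b_priv = secrets.token_bytes(32), secrets.token_bytes(32)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    transcript += [("A->B", a_pub), ("B->A", b_pub)]  # what a network tap records
    shared_a, shared_b = x25519(a_priv, b_pub), x25519(b_priv, a_pub)
    assert shared_a == shared_b
    key = hkdf_sha256(shared_a, salt=a_pub + b_pub, info=b"session v1")
    del a_priv, b_priv  # nothing that can recompute `key` survives the handshake
    return key


def static_session(long_term_secret: bytes, transcript: list) -> bytes:
    """No forward secrecy: key = KDF(long-lived secret, public nonce)."""
    nonce = secrets.token_bytes(16)
    transcript.append(("A->B", nonce))
    return hkdf_sha256(long_term_secret, salt=nonce, info=b"session v1")


def attacker_recovers_static(long_term_secret: bytes, transcript: list) -> bytes:
    """Stolen long-term secret + recorded nonce = every past session key."""
    return hkdf_sha256(long_term_secret, salt=transcript[0][1], info=b"session v1")


def demo() -> dict:
    long_term = secrets.token_bytes(32)
    rec_static, rec_eph = [], []
    k_static = static_session(long_term, rec_static)
    k_eph1, k_eph2 = ephemeral_session(rec_eph), ephemeral_session(rec_eph)
    return {
        "static_past_key_recovered": attacker_recovers_static(long_term, rec_static) == k_static,
        "ephemeral_transcript_public_only": all(len(m) == 32 for _, m in rec_eph),
        "ephemeral_keys_differ_per_session": k_eph1 != k_eph2,
    }


if __name__ == "__main__":
    print(demo())
```

In the static scheme the recorded nonce and a later theft of the long-term secret are enough to rebuild every past session key; in the ephemeral scheme the tap holds only public points, and the private scalars that would complete the Diffie-Hellman computation were thrown away with the session. That is the property the rotation policy above is trying to approximate for stored data, and it is why "generate a new key per session" must mean fresh randomness on both sides, not a new key derived from an old one.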
Ban human-generated passwords for system authentication: People creating “random” passwords unconsciously introduce patterns – avoiding repetition, preferring memorable words, following predictable substitutions – and password-cracking tools model exactly those patterns. This dramatically reduces security regardless of length requirements. Replace with: computer-generated random passwords held in a password manager, certificate-based authentication using cryptographic keys, or hardware-token multi-factor authentication. Where a human must remember a credential, use a passphrase of words drawn at random from a list (Diceware) rather than one the person composes; with the standard 7,776-word list each word adds about 12.9 bits of entropy, so six words give roughly 77 bits. Audit existing human-generated credentials and migrate them to cryptographically generated alternatives.
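An added example (written for this page, not the author's code) of generating credentials the way this item recommends: a Diceware-style passphrase and a password-manager password, both drawn from the OS CSPRNG, with the entropy each choice buys. The twenty-word list is a constructed stand-in for a real 7,776-word Diceware list, and the dice-to-index mapping follows the paper-and-dice Diceware procedure.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware list. A real list has 6**5 = 7776 words,
# one per roll of five dice, so each word contributes log2(7776) = 12.9 bits.
SAMPLE_WORDS = (
    "acorn bishop cobalt drifter ember fjord gravel hollow ivory jumble "
    "kettle lantern marble nickel orbit pepper quartz ripple saddle timber"
).split()
DICEWARE_LIST_SIZE = 6 ** 5
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a credential built from `symbols` independent uniform draws."""
    return symbols * math.log2(choices_per_symbol)


def dice_roll_index(rolls) -> int:
    """Map one roll of five dice (each 1..6) to a 0..7775 list index, which is
    how the paper Diceware procedure selects a word."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("a die shows 1..6")
        idx = idx * 6 + (r - 1)
    return idx


def diceware_passphrase(words, n_words: int = 6, sep: str = " ") -> str:
    """Software equivalent of rolling dice: secrets.choice draws from the OS
    CSPRNG. random.choice (Mersenne Twister) is predictable and must not be used."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Machine-generated password for a password manager, not for memorising."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def credential_report(n_words: int = 6, pw_len: int = 20) -> dict:
    """Entropy budget for the three options, rounded to one decimal place."""
    return {
        "passphrase_bits_full_list": round(entropy_bits(DICEWARE_LIST_SIZE, n_words), 1),
        "passphrase_bits_sample_list": round(entropy_bits(len(SAMPLE_WORDS), n_words), 1),
        "password_bits": round(entropy_bits(len(PASSWORD_ALPHABET), pw_len), 1),
    }


if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS))
    print(random_password())
    print(credential_report())
```

The report makes the trade-off visible: six words from the full list give about 77.5 bits, a 20-character password from a 94-symbol alphabet about 131 bits, and six words from the tiny sample list only about 26 bits, which is why the size of the word list matters as much as the number of words.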
Build a proper key management strategy: Encryption fails when randomness or key management fails. Common mistakes: storing keys alongside the data they encrypt, using one key organisation-wide, hardcoding keys in source code or in configuration that is checked into version control, and handing keys to third parties without technical and contractual controls over how they are used. Address: where keys are stored (separate from the data, in hardware security modules or a managed key service for critical systems), who can access them (least privilege, with access logged), how keys are backed up (encrypted under different keys held separately), and rotation schedules. Remember, encryption is mathematical randomness protecting information – it requires proper random generation and disciplined key management to work.
Further reading
Encryption, cryptography, and key generation
The Code Book by Simon Singh – an accessible history of cryptography, explaining how random key generation became the foundation of modern encryption and tracing the evolution from simple ciphers to the mathematical randomness that protects digital communications.
Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno – a practical cryptography guide emphasising the critical importance of random key generation and demonstrating how encryption strength depends on the quality of key randomness.
Applied Cryptography by Bruce Schneier – a comprehensive cryptography reference including extensive discussion of key generation, random number sources, and why cryptographic security depends fundamentally on unpredictability.
TLS, session keys, and perfect forward secrecy
Bulletproof SSL and TLS by Ivan Ristić – a technical guide to TLS explaining how modern internet security negotiates new random session keys for each connection, providing perfect forward secrecy that protects past communications even if long-term keys are later compromised.
Serious Cryptography by Jean-Philippe Aumasson – a modern introduction to cryptography explaining how random key generation enables secure communication across untrusted networks and demonstrating the practical implementation of encryption protocols.
Security Engineering by Ross Anderson – a comprehensive security engineering textbook including detailed coverage of cryptographic protocols, key management, and the importance of random number generation in maintaining security (available free online).
Random number generation and entropy sources
Fatal System Error by Joseph Menn – a cybercrime investigation including examples of security breaches that exploited weak random number generation, demonstrating the real-world consequences of inadequate key randomness.
Secrets and Lies by Bruce Schneier – a security expert's examination of digital security showing why proper random number generation is a critical foundation, discussing entropy sources and the consequences of weak randomness.
Click Here to Kill Everybody by Bruce Schneier – discusses modern security challenges, including why encryption depends on quality random number generation and how inadequate entropy sources in IoT devices create vulnerabilities.
About the image
A photo of some old keys. And before you start worrying that I’ve breached my own household security, the locks, and indeed the doors, were sent for recycling back in 2017.
Photo montage and photo by Matt Ballantine, 2026
