
BSI’s Study Analyzing RBG Usage in Browsers

Cryptography is an increasingly vital component of technology for businesses, governments, and end users, as threats to sensitive data continue to grow in sophistication. Given the critical role that web browsers play in our daily digital interactions, Germany’s Federal Office for Information Security (BSI) initiated a study analyzing the use of random bit generators (RBGs)—the foundation of cryptographic applications—in modern web browsers. atsec conducted this study, focusing on the following browsers:

  • Apple Safari: While the browser is closed-source, its RBG and entropy source were deduced based on well-defined assumptions.
  • Google Chromium: The Chromium browser is open-source and serves as the core for the closed-source Google Chrome browser, as well as numerous other browsers.
  • Mozilla Firefox: The Firefox browser is open-source.

Together, these three browsers account for more than 80% of all web traffic, making the study highly representative of the browser market.

Study Methodology

To analyze the RBG implementations across different browsers, atsec followed a structured process:

  1. Identification of the RBG and Entropy Source
    Each browser was analyzed to determine the RBG used and its entropy source.
  2. Architectural Analysis
    The study examined how each RBG interacts with its entropy source, assessing key properties such as standards compliance, and seed and reseed mechanisms.
    Note: While the entropy source was documented through references to the operating system service functions, it was not analyzed in-depth like the RBG itself.
  3. Deterministic RBG Component Evaluation
    The deterministic RBG component was analyzed for compliance with the AIS 20/31 version 3.0 DRG.3 specification. Specifically, the study assessed:
    – The 9-tuple defining the RBG operation for generating random bits.
    – The 4-tuple defining the RBG initial seed operation.
    – The 4-tuple defining the RBG reseed operation.
  4. Functional Usage Analysis
    The study also examined how browsers employ their RBGs in key cryptographic functions, including:
    – TLS Provider
    – QUIC Provider
    – Web Crypto API
    – WebRTC Stack with DTLS-SRTP

This approach provided a comprehensive view of how each browser’s RBG functions and how effective it is in real-world applications. It is worth noting that long-term secret generation, which is typically performed outside of browsers and their supporting tools, was excluded from the study’s scope.

Key Findings and Impact

The study found that:

  • The designs of the RBGs were sound.
  • Their connections with entropy sources were secure.
  • Their use in cryptographic mechanisms was effective.

In simpler terms, the most widely used browsers implement strong cryptographic mechanisms that contribute to the security of everyday digital interactions. However, as with any security-related research, improvements are always possible: the study identified multiple findings aimed at enhancing RBG usage in the assessed browsers, all of which were shared with the respective developers for further refinement.

Acknowledgments

We extend our sincere gratitude to BSI for commissioning this study, which provides valuable insights into the security of a fundamental service. Additionally, we would like to acknowledge Stephan Müller for his outstanding work in conducting the research.

If you’re interested in collaborating with atsec on future research initiatives, we’d love to hear from you! Feel free to reach out via email—we’re always eager to engage with the cryptographic community.
