
Use entropy as a service to bolster your security

Cryptographic keys help improve security in your enterprise. Consider entropy as a way to safeguard your data and prevent hackers from picking your locks with faulty keys.

Entropy gathered from keystrokes, mouse movements and other physical noise sources supplies the random bits from which cryptographic keys are generated.

Entropy is one way to reduce hacking attempts against an enterprise and increase overall security within an IT system. If you use a cloud-based system, entropy as a service can boost your security.

For example, consider keyboards as physical noise sources. All keyboards have firmware that tells them how to work. When a key is pressed, the firmware sends a signal for that key. Many keyboards with basic firmware can't be updated; if such a keyboard stops working, it will supply little or no entropy. If you can update the firmware, make sure the update won't lower your entropy or open the door to other attack avenues.

A developer should establish a trusted hardware root on a client computer to receive entropy from local, independent noise sources. However, dependent noise sources, such as packet arrival times in a communication network and hard drive access times, shouldn't be considered because they don't require direct human activity. As a result, these can be more easily tracked, and hackers can detect a pattern to formulate a plan of attack.

Let's explore some background info on entropy, as well as how entropy as a service can safeguard your information.

Low entropy, low security

Low-power, low-performance devices either don't require an interaction with physical sources of entropy or have limited interaction with them. These constraints can result in a low entropy level and unsafe cryptographic keys.

IoT devices, for example, have insufficient memory to enable full cryptography, and they can't provide a pseudo-random number generator with sufficient entropy. Lightweight cryptography won't prevent an attack on weak cryptographic keys.

Another cause of low entropy is cloud-based systems that don't interact with the client-side physical sources of entropy. Cloud service providers use a single image of a guest virtual machine and create multiple instances in response to user demand. These instances have a limited ability to generate entropy because of the hardware's lack of direct connection between user activity and independent physical sources. Also, these instances depend on CPU and network access timing in a hypervisor and not on physical entropy sources.

Entropy-as-a-service considerations

NIST recommends entropy as a service to provide strong cryptographic keys for cloud-based applications and embedded IoT devices. An entropy-as-a-service server targets virtual machines and containers that can't properly generate strong cryptographic keys.

The server stores entropy from client-side physical sources and waits for a client system to send a request for a public key. The server generates a random value and signs it with the entropy-as-a-service private key before it is sent to the client.

According to NIST, entropy as a service is based on an internet service architecture that provides secure time and entropy sources to IoT devices. The architecture consists of three main components:

  • a quantum entropy device, such as a keyboard;
  • an entropy-as-a-service server; and
  • a hardware root-of-trust device -- such as a Trusted Platform Module, Intel Identity Protection Technology or ARM TrustZone -- in the client system.

An entropy-as-a-service application should be available to ensure proper communication between the architecture components.

Entropy as a service, however, doesn't use client-based entropy sources to generate keys. Instead, it only allows client systems to generate strong cryptographic keys. The entropy-as-a-service server doesn't gain any insight into the client keys.

Entropy as a service provides fresh timestamps and entropy to IoT devices when they boot up. Be sure to test client systems for proper cryptographic key generation.
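The client-side handling described above can be sketched as follows. This is an added example, not code from the article, NIST or any provider: it assumes the response signature has already been verified, and the HKDF (RFC 5869) mixing step, the 300-second freshness window and all function names are illustrative choices.

```python
import hashlib
import hmac
import os
import time

MAX_AGE_SECONDS = 300  # assumed freshness window, not taken from the article


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_seed(server_entropy: bytes, server_time: float,
                local_entropy: bytes, now: float = None,
                length: int = 48) -> bytes:
    """Mix (already signature-verified) server entropy with local entropy."""
    now = time.time() if now is None else now
    # Reject stale responses so a recorded reply cannot be replayed at boot.
    if abs(now - server_time) > MAX_AGE_SECONDS:
        raise ValueError("stale entropy response: possible replay")
    if len(server_entropy) < 32:
        raise ValueError("entropy response shorter than 256 bits")
    # The seed depends on both inputs, so the server, which never sees the
    # local contribution, cannot reproduce it or the keys derived from it.
    prk = hkdf_extract(local_entropy, server_entropy)
    return hkdf_expand(prk, b"eaas-seed-v1", length)


if __name__ == "__main__":
    # Constructed scenario: two instances cloned from one image share the
    # same local state but receive different server entropy.
    cloned_state = b"\x00" * 32
    t = time.time()
    seed_a = derive_seed(os.urandom(32), t, cloned_state)
    seed_b = derive_seed(os.urandom(32), t, cloned_state)
    print("clones diverge:", seed_a != seed_b)
```

The resulting seed would feed the client's own random number generator; the key pair is still generated on the client.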

Entropy-as-a-service providers

An enterprise can have more than one entropy-as-a-service provider. There isn't a singular setup or deployment rulebook, which means that each provider has specific intricacies and capabilities that an enterprise should research before it makes a decision.

Here are some to consider.

  • Crypto4A, headquartered in Canada, offers the QAOS security platform. It implements all of NIST's recommendations. This entropy-as-a-service provider uses a specially developed hardware security module to implement multiple entropy sources. The module is used to feed quantum-based data into a random number generator as specified in NIST SP 800-90.
  • Whitewood, an American developer of cybersecurity products, created netRandom, which receives random data from the Whitewood Entropy Engine. The software supplements existing local entropy sources within Linux and Windows instances. It can be deployed as a cloud service or as part of a private data center infrastructure in compliance with NIST SP 800-90.
  • QuintessenceLabs, an Australian security company, offers its qStream product to provide quantum-generated entropy at high speeds for pseudo-random number generators. The company also offers the qRand Quantum Injector to address the problem of entropy starvation. In addition to NIST SP 800-90, the company is compliant with the Key Management Interoperability Protocol and FIPS 140-2 Level 3.
