[Cryptography] "Entropy as a Service: A New Resource for Secure Development"
waywardgeek at gmail.com
Sun Aug 25 07:07:20 EDT 2019
On Sat, Aug 24, 2019 at 6:40 PM Jerry Leichter <leichter at lrw.com> wrote:
> OK, this one has me puzzled. I can't figure out if they are talking about
> better entropy generators running within individual machines, or some kind
> of centralized entropy generation service (secured how?) or ... what,
> I guess everything that becomes a buzzword is someone's business
> -- Jerry
It's just a bad paper
<https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=920992>, and a
confusing article based on it. Here's the heart of their protocol:
> The client makes a HTTP GET request to the EaaS server, with the number of
> bytes of random data to return, and its own public key, which is used to
> encrypt the returned payload.
Pretty funny. Encryption requires a secret that potential attackers do not
know. To get such entropy, use this protocol. To use this protocol, you
require a secret (the private key) that potential attackers do not know...
I run into this silly concept now and then. IIRC, the "Entropy Key" even
has an Entropy-as-a-Service feature for encrypting random numbers to
multiple servers in a data center. It cracks me up that folks who know
enough to make a decent TRNG don't understand why you can't just do a DH
key exchange, and send the remote server the entropy it needs to do a
secure DH key exchange.
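The circularity described above, as an added example that is not part of the original message or of the NIST paper: a client whose key pair was generated from a small boot-time seed receives "fresh" entropy encrypted to that key, and a passive observer recovers it by re-running the key generation. The toy group, the 12-bit seed size, the hashed-ElGamal stand-in for the unspecified public-key encryption, and all function names are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import secrets

# Constructed toy parameters: a 127-bit Mersenne prime group, far too small for
# real use, chosen only so the example runs instantly with the standard library.
P = 2**127 - 1
G = 3
SEED_BITS = 12  # assumed: all the entropy the client has when it makes its key

def keypair_from_seed(seed: int) -> tuple[int, int]:
    """Derive a key pair deterministically from the client's starting entropy."""
    digest = hashlib.sha256(b"client-keygen" + seed.to_bytes(4, "big")).digest()
    priv = int.from_bytes(digest, "big") % (P - 2) + 1
    return priv, pow(G, priv, P)

def keystream(shared: int, n: int) -> bytes:
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def server_encrypt(client_pub: int, payload: bytes) -> tuple[int, bytes]:
    """Server side: encrypt the random payload to the client's public key."""
    eph = secrets.randbelow(P - 2) + 1
    ks = keystream(pow(client_pub, eph, P), len(payload))
    return pow(G, eph, P), bytes(a ^ b for a, b in zip(payload, ks))

def decrypt(priv: int, eph_pub: int, ct: bytes) -> bytes:
    ks = keystream(pow(eph_pub, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def observer_recover(client_pub: int, eph_pub: int, ct: bytes) -> bytes | None:
    """Passive observer: sees only the request (public key) and the response."""
    for seed in range(2**SEED_BITS):
        priv, pub = keypair_from_seed(seed)
        if pub == client_pub:  # the private key is no more secret than the seed
            return decrypt(priv, eph_pub, ct)
    return None

def demo() -> tuple[bytes, bytes, bytes | None]:
    priv, pub = keypair_from_seed(secrets.randbelow(2**SEED_BITS))
    fresh = secrets.token_bytes(32)           # what the server hands out
    eph_pub, ct = server_encrypt(pub, fresh)  # what crosses the network
    return fresh, decrypt(priv, eph_pub, ct), observer_recover(pub, eph_pub, ct)
```

The delivered bytes are only as unpredictable to an observer as the private key that protects them, so a client that truly needs the service gains nothing from it, and a client with a sound private key already had the entropy.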