[Cryptography] "Entropy as a Service: A New Resource for Secure Development"

Bill Cox waywardgeek at gmail.com
Sun Aug 25 07:07:20 EDT 2019


On Sat, Aug 24, 2019 at 6:40 PM Jerry Leichter <leichter at lrw.com> wrote:

> OK, this one has me puzzled.  I can't figure out if they are talking about
> better entropy generators running within individual machines, or some kind
> of centralized entropy generation service (secured how?) or ... what,
> exactly.
>
> I guess everything that becomes a buzzword is someone's business
> opportunity....
>
>
> https://www.business2community.com/cybersecurity/entropy-as-a-service-a-new-resource-for-secure-development-02230605
>
>                                                         -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography


It's just a bad paper
<https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=920992>, and a
confusing article based on it.  Here's the heart of their protocol:

> The client makes a HTTP GET request to the EaaS server, with the number of
> bytes of random data to return, and its own public key, which is used to
> encrypt the returned payload.

Pretty funny.  Encryption requires a secret that potential attackers do not
know.  To get such entropy, use this protocol.  To use this protocol, you
require a secret (the private key) that potential attackers do not know...

I run into this silly concept now and then.  IIRC, the "Entropy Key" even
has an Entropy-as-a-Service feature for encrypting random numbers to
multiple servers in a data center.  It cracks me up that folks who know
enough to make a decent TRNG don't understand why you can't just do a DH
key exchange, and send the remote server the entropy it needs to do a
secure DH key exchange.
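
The circularity described in the message above, as an added example that is not part of the original post or of the paper it links: a client that derives its key pair from the little entropy it has gets a payload whose secrecy is bounded by that same entropy. The toy DH group, the 16-bit seed, the SHAKE/XOR stand-in for encryption and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy DH modulus (Mersenne prime), far too small for real use
G = 3            # toy base
SEED_BITS = 16   # assumed entropy a freshly booted client actually has

def priv_from_seed(seed: int) -> int:
    # The client can only derive its private key from the entropy it has.
    d = hashlib.sha256(b"client-key" + seed.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % (P - 1)

def keystream(shared: int, n: int) -> bytes:
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def eaas_exchange(client_seed: int, nbytes: int = 32):
    """Return (what a passive observer sees, entropy the client ends up with)."""
    a = priv_from_seed(client_seed)
    A = pow(G, a, P)                      # client public value, sent in clear
    b = secrets.randbelow(P - 2) + 1      # the server has good randomness
    B = pow(G, b, P)
    entropy = secrets.token_bytes(nbytes)
    ct = xor(entropy, keystream(pow(A, b, P), nbytes))
    return (A, B, ct), xor(ct, keystream(pow(B, a, P), nbytes))

def observer_recover(transcript):
    """Enumerate every seed the client could have had; None if none matches."""
    A, B, ct = transcript
    for seed in range(2 ** SEED_BITS):
        a = priv_from_seed(seed)
        if pow(G, a, P) == A:
            return xor(ct, keystream(pow(B, a, P), len(ct)))
    return None

if __name__ == "__main__":
    seen, delivered = eaas_exchange(client_seed=0xBEEF)
    print("16-bit seed, observer recovers payload:", observer_recover(seen) == delivered)
    seen, delivered = eaas_exchange(client_seed=secrets.randbits(128))
    print("128-bit seed, observer recovers payload:", observer_recover(seen) is not None)
```

The second case only stays private because the client already held 128 bits of entropy, which is the resource the service was supposed to supply.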