[Cryptography] "Entropy as a Service: A New Resource for Secure Development"

John-Mark Gurney jmg at funkthat.com
Mon Aug 26 00:58:53 EDT 2019


Jerry Leichter wrote this message on Sat, Aug 24, 2019 at 20:50 -0400:
> OK, this one has me puzzled.  I can't figure out if they are talking about better entropy generators running within individual machines, or some kind of centralized entropy generation service (secured how?) or ... what, exactly.
> 
> I guess everything that becomes a buzzword is someone's business opportunity....
> 
> https://www.business2community.com/cybersecurity/entropy-as-a-service-a-new-resource-for-secure-development-02230605

From what I gather, it's an external service/server that the machine
talks to, to gather the entropy.  It does look like there might be some
that are taking already existing HSM/smartcards and repackaging them...

These aren't needed for VMs, as there's already a virtio standard for
randomness:
https://docs.oasis-open.org/virtio/virtio/v1.1/cs01/virtio-v1.1-cs01.html#x1-2700004

And that has the advantage of coming from the hypervisor that already
has to be trusted by the VM...

Network entropy is extremely limited in usefulness, as you don't have
enough entropy to set up a secure session, or it's passed in clear text,
and then it's minimally useful, as anyone snooping on it can see it...
If you have 256 bits of entropy, you can never exhaust its entropy...

Either use virtio entropy, or a TRNG via USB/smartcard, or your
processor entropy...  Don't be fooled by some SoCs that supposedly
have an entropy source on them, as some of them have to be seeded by
the OS, so your OS still needs a secure source...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
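The two points above (an externally delivered entropy sample that an eavesdropper may have seen adds nothing the attacker does not also know, and a 256-bit local seed is never "used up" by generating output) can be shown in code. The following Python is an added example written for this page; it is not from the thread, from any "entropy as a service" product, or from the virtio specification. The combiner follows the HKDF-Extract shape from RFC 5869 with the local seed as the HMAC key, so the result is pseudorandom whenever the local seed is, regardless of what the external sample contains; `CounterPrf` is a deliberately simplified counter-mode PRF, not a NIST SP 800-90A DRBG (no reseed, no backtracking resistance). The "network" sample and the fixed seeds are constructed values.

```python
"""Mix a local entropy source with an external (network-delivered) sample,
then expand one 256-bit seed into an unbounded keystream with a keyed PRF.

Constructed example for illustration; not code from the mailing-list
thread, any product, or the virtio spec.
"""
import hashlib
import hmac
import os


def mix_entropy(local_seed: bytes, external_sample: bytes) -> bytes:
    """Combine a secret local seed with a possibly-public external sample.

    HKDF-Extract shape (RFC 5869): the secret local seed is the HMAC key and
    the external sample is the message. If an attacker saw the external
    sample on the wire it contributes nothing, but it also cannot make the
    result weaker than the local seed alone.
    """
    if len(local_seed) < 32:
        raise ValueError("local seed must carry at least 256 bits")
    return hmac.new(local_seed, b"mix-v1|" + external_sample, hashlib.sha256).digest()


class CounterPrf:
    """Minimal counter-mode PRF stream seeded once from 256 bits.

    Simplified stand-in for a real DRBG (e.g. NIST SP 800-90A HMAC_DRBG):
    no reseeding and no backtracking resistance. It only illustrates that a
    256-bit seed is not exhausted by producing output: every block is
    HMAC-SHA256(seed, counter), and the counter can run indefinitely.
    """

    def __init__(self, seed: bytes):
        if len(seed) != 32:
            raise ValueError("seed must be exactly 32 bytes")
        self._key = seed
        self._counter = 0

    def generate(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            block = hmac.new(
                self._key, self._counter.to_bytes(8, "big"), hashlib.sha256
            ).digest()
            out += block
            self._counter += 1
        return bytes(out[:nbytes])


def seed_from_sources(external_sample: bytes) -> bytes:
    """Derive a 32-byte seed from the OS pool plus an external sample.

    os.urandom reads the kernel's own pool, which inside a VM is what
    virtio-rng feeds; that local source is the one that must be trusted.
    """
    return mix_entropy(os.urandom(32), external_sample)


if __name__ == "__main__":
    # Constructed "network" sample that an eavesdropper may have captured.
    public_sample = bytes(range(32))
    prf = CounterPrf(seed_from_sources(public_sample))
    print(prf.generate(16).hex())
```

Usage: `CounterPrf(seed_from_sources(sample)).generate(n)` yields `n` bytes; two instances built from the same 32-byte seed produce identical streams, which is exactly why the seed, not the amount of output drawn, is what has to stay secret.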

