[Cryptography] "Entropy as a Service: A New Resource for Secure Development"
jamesd at echeque.com
Sat Aug 31 18:32:45 EDT 2019
On 2019-08-29 5:25 am, Tom Mitchell wrote:
>
> On Sat, Aug 24, 2019 at 6:40 PM Jerry Leichter <leichter at lrw.com> wrote:
>
> OK, this one has me puzzled. I can't figure out if they are talking
> about better entropy generators running within individual machines,
> or some kind of centralized entropy generation service (secured
> how?) or ... what, exactly.
>
> I guess everything that becomes a buzzword is someone's business
> opportunity....
>
> https://www.business2community.com/cybersecurity/entropy-as-a-service-a-new-resource-for-secure-development-02230605
>
>
> In this room of experts this service seems silly.
>
> They say: "Companies can even use EaaS outside a development context.
> Comparing keys generated through software-based resources against new
> entropy reveals whether those keys are actually secure. Instead of
> assuming cryptography is secure, EaaS tests it objectively." and
> testing one key or even a dozen is foolish logic.

You cannot test for entropy. You have to have a theory that explains that
the entropy is derived from a known good source.

If, for example, you have a microphone input connected to a resistor
instead of a microphone, it will generate large amounts of truly random
entropy derived primarily from thermal noise. Hash it on bootup, you
get a true random seed. Use the seed as an encryption key, and encrypt
an endless stream of zeroes to get an endless stream of unpredictable
bits. From time to time, reseed.
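
The construction described in the message above, as an added example that is not part of the original post: hash raw noise samples into a seed, use the seed as a cipher key, encrypt zeroes to get output, and reseed. SHA-256 and ChaCha20 (RFC 8439) are assumptions standing in for the hash and cipher the post leaves unnamed, and the sample bytes are constructed placeholders, not thermal noise.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter(s, a, b, c, d):
    # ChaCha quarter round: four add / xor / rotate steps on state words.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439), i.e. 64 zero bytes encrypted."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(s, *q)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

class NoiseSeededGenerator:
    def __init__(self, noise):
        # "Hash it on bootup": raw samples are biased, the digest is the seed.
        self.key = hashlib.sha256(noise).digest()
        self.counter = 0

    def read(self, n):
        out = b""
        while len(out) < n:
            # struct.pack raises past 2**32 blocks, so reseed long before that.
            out += chacha20_block(self.key, self.counter, bytes(12))
            self.counter += 1
        return out[:n]

    def reseed(self, noise):
        # Mix the old key with fresh samples so the new key depends on both.
        self.key = hashlib.sha256(self.key + noise).digest()
        self.counter = 0

if __name__ == "__main__":
    sample = bytes(range(256)) * 4  # constructed stand-in, NOT real noise
    gen = NoiseSeededGenerator(sample)
    print(gen.read(32).hex())
    gen.reseed(sample[::-1])
    print(gen.read(32).hex())
```

The output is only as unpredictable as the samples passed to the constructor and to `reseed`; nothing in the code measures that, which is the post's point about needing a theory of the source.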