[Cryptography] "Entropy as a Service: A New Resource for Secure Development"

jamesd at echeque.com
Sat Aug 31 18:32:45 EDT 2019

On 2019-08-29 5:25 am, Tom Mitchell wrote:
> On Sat, Aug 24, 2019 at 6:40 PM Jerry Leichter <leichter at lrw.com> wrote:
>     OK, this one has me puzzled.  I can't figure out if they are talking
>     about better entropy generators running within individual machines,
>     or some kind of centralized entropy generation service (secured
>     how?) or ... what, exactly.
>     I guess everything that becomes a buzzword is someone's business
>     opportunity....
>     https://www.business2community.com/cybersecurity/entropy-as-a-service-a-new-resource-for-secure-development-02230605
> In this room of experts this service seems silly.
> They say: "Companies can even use EaaS outside a development context. 
> Comparing keys generated through software-based resources against new 
> entropy reveals whether those keys are actually secure. Instead of 
> assuming cryptography is secure, EaaS tests it objectively." and 
> testing one key or even a dozen is foolish logic.

You cannot test for entropy.  You have to have a theory that explains that 
the entropy is derived from a known good source.

If, for example, you have a microphone input connected to a resistor 
instead of a microphone, it will generate large amounts of truly random 
entropy derived primarily from thermal noise.  Hash it on bootup, you 
get a true random seed.  Use the seed as an encryption key, and encrypt 
an endless stream of zeroes to get an endless stream of unpredictable 
bits. From time to time, reseed.
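
The construction outlined above, as an added sketch that is not part of the original post; it also shows why output statistics cannot measure entropy. Assumptions: HMAC-SHA256 over a counter stands in for encrypting zeroes with a cipher (the Python standard library ships none), `os.urandom` stands in for sampled resistor noise, and all names are illustrative.

```python
import hashlib
import hmac
import os


def sample_noise(n: int = 64) -> bytes:
    # Assumption: os.urandom stands in for ADC samples of resistor thermal noise.
    return os.urandom(n)


class SeededStream:
    def __init__(self, noise: bytes):
        # "Hash it on bootup": condense the raw samples into a 256-bit key.
        self.key = hashlib.sha256(noise).digest()
        self.counter = 0

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            # Stand-in for encrypting zero blocks: a keyed PRF over a counter.
            block = hmac.new(self.key, self.counter.to_bytes(16, "big"),
                             hashlib.sha256).digest()
            out += block
            self.counter += 1
        return bytes(out[:n])

    def reseed(self, noise: bytes) -> None:
        # Assumption: fold new noise into the old key, so a bad sample
        # cannot make the state more predictable than it already was.
        self.key = hashlib.sha256(self.key + noise).digest()


def ones_fraction(data: bytes) -> float:
    # Monobit statistic: share of 1 bits, about 0.5 for random-looking data.
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def looks_random(data: bytes, tol: float = 0.01) -> bool:
    return abs(ones_fraction(data) - 0.5) < tol


if __name__ == "__main__":
    dead_input = bytes(64)  # constructed: a source stuck at zero, no entropy
    weak = SeededStream(dead_input).read(1 << 16)
    good = SeededStream(sample_noise()).read(1 << 16)
    # Both pass the statistic; only the first can be regenerated by anyone.
    print(looks_random(weak), looks_random(good))
    print(weak == SeededStream(dead_input).read(1 << 16))
```

The stream seeded from a dead input passes the same bit-balance check as the properly seeded one, which is why the guarantee has to come from knowing the source rather than from inspecting the output.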
