[Cryptography] "Entropy as a Service: A New Resource for Secure Development"
John-Mark Gurney
jmg at funkthat.com
Mon Sep 2 14:41:47 EDT 2019
jamesd at echeque.com wrote this message on Sun, Sep 01, 2019 at 06:32 +0800:
> On 2019-08-29 5:25 am, Tom Mitchell wrote:
> >
> > On Sat, Aug 24, 2019 at 6:40 PM Jerry Leichter <leichter at lrw.com
> > <mailto:leichter at lrw.com>> wrote:
> >
> > OK, this one has me puzzled. I can't figure out if they are talking
> > about better entropy generators running within individual machines,
> > or some kind of centralized entropy generation service (secured
> > how?) or ... what, exactly.
> >
> > I guess everything the becomes a buzzword is someone's business
> > opportunity....
> >
> > https://www.business2community.com/cybersecurity/entropy-as-a-service-a-new-resource-for-secure-development-02230605
> >
> >
> > In this room of experts this service seems silly.
> >
> > They say: "Companies can even use EaaS outside a development context.
> > Comparing keys generated through software-based resources against new
> > entropy reveals whether those keys are actually secure. Instead of
> > assuming cryptography is secure, EaaS tests it objectively. " and
> > testing one key or even a dozen is foolish logic.
>
> You cannot test for entropy. You have to have theory that explains that
> the entropy is derived from a known good source.
>
> If, for example, you have a microphone input connected to a resistor
> instead of a microphone, it will generate large amounts of truly random
> entropy derived primarily from thermal noise. Hash it on bootup, you
> get a true random seed. Use the seed as an encryption key, and encrypt
> an endless stream of zeroes to get an endless stream of unpredictable
> bits. From time to time, reseed.
Heck, even a floating open mic input generates a few bits of noise. I have:
5 */3 * * * root dd if=/dev/dsp bs=4096 count=1 2>/dev/null | sha512 > /dev/random
in the /etc/crontab on one of my servers.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the cryptography
mailing list