By Richard Moulds
We all love services. Throughout history we’ve consumed services when we either can’t do or prefer not to do something ourselves. When you think about it, it’s quite surprising how little we actually do for ourselves!
That same attitude is now well established in the world of corporate IT, where the ‘as-a-service’ model has a heck of a lot going for it. Cloud services are probably cheaper, more flexible and more reliable than doing it yourself. In short, services are just easier.
Unfortunately, ‘easy’ is not a word that springs to mind when we think about crypto and key management. My colleagues and I at Whitewood are trying to change that with our new entropy-as-a-service offering at getnetrandom.com.
It’s probably true that most security pros never give entropy a second thought. There’s a general awareness that entropy is what makes random numbers random, but few have the time to worry about where it comes from, how it’s used, or what distinguishes a generator that is working from one that is not – a system that is safe from one that is not.
But there’s a growing sense that entropy and randomness are topics that deserve our attention and even some action. NIST is working on a new set of standards, and the SANS Institute, which produces an annual prediction of the most dangerous attacks for the coming year, included weak random number generation in its list of the top seven threats (I wrote about the SANS prediction here).
Recognizing the threats associated with entropy and random numbers is one thing – but doing something about them is quite another. It’s a poorly documented topic and hard to know where you would even start. Random number generators are buried in the depths of the operating system, there are virtually no tools to reliably measure the quality of the random numbers they generate, and no alarm bells go off when something goes wrong.
The very nature of random numbers means that fixing randomness and entropy starvation is not something that can be done reactively. If we could simply generate lots of keys and throw away the ones that aren’t very random, life would be good, but sadly it doesn’t work that way: a key produced by a badly seeded generator passes every statistical test you can run on it in isolation, because the weakness is in the process that made it, not in the bits you are holding. When it comes to improving random numbers we have to be proactive.
But as we all know, being proactive is tricky when there are always so many other things that we need to react to. Proactive measures have to be easy, otherwise they never happen. How many of us would proactively take the flu shot if it meant a week of special diets and rigorous exercise?
That brings me back to entropy-as-a-service. Wouldn’t it be nice if your applications, and particularly your crypto applications (SSL/TLS, SSH, encryption, payments, PKI, DRM, blockchain to name just a few), could get access to pure quantum entropy all the time? It would be even better if the quality of that entropy was independent of the machines those apps were running on, and better still if it didn’t require plugging in new hardware or changing a line of code. Well now, that capability exists, and best of all, it’s free!
Try it out yourself! Head over to getnetrandom.com, download our netRandom client and start streaming your own quantum entropy for free. The received entropy is fed directly into the Linux kernel entropy pool, where it rapidly re-seeds the kernel random number generator that sits behind /dev/random and /dev/urandom (don’t worry, we’ll have the same thing for Windows very soon).
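For readers who want to see what “fed directly into the Linux entropy pool” means at the kernel interface, here is an added example (not the netRandom client’s code, and not anything from getnetrandom.com) of the call any such client ultimately makes: the RNDADDENTROPY ioctl on /dev/random, which mixes a buffer of bytes into the kernel pool and credits it with a stated number of entropy bits. Two caveats a practitioner should know: the ioctl needs CAP_SYS_ADMIN (run it as root), and a plain write() to /dev/random mixes the bytes in but credits nothing. The sample bytes in main() are a constructed, deterministic placeholder, so the example deliberately credits them with 0 bits; the entropy_count field is a trust claim, and a real client sets it only to the number of bits its vetted source is trusted for.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>   /* struct rand_pool_info, RNDADDENTROPY */

/*
 * Build the rand_pool_info the kernel expects:
 *   entropy_count - bits of entropy the caller vouches for (a trust claim)
 *   buf_size      - number of bytes in buf
 *   buf           - the bytes to mix into the pool
 * Returns a heap block the caller frees, or NULL on bad arguments.
 * We refuse to credit more bits than the buffer physically holds.
 */
struct rand_pool_info *build_pool_info(const unsigned char *seed, size_t len,
                                       int credit_bits)
{
    if (seed == NULL || len == 0 || len > 4096)
        return NULL;
    if (credit_bits < 0 || credit_bits > (int)(len * 8))
        return NULL;
    struct rand_pool_info *info = calloc(1, sizeof *info + len);
    if (info == NULL)
        return NULL;
    info->entropy_count = credit_bits;
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info;
}

/*
 * Mix `seed` into the kernel pool and credit `credit_bits`.
 * RNDADDENTROPY needs CAP_SYS_ADMIN; a plain write() to /dev/random mixes
 * the bytes but credits nothing. Returns 0 on success, -errno on failure.
 */
int add_entropy(const unsigned char *seed, size_t len, int credit_bits)
{
    struct rand_pool_info *info = build_pool_info(seed, len, credit_bits);
    if (info == NULL)
        return -EINVAL;
    int fd = open("/dev/random", O_WRONLY);
    if (fd < 0) {
        int e = errno;
        free(info);
        return -e;
    }
    int rc = ioctl(fd, RNDADDENTROPY, info);
    int e = (rc < 0) ? errno : 0;
    close(fd);
    free(info);
    return (rc < 0) ? -e : 0;
}

/* Kernel's current entropy estimate in bits, or -1 if the file is unreadable. */
long entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (f == NULL)
        return -1;
    long bits = -1;
    if (fscanf(f, "%ld", &bits) != 1)
        bits = -1;
    fclose(f);
    return bits;
}

int main(void)
{
    /* Constructed placeholder standing in for bytes received from an
     * entropy service. They are deterministic, so we credit 0 bits: the
     * kernel still mixes them in, but the entropy estimate is not raised.
     * A real client credits only the bits its vetted source is trusted for. */
    unsigned char sample[32];
    for (size_t i = 0; i < sizeof sample; i++)
        sample[i] = (unsigned char)(i * 37 + 11);

    printf("entropy_avail before: %ld bits\n", entropy_avail());
    int rc = add_entropy(sample, sizeof sample, 0);
    if (rc < 0)
        fprintf(stderr, "RNDADDENTROPY failed: %s (run as root?)\n", strerror(-rc));
    printf("entropy_avail after:  %ld bits\n", entropy_avail());
    return rc < 0 ? 1 : 0;
}
```

Compile with `gcc -Wall -o addentropy addentropy.c` and run it as root on a Linux box; an unprivileged run reports EPERM, which is the kernel telling you that crediting entropy is a privileged claim. On kernels from 5.18 onward entropy_avail reports a constant 256 once the pool is initialised, so don’t expect the before/after numbers to move there; the mixing still happens.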
One of the nice things about entropy is that it’s additive: properly mixing another source into the pool can never make the pool worse than its best source, so you don’t have to rely on any single one. Network-delivered entropy from Whitewood acts as a supplementary source to be combined with whatever local entropy you already have. It spreads your risk, boosts quality and brings consistency across VMs, containers, devices – whatever and wherever.
For the first time you’ll be able to track the total entropy you consumed, how demand changed over time and measure the randomness of the entropy you received, all from your personal admin page on getnetrandom.com.
At the risk of overusing my flu shot analogy, think of the quantum entropy streamed from getnetrandom.com as inoculating your existing systems against making weak keys. Like any proactive measure, our new entropy-as-a-service is focused on peace of mind, instilling the confidence that your crypto and non-crypto applications alike have access to true random numbers whenever they need them. It’s as easy as that.