The Issue with Entropy in Virtual Environments

November 25, 2017 | Views: 5023


First off, let’s talk about what entropy is and why we need it. Entropy is used as a randomization factor. When generating a hash, the more random the entropy is, the more random the key is. This makes the key more unique and helps to avoid duplicate keys. Also, when keys are somewhat alike, it becomes possible to start finding patterns in the hash, which can make it easy for an attacker to decrypt the key.

In a traditional environment, PCs have physical hardware such as your mouse, keyboard, CPU, etc., all of which could be used during the entropy stage to get a random value for hashing. However, the issue now is that virtual environments have removed the physical component, and the hardware is now virtual. Virtual hardware is less random than physical hardware, which raises the issue of how to get a truly random number set in a virtual environment.

To combat this issue, some interesting approaches have been used, such as a wall of lava lamps. Funny, I know, but the lava lamps are used to get random values based on the movement of the wax bubbles in the lamp.

See Cloudflare’s lava lamp wall:

There have been other approaches, such as using random noise from places like shopping malls and the outdoors. Oscillators have also been used as a source of values. This affects IoT devices as well.

Entropy as a Service

There are now companies that offer entropy as a service via an API or some other way. You can ask the provider for some randomness. One of these vendors is 

They have a free service and a paid service as well, where you can get randomness while generating your encryption keys. You download a simple client that is Windows and Linux compatible, and when you need it you can get some truly random numbers, according to the site. They also have a physical device for enterprise deployments. The issue of entropy currently may not be a critical one, but it is something to stay aware of, as security professionals need to understand the implications of low entropy while generating keys.
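
To see which randomness sources a Linux virtual machine actually has, the shell script below (an added example, not part of the original article) reads the kernel's entropy estimate, the CPU flags and the active hardware RNG device. The 256-bit threshold and the optional ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the randomness sources visible to a Linux guest.
# Optional argument ROOT points at a copied or constructed /proc and /sys
# tree; with no argument the live system is inspected.

MIN_BITS=256   # assumed threshold for this example, not a kernel constant

# Succeeds if the CPU advertises the RDRAND or RDSEED instructions.
has_cpu_rng() {
    grep -Eqw 'rdrand|rdseed' "$1/proc/cpuinfo" 2>/dev/null
}

# Prints the kernel's active hardware RNG driver, or "none".
hwrng_current() {
    cur=$(cat "$1/sys/class/misc/hw_random/rng_current" 2>/dev/null || true)
    echo "${cur:-none}"
}

# Prints one line per finding; returns 1 when the guest has neither a CPU
# RNG instruction nor a hardware RNG device to feed the kernel pool.
audit_rng() {
    root=${1:-}
    avail=$(cat "$root/proc/sys/kernel/random/entropy_avail" 2>/dev/null || echo 0)
    echo "entropy_avail=$avail bits"
    [ "$avail" -ge "$MIN_BITS" ] || echo "WARN: entropy estimate below $MIN_BITS bits"

    sources=0
    if has_cpu_rng "$root"; then
        echo "cpu_rng=yes"; sources=$((sources + 1))
    else
        echo "WARN: no CPU RNG instruction exposed to this guest"
    fi

    dev=$(hwrng_current "$root")
    echo "hwrng=$dev"
    if [ "$dev" != "none" ]; then
        sources=$((sources + 1))
    else
        echo "WARN: no hardware RNG device (physical or paravirtual) attached"
    fi

    [ "$sources" -gt 0 ]
}

audit_rng "$@" || echo "RESULT: guest relies on software-collected entropy only"
```

Running it on a freshly cloned guest before any keys are generated shows whether the hypervisor passes a CPU or paravirtual RNG through to the VM.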
