The Issue with Entropy in Virtual Environments

By: Sean Mancini

November 25, 2017

First off, let's talk about what entropy is and why we need it. Entropy is used as a randomization factor. When generating a hash, the more random the entropy is, the more random the key is. This makes the key more unique and helps to avoid duplicate keys. Also, when keys are somewhat the same, it's possible to start finding patterns in the hash, which can make it easy for an attacker to decrypt the key.

In a traditional environment, PCs have physical hardware such as your mouse, keyboard, CPU, etc., all of which can be used during the entropy stage to get a random value for hashing. However, the issue now is that virtual environments have removed the physical component and the hardware is now virtual. Virtual hardware is less random than physical hardware, which raises the issue of getting a truly random number set in a virtual environment.

To combat this issue, some interesting approaches have been used, such as a wall of lava lamps. Funny, I know, but the lava lamps are used to get random values based on the movement of the wax bubbles in the lamp. See Cloudflare's lava lamp wall.

There have been other approaches, such as using random noise from areas such as shopping malls and outdoor noise. There are also oscillators that have been used to get values from. This affects IoT devices as well.
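One way to check which randomness sources a Linux guest actually sees, as an added example that is not part of the original article: the script reads the kernel's entropy estimate, the hardware RNG currently in use, and the CPU's RDRAND/RDSEED flags. The function names and the `ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the entropy sources visible to a Linux guest.
# ROOT is a hypothetical override so the checks can run against a copied
# or constructed /proc and /sys tree; empty means the live system.

# Kernel entropy estimate as "available/poolsize" in bits. Informational:
# pool size differs between kernel versions, so compare against poolsize
# rather than a fixed threshold.
entropy_estimate() {
    dir="${1:-}/proc/sys/kernel/random"
    if [ -r "$dir/entropy_avail" ] && [ -r "$dir/poolsize" ]; then
        echo "$(cat "$dir/entropy_avail")/$(cat "$dir/poolsize")"
    else
        echo unknown
    fi
}

# Hardware RNG the kernel is reading from, or "none". A guest that was
# given a paravirtual RNG device shows a virtio_rng entry here.
current_hwrng() {
    cur_file="${1:-}/sys/class/misc/hw_random/rng_current"
    if [ -r "$cur_file" ]; then cat "$cur_file"; else echo none; fi
}

# CPU random-number instructions exposed to the guest (x86 flags line).
cpu_rng_flags() {
    flags=$(grep -m1 '^flags' "${1:-}/proc/cpuinfo" 2>/dev/null || true)
    out=""
    for flag in rdrand rdseed; do
        case " $flags " in *" $flag "*) out="$out $flag" ;; esac
    done
    echo "${out# }"
}

# One-line verdict: warn when neither kind of source is visible.
entropy_verdict() {
    hw=$(current_hwrng "${1:-}")
    cpu=$(cpu_rng_flags "${1:-}")
    if [ "$hw" != none ] || [ -n "$cpu" ]; then
        echo "OK hwrng=$hw cpu=${cpu:-none}"
    else
        echo "WARN no hardware or paravirtual RNG visible to this guest"
    fi
}

echo "entropy estimate: $(entropy_estimate "${ROOT:-}")"
entropy_verdict "${ROOT:-}"
```
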

Entropy as a Service

There are now companies that offer entropy as a service via an API or some other way. You can ask the provider for some randomness. One of these vendors is https://getnetrandom.com. They have a free service and a paid service as well, where you can get randomness while generating your encryption keys. You download a simple client that is Windows and Linux compatible, and when you need it you can get some truly random numbers, according to the site. They also have a physical device for enterprise deployments.

The issue of entropy currently may not be a critical one, but it is something to stay aware of, as security professionals need to understand the implications of low entropy while generating keys.

www.seanmancini.com