What is the issue with entropy in virtual environments?

First off, let's talk about what entropy is and why we need it.

Entropy is used as a randomization factor when generating a hash. The more random the entropy is, the more random the key is, which makes the key more unique and avoids duplicate keys. Also, when keys are somewhat the same, it is possible to start finding patterns in the hash, which can make it easy for an attacker to decrypt the key.

 

In a traditional environment, PCs have physical hardware such as your mouse, keyboard, CPU, etc. that can all be used during the entropy stage to get random values for hashing.

But the issue now is that virtual environments have removed the physical component and the hardware is now virtual. Virtual hardware is less random than physical hardware, which raises the issue of obtaining a truly random number set in a virtual environment.

To combat this issue, some interesting approaches have been used, such as a wall of lava lamps. Funny, I know, but the lava lamps are used to get random values based on the movement of the blobs, or whatever you call the stuff in the lamp.

See Cloudflare's lava lamp wall: https://www.youtube.com/watch?v=1cUUfMeOijg

There have been other approaches, such as using random noise from areas such as shopping malls and outdoor noise. There are also oscillators that have been used to get values from.

This affects IoT devices as well.

Entropy as a service

There are now companies that offer entropy as a service, so via an API or some other way you can ask the provider for some randomness.

One of these vendors is https://getnetrandom.com

They have a free service and a paid service as well, where you can get randomness while generating your encryption keys. You download a simple client that is Windows and Linux compatible, and when you need it you can get some truly random numbers, according to the site.

They also have a physical device for enterprise deployments.

 

The issue of entropy may not currently be critical, but it is something to stay aware of. We as security pros need to understand the implications of low entropy while generating our keys.
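The duplicate-key risk described above, as an added example that is not part of the original post: a Python model of a fleet of guests whose key generator is seeded from only a few bits of state, followed by the duplicate-fingerprint check a defender would run over keys collected from that fleet. The function names, the `vm-NNNN` host names and the 8-bit seed size are assumptions chosen for illustration.

```python
import hashlib
import random
import secrets
from collections import defaultdict

KEY_BYTES = 32


def key_from_seed(seed):
    """Deterministic generator: the key is only as unpredictable as its seed."""
    return random.Random(seed).getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def build_fleet(hosts, seed_bits=None):
    """Constructed fleet with hypothetical host names.

    seed_bits=None draws each key from the OS CSPRNG; otherwise each guest
    seeds its generator from only `seed_bits` bits of boot-time state.
    """
    boot_state = random.Random(2024)  # fixed so the demo is repeatable
    fleet = {}
    for i in range(hosts):
        if seed_bits is None:
            fleet[f"vm-{i:04d}"] = secrets.token_bytes(KEY_BYTES)
        else:
            fleet[f"vm-{i:04d}"] = key_from_seed(boot_state.getrandbits(seed_bits))
    return fleet


def fingerprint(key):
    """Short SHA-256 fingerprint, as an inventory tool would record it."""
    return hashlib.sha256(key).hexdigest()[:16]


def duplicate_keys(fleet):
    """Group hosts by key fingerprint; return fingerprints shared by 2+ hosts."""
    by_fp = defaultdict(list)
    for host, key in fleet.items():
        by_fp[fingerprint(key)].append(host)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


if __name__ == "__main__":
    # Assumed sizes: 300 guests, 8 bits of seed state versus the OS CSPRNG.
    for label, bits in (("8-bit seed", 8), ("OS CSPRNG", None)):
        fleet = build_fleet(300, bits)
        dupes = duplicate_keys(fleet)
        print(f"{label}: {len(set(fleet.values()))} distinct keys on "
              f"{len(fleet)} hosts, {len(dupes)} fingerprints shared")
```

The same `duplicate_keys` check works on real data if you feed it key material or fingerprints gathered from your own fleet inventory.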

 

 
