Cryptographic Key Generation – It’s Time To Pay Attention

Cryptographic Key Generation

When we think about cryptographic keys, we tend to think about closely guarded secrets. Keys are the only thing that keeps the attacker away from your encrypted data. Some keys are usually treated with the appropriate level of respect. Security professionals in the payments industry, or those that have deployed a PKI, know all too well about the importance of defining and auditing certain key management processes.

But in this article I’m focused on all of the other keys: the billions of keys that are created on the fly, automatically, every second. The ones used in SSL, SSH, file and disk encryption and a thousand other applications. How are those keys generated? Who’s responsible for making sure that they’re good enough to do their job? How do we make sure that nothing’s taken for granted?

When I talk about keys being ‘good enough’, what I mean is, are they truly random? When keys are less than perfectly random they start to become predictable, and predictability is the enemy of all cryptography – it makes the attacker’s job a lot easier.

Where Do The Numbers Come From?

Cryptographic Generation

So, where do the random numbers that are used to generate keys come from? In almost all cases they’re generated by the operating system. The trouble is that software only does what it’s programmed to do; it doesn’t do random things.

To help randomize random number generation algorithms, the operating system scavenges randomness (more properly called entropy) from wherever it can, ideally by sampling some aspect of its physical environment; the real world. Entropy can come from many sources, some better (more random) than others. Everything from mouse clicks by the user, to keyboard clicks and timing jitter in the computer hardware can all yield entropy.

The trouble is that capturing entropy and converting it into statistically random numbers (equal proportions of independent ones and zeros) is not easy and it’s getting harder. Random number generation spans the entire stack from the hardware to the OS to the application. It’s a complex picture that is made even harder by virtualization and containerization layers that are specifically designed to abstract the things that need randomness (the applications) for the places where randomness actually exists (the hardware and the local environment).

Unfortunately these various layers are often ‘owned’ by different people or teams. In cloud environments the hardware layer might be completely opaque, owned and operated by a service provider. The trend is strongly oriented towards these highly abstracted deployment models, which raises the question, “Who owns the job of making sure that random number generation is done right?

Looking at the Hardware

The hardware guys have no idea what applications will run on any given box or how much entropy each will require. The OS has no idea how many random numbers will be required or how to prioritize the needs of individual applications (you’d like to believe the crypto apps get the best random numbers). And the applications have no idea if they are getting the quality of random numbers that they asked for, and almost never have the ability to raise alarms if they don’t.

The reality is that each successive layer in the stack makes the assumption that everything below (the hardware, the OS etc.) is doing its job in creating, capturing and processing entropy. Worse still, the existing tools for assessing the quality of entropy and the randomness of random numbers are notoriously unreliable and hard to use. In practice there’s no easy way to find out if the various layers are doing their job. The end result is that applications that use random numbers to generate keys have no ability to attest to their quality – either in real-time or retrospectively.

It would be nice to think that the security team will save the day. After all, it is their job to take a holistic view. But is that realistic? How many security teams know the specifics of how individual applications access and use random numbers to generate keys? How can they possibly know how commercial software or security appliances work at that level of detail? Could a CISO ever answer the question of how many VMs or Containers are running at any point in time, never mind what proportion of them are satisfying the entropy demands of their crypto apps? How many organizations have a policy about such apparently mundane tasks as generating random numbers?

Actually, some really do. Some require product security certifications such as FIPS 140, which includes provisions for random number generation, and a subset of these organizations invest in dedicated devices such as hardware security modules (HSMs). But now we are in the territory of those special, regulated applications I mentioned at the beginning.

If we return to the mainstream – the millions of SSL stacks whirring away across the datacenter, the SSH keys generated on almost every system, the corporate web of VPNs – we need a generic solution, a solution that deals with random number generation and entropy on a grand scale. It will soon be hard to find an application that doesn’t need random numbers, and most will need crypto-strength randomness. Entropy sourcing and random number generation shouldn’t be left to chance; a best effort activity.

Entropy starvation and poor random number generation is a basic security hygiene issue and taking proactive steps to ensure that keys are truly random is a standard of due care.

By Richard Moulds

Yuri Sagalov

IT Culture Clash Where Employees Use Multiple Devices To Collaborate

Employees use multiple devices to collaborate It used to be that company IT decision makers could simply dictate the software that business units would use. However, in today’s business the IT culture clash where employees ...
Anita Raj

The Criticality of Data Governance in a Multi-cloud Environment

The Criticality of Data Governance Multi-cloud has emerged as an enterprise favorite in almost no time.  In fact, Security Boulevard  makes a reference to a Forrester Research Report which confirms that almost 86 percent of ...
Jen Klostermann

Enterprises Starting To Embrace Blockchain-as-a-Service (BaaS)

Blockchain as a Service (BaaS) Many global companies have already implemented Blockchain-as-a-Service (BaaS) into their cloud offerings. There isn't any question that offering BaaS can serve as a differentiator for many companies. Not to mention, ...
Aruna Headshot

66% Say They’d Switch Vendors in Order to Get an Intelligent Online Meeting Solution

People are getting frustrated with online and video meetings. In fact, according to a recent survey, 85% say they are challenged with these types of poor experiences and 74% say they’re not too happy about ...
Jeremy Daniel

Find Competitive Advantage through AWS by Partnering With The Experts

Setting up your cloud configuration is too important to not involve the experts MediaTemple & CloudTweaks Thought Leadership Brand Series So many great business ideas fail at the moment when strategy must turn to execution ...
Mark Rochester

Why Remote Migrations are Essential for Business Continuity

Remote Business Continuity We are approaching a banner year for the cloud. The COVID-19 pandemic has highlighted the importance of cloud technology to enable resilience and business continuity, and it will be a critical time ...