May 15, 2017

Cryptographic Key Generation – It’s Time To Pay Attention

By Richard Moulds

Cryptographic Key Generation When we think about cryptographic keys, we tend to think about closely guarded secrets. Keys are the only thing that keeps the attacker away from your encrypted data. Some keys are usually treated with the appropriate level of respect. Security professionals in the payments industry, or those that have deployed a PKI, know […]

Cryptographic Key Generation

When we think about cryptographic keys, we tend to think about closely guarded secrets. Keys are the only thing that keeps the attacker away from your encrypted data. Some keys are usually treated with the appropriate level of respect. Security professionals in the payments industry, or those that have deployed a PKI, know all too well about the importance of defining and auditing certain key management processes.

But in this article I’m focused on all of the other keys: the billions of keys that are created on the fly, automatically, every second. The ones used in SSL, SSH, file and disk encryption and a thousand other applications. How are those keys generated? Who’s responsible for making sure that they’re good enough to do their job? How do we make sure that nothing’s taken for granted?

When I talk about keys being ‘good enough’, what I mean is, are they truly random? When keys are less than perfectly random they start to become predictable, and predictability is the enemy of all cryptography – it makes the attacker’s job a lot easier.

Where Do The Numbers Come From?

Cryptographic Generation

So, where do the random numbers that are used to generate keys come from? In almost all cases they’re generated by the operating system. The trouble is that software only does what it’s programmed to do; it doesn’t do random things.

To help randomize random number generation algorithms, the operating system scavenges randomness (more properly called entropy) from wherever it can, ideally by sampling some aspect of its physical environment; the real world. Entropy can come from many sources, some better (more random) than others. Everything from mouse clicks by the user, to keyboard clicks and timing jitter in the computer hardware can all yield entropy.

The trouble is that capturing entropy and converting it into statistically random numbers (equal proportions of independent ones and zeros) is not easy and it’s getting harder. Random number generation spans the entire stack from the hardware to the OS to the application. It’s a complex picture that is made even harder by virtualization and containerization layers that are specifically designed to abstract the things that need randomness (the applications) for the places where randomness actually exists (the hardware and the local environment).

Unfortunately these various layers are often ‘owned’ by different people or teams. In cloud environments the hardware layer might be completely opaque, owned and operated by a service provider. The trend is strongly oriented towards these highly abstracted deployment models, which raises the question, “Who owns the job of making sure that random number generation is done right?

Looking at the Hardware

The hardware guys have no idea what applications will run on any given box or how much entropy each will require. The OS has no idea how many random numbers will be required or how to prioritize the needs of individual applications (you’d like to believe the crypto apps get the best random numbers). And the applications have no idea if they are getting the quality of random numbers that they asked for, and almost never have the ability to raise alarms if they don’t.

The reality is that each successive layer in the stack makes the assumption that everything below (the hardware, the OS etc.) is doing its job in creating, capturing and processing entropy. Worse still, the existing tools for assessing the quality of entropy and the randomness of random numbers are notoriously unreliable and hard to use. In practice there’s no easy way to find out if the various layers are doing their job. The end result is that applications that use random numbers to generate keys have no ability to attest to their quality – either in real-time or retrospectively.

It would be nice to think that the security team will save the day. After all, it is their job to take a holistic view. But is that realistic? How many security teams know the specifics of how individual applications access and use random numbers to generate keys? How can they possibly know how commercial software or security appliances work at that level of detail? Could a CISO ever answer the question of how many VMs or Containers are running at any point in time, never mind what proportion of them are satisfying the entropy demands of their crypto apps? How many organizations have a policy about such apparently mundane tasks as generating random numbers?

Actually, some really do. Some require product security certifications such as FIPS 140, which includes provisions for random number generation, and a subset of these organizations invest in dedicated devices such as hardware security modules (HSMs). But now we are in the territory of those special, regulated applications I mentioned at the beginning.

If we return to the mainstream – the millions of SSL stacks whirring away across the datacenter, the SSH keys generated on almost every system, the corporate web of VPNs – we need a generic solution, a solution that deals with random number generation and entropy on a grand scale. It will soon be hard to find an application that doesn’t need random numbers, and most will need crypto-strength randomness. Entropy sourcing and random number generation shouldn’t be left to chance; a best effort activity.

Entropy starvation and poor random number generation is a basic security hygiene issue and taking proactive steps to ensure that keys are truly random is a standard of due care.

By Richard Moulds

Richard Moulds

5 Azure Cost Management Strategies

What Is Azure Cost Management? Azure cost management refers to the practices and processes that [...]
Read more
Steve Prentice

Get Smarter – The Era of Microlearning 

The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date [...]
Read more

Azure Free Tier vs. AWS Free Tier: Which Provides More Value?

Cloud computing has become a cornerstone for the digital transformation of businesses. From startups to [...]
Read more
Metasploit-Penetration-Testing-Software-Pen-Testing-Security

Leading Cloud Vulnerability Scanners

Vulnerability Scanners Cyber security vulnerabilities are a constant nuisance and it certainly doesn’t help with [...]
Read more
Jeff DeVerter

Charting the Course: An Interview with Rackspace’s Jeff DeVerter on AI and Cloud Innovation

Rackspace’s Jeff DeVerter on AI & Cloud Innovation In an insightful conversation with CloudTweaks, Jeff [...]
Read more

A.I. is Not All It’s Cracked Up to Be…At Least Not Yet!

Exploring AI’s Potential: The Gap Between Aspiration and Reality Recently Samsung releases its new Galaxy [...]
Read more

SPONSORS

Interviews and Thought Leadership

Daniel Barber

Q&A Daniel Barber – 2024 AI + Data Privacy Predictions

2024 AI + Data Privacy Predictions In a recent interview with CloudTweaks, Daniel Barber, Co-Founder and CEO of DataGrail, shared insightful perspectives on the evolving landscape of AI and privacy. [...]
Read more
Algirdas Stasiūnaitis

The Future of Cybersecurity: Insights from Cyber Upgrade’s Founders

AI and Cybersecurity: Innovations and Challenges In the rapidly evolving landscape of technology, where artificial intelligence and cybersecurity shape the future of our digital world, CloudTweaks is pleased to present [...]
Read more

Digital Solutions for Legal Matchmaking: The Role of AI in Connecting Clients with Lawyers

The Role of AI in Connecting Clients with Lawyers The legal industry is transforming significantly in today’s digital age, embracing [...]
Read more

CrowdStrike and Dell unleash an AI-powered, unified security vision

Dell and CrowdStrike are joining forces today to help businesses battle against cyberattacks using AI to protect against generative AI, stealth social engineering and [...]
Read more

Embracing Governance to Navigate 2024’s Tech Trends

Mastering Governance Strategies for Success The start of a new year is a fitting time for goal-setting, and IT managers [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.