Do You Have an Entropy Problem?
Consider a typical AES encryption key: 256 binary digits, arranged into one of an unthinkably large number of possible combinations. You feel safe using that key, because you know that it would take every computer in the world, working nonstop for longer than the age of the universe, to produce that exact same combination of digits. Assuming you keep it protected, the only people who will ever know the key are the ones who are supposed to have it.
But have you ever stopped to wonder where exactly that combination of digits came from? The people trying to steal your data may be wondering the same thing.
The process to create an encryption key starts with a "seed value," a relatively short data string collected from an external source. The seed value is run through a complex algorithm in a software-based pseudorandom number generator (PRNG) to produce a sequence of numbers that are meant to look and act random. This sequence of numbers is then used as input for the processing that creates the final encryption key.
The less predictable a PRNG’s output is, the higher entropy it is said to have. Higher entropy means stronger keys, and most of the PRNGs used for encryption today are strong enough that the National Institute of Standards and Technology has deemed them “cryptographically secure.” High entropy (very hard to predict), however, is not quite the same as full entropy (impossible to predict).
Why Only Pseudo Random?
A pseudorandom number generator needs some form of input (the “seed”) in order to produce its output. It’s critically important that seed values are unpredictable, because a pseudorandom number generator is a deterministic system. That means that if a PRNG is given the same seed multiple times, it will generate the exact same output every time. So if an attacker knows which PRNG algorithm was used to generate an encryption key and is able to determine the seed value, they can generate the same encryption key for themselves.
Given this vulnerability, seed data is typically taken from sources that are expected to be random, such as the movement of a user’s mouse or the timing of I/O events on a device hard drive. The output produced by a PRNG using these methods, while not truly random, is “random enough” for most applications, especially if the implementation meets the NIST standards for pseudorandom number generation.
When the stakes are high enough, however, the lack of true entropy becomes a liability. Organizations with sufficient resources and motivation (which typically means nation states) can compromise pseudorandom encryption keys in a variety of ways:
- Using brute-force attacks to duplicate keys created from low-entropy data. When a PRNG depends on easily-guessed seed values, such as the time of day, this can be accomplished in a matter of seconds using a consumer laptop. Attackers with access to supercomputers (or quantum computers, once they become available) may soon be able to force keys created by NIST-certified PRNGs.
- Inserting backdoors into PRNG algorithms. In 2014, for example, the NIST withdrew its certification of the once widely-used Dual_EC_DRBG algorithm over concerns that it contained a backdoor inserted by the NSA.
- Manipulating the physical processes (such as hard drive activity, keystrokes, or ambient sounds) that are measured to create seed data. This is out of reach for a typical criminal hacker, but may be worth the effort for a large organization when government secrets or billions of dollars are on the line.
While the standard approach to random number generation may be sustainable for most organizations (at least for now), the vulnerabilities of PRNGs will become more significant as attackers develop more sophisticated techniques and more powerful tools.
Full-Entropy Random Number Generation
The alternative to pseudorandom number generation is, of course, true random number generation.
Historically, true random numbers have been difficult to obtain, especially in the quantities needed to support large-scale cryptosystems. Common sources of entropy could only produce a few bits of data per second, which is why PRNGs were developed in the first place.
Now, thanks to a breakthrough on the part of our technology partners, QuintessenceLabs, PKWARE is able to offer full-entropy random number generation as an optional feature of our Smartcrypt Enterprise Manager Appliance. By measuring signal noise produced by quantum fluctuations, the Smartcrypt Enterprise Manager models 300r and 350 both provide 1Gb per second of true random data for use in key generation and other applications.
Full entropy random data provides the highest possible security against potential key attacks. Even quantum computers, while they may be able to break the asymmetric keys currently used in public key infrastructure, are expected to be ineffective against truly random AES-256 encryption keys.
To learn more about quantum random number generation and Smartcrypt’s other unique capabilities, check out the new Smartcrypt Appliances today.