Endpoint

3/4/2016
01:15 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Truly Random Number Generator Promises Stronger Encryption Across All Devices, Cloud

So long pseudo-random number generator. Quantum mechanics brought us true randomness to power our crypto algorithms, and it's strengthening encryption in the cloud, datacenter, and the Internet of Things.

SAN FRANCISCO, RSA Conference -- In light of yet another SSL vulnerability this week, any improvements to the underpinnings of encryption would be welcome. One weakness of encryption algorithms -- one that simply increasing from 128-bit to 256-bit can't solve -- is that they are based on pseudo-random number generators; not truly random number generators.

Whitewood Encryption Systems, which launched in summer 2015, is changing that, by using quantum mechanics.

They generate truly random numbers by harnessing the entropy (randomness or disorder) of nature, which is much more random than any of the sources computing systems currently glean for entropy.

Two problems with old entropy collection

Entropy is collected at the hardware level, typically by actions like keystrokes and mouse movements. There are two troubles here.

One: keystrokes and mouse movements don't create enough entropy.

In a Linux kernel, the entropy is used to create random characters that are put in two special files: dev/random and dev/urandom. As Richard Moulds, Whitewood's vice-president of business development and strategy, describes it, dev/random is the good drinking water -- the true random numbers -- while dev/urandom may be fine for industrial uses, but you wouldn't want to drink it. If the two were faucets, the usual amount of entropy would produce a steady flow of dev/urandom, but only a few drips of the delicious dev/random. So, when an application -- even a cryptographic application -- calls for a random number, they might get one of those low-quality urandom ones.

Two: Since entropy is generated from hardware, every layer of abstraction from the hardware will have reduced access to entropy -- and that's troubling for anyone who uses virtualization.

"One bad reason to do virtualization," says Moulds, "is it's a firewall for entropy. In the virtual world, there ain't no randomness."

Sharing randomness

The product Whitewood launched with in August, the Entropy Engine, addresses the first problem. It turns the drip of drinking water into a steady flow.

The natural world has light and sound to draw entropy from, but certain environments aren't particularly changeable -- a datacenter, for example, is usually just full of white noise and immobile machinery -- so it's not a great source of randomness. So, what Whitewood does is put a quantum optical field right inside the server, and capture the randomness of the photons' naturally unpredictable behavior. (Photons are naturally prone to bunching up, unbunching, then bunching up again, causing the optical field to dim, brighten, and flicker in a completely random way.)

One of the products Whitewood launched at RSA this week, NetRandom, addresses the second problem.

As Raymond Newell, research scientist at Los Alamos National Laboratory and contributor to Whitewood's creation, explains, "We take the randomness we create and spread it across the network."

Before, Entropy Engine only worked on the local device. With NetRandom, they can feed randomness through the network and strengthen the encryption used by virtual machines, cloud instances, clients, servers, and embedded systems in Internet of Things devices. "One of them could support tens of thousands of virtual machines," says Newell.

Any application that uses cryptography can benefit, without needing to make any modifications; and without needing any help from their cloud service providers or IoT device manufacturers.

Newell believes this will be a boon for security on industrial control systems' and other embedded systems that are expected to last 10 to 20 years with minimal support. "One of the reasons we like quantum mechanics is because we're confident it's going to keep up," he says.

Whitewood also announced a partnership with wolfSSL, a company that sells stripped-down crypto toolkits for embedded systems that don't run full-blown operating systems -- like ATMs and IoT devices. The partnership will allow wolfSSL to provide that stronger encryption to customers.

Whitewood also announced an integration with Cryptsoft, an OEM provider of a key management integration protocol. The integration, says Newell, "allows to attest to the origin of the keys," which improves key management and can could further empower digital signatures.

Related content: 

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bpaddock
50%
50%
bpaddock,
User Rank: Strategist
3/14/2016 | 12:46:56 PM
Psyleron Random Number Generator and role of Consciousness in the Physical World
The Psyleron REG-1, a True Random Number/Event Generator, based on extrapolated quantum tunneling, has been around since 2005.

"One of the reasons we like quantum mechanics is because we're confident it's going to keep up..."


While it may keep up, a quantum based device may be open to unexpected influences (by the classical trained), such as those studied by the The Princeton Engineering Anomalies Research (PEAR) Lab.

"The Princeton Engineering Anomalies Research (PEAR) Lab was founded in 1979 by Robert G. Jahn, a professor of aerospace engineering and Dean of the School of Engineering and Applied Science at Princeton University. The lab's objective was to study the ability of consciousness to influence physical processes. The lab was managed by Brenda Dunne, a developmental psychologist trained at the University of Chicago, and had a full-time staff of half a dozen scientists as well as numerous interns and visiting researchers.

During its 28-year history, the lab worked to study and understand the anomalous impact that the mind seemed to have on physical devices, including electronic random event generators (REGs). Research was also conducted into remote perception, the ability of a person to perceive information that should be inaccessible through the standard senses."

See their books "Consciousness and the Source of Reality", "Quirks of the Quantum Mind" and "Margins of Reality: The Role of Consciousness in the Physical World". PEAR accumulated billions of bits of data from the REGs of many types and found the same outcomes over 28 years of study.


When PEAR was shutdown due to funding,  International Consciousness Research Laboratories (ICRL) started up to continue the work.


RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/7/2016 | 11:13:25 AM
Big step
There are definitely some improvements that need to be made but this is a huge step. Using hardware entropy to determine true randomness can open the doorway to breaking other forumulaic output derivatives.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...
CVE-2018-17190
PUBLISHED: 2018-11-19
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code ...
CVE-2018-1841
PUBLISHED: 2018-11-19
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.