Endpoint
3/4/2016
01:15 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Truly Random Number Generator Promises Stronger Encryption Across All Devices, Cloud

So long pseudo-random number generator. Quantum mechanics brought us true randomness to power our crypto algorithms, and it's strengthening encryption in the cloud, datacenter, and the Internet of Things.

SAN FRANCISCO, RSA Conference -- In light of yet another SSL vulnerability this week, any improvements to the underpinnings of encryption would be welcome. One weakness of encryption algorithms -- one that simply increasing from 128-bit to 256-bit can't solve -- is that they are based on pseudo-random number generators; not truly random number generators.

Whitewood Encryption Systems, which launched in summer 2015, is changing that, by using quantum mechanics.

They generate truly random numbers by harnessing the entropy (randomness or disorder) of nature, which is much more random than any of the sources computing systems currently glean for entropy.

Two problems with old entropy collection

Entropy is collected at the hardware level, typically by actions like keystrokes and mouse movements. There are two troubles here.

One: keystrokes and mouse movements don't create enough entropy.

In a Linux kernel, the entropy is used to create random characters that are put in two special files: dev/random and dev/urandom. As Richard Moulds, Whitewood's vice-president of business development and strategy, describes it, dev/random is the good drinking water -- the true random numbers -- while dev/urandom may be fine for industrial uses, but you wouldn't want to drink it. If the two were faucets, the usual amount of entropy would produce a steady flow of dev/urandom, but only a few drips of the delicious dev/random. So, when an application -- even a cryptographic application -- calls for a random number, they might get one of those low-quality urandom ones.

Two: Since entropy is generated from hardware, every layer of abstraction from the hardware will have reduced access to entropy -- and that's troubling for anyone who uses virtualization.

"One bad reason to do virtualization," says Moulds, "is it's a firewall for entropy. In the virtual world, there ain't no randomness."

Sharing randomness

The product Whitewood launched with in August, the Entropy Engine, addresses the first problem. It turns the drip of drinking water into a steady flow.

The natural world has light and sound to draw entropy from, but certain environments aren't particularly changeable -- a datacenter, for example, is usually just full of white noise and immobile machinery -- so it's not a great source of randomness. So, what Whitewood does is put a quantum optical field right inside the server, and capture the randomness of the photons' naturally unpredictable behavior. (Photons are naturally prone to bunching up, unbunching, then bunching up again, causing the optical field to dim, brighten, and flicker in a completely random way.)

One of the products Whitewood launched at RSA this week, NetRandom, addresses the second problem.

As Raymond Newell, research scientist at Los Alamos National Laboratory and contributor to Whitewood's creation, explains, "We take the randomness we create and spread it across the network."

Before, Entropy Engine only worked on the local device. With NetRandom, they can feed randomness through the network and strengthen the encryption used by virtual machines, cloud instances, clients, servers, and embedded systems in Internet of Things devices. "One of them could support tens of thousands of virtual machines," says Newell.

Any application that uses cryptography can benefit, without needing to make any modifications; and without needing any help from their cloud service providers or IoT device manufacturers.

Newell believes this will be a boon for security on industrial control systems' and other embedded systems that are expected to last 10 to 20 years with minimal support. "One of the reasons we like quantum mechanics is because we're confident it's going to keep up," he says.

Whitewood also announced a partnership with wolfSSL, a company that sells stripped-down crypto toolkits for embedded systems that don't run full-blown operating systems -- like ATMs and IoT devices. The partnership will allow wolfSSL to provide that stronger encryption to customers.

Whitewood also announced an integration with Cryptsoft, an OEM provider of a key management integration protocol. The integration, says Newell, "allows to attest to the origin of the keys," which improves key management and can could further empower digital signatures.

Related content: 

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bpaddock
50%
50%
bpaddock,
User Rank: Strategist
3/14/2016 | 12:46:56 PM
Psyleron Random Number Generator and role of Consciousness in the Physical World
The Psyleron REG-1, a True Random Number/Event Generator, based on extrapolated quantum tunneling, has been around since 2005.

"One of the reasons we like quantum mechanics is because we're confident it's going to keep up..."


While it may keep up, a quantum based device may be open to unexpected influences (by the classical trained), such as those studied by the The Princeton Engineering Anomalies Research (PEAR) Lab.

"The Princeton Engineering Anomalies Research (PEAR) Lab was founded in 1979 by Robert G. Jahn, a professor of aerospace engineering and Dean of the School of Engineering and Applied Science at Princeton University. The lab's objective was to study the ability of consciousness to influence physical processes. The lab was managed by Brenda Dunne, a developmental psychologist trained at the University of Chicago, and had a full-time staff of half a dozen scientists as well as numerous interns and visiting researchers.

During its 28-year history, the lab worked to study and understand the anomalous impact that the mind seemed to have on physical devices, including electronic random event generators (REGs). Research was also conducted into remote perception, the ability of a person to perceive information that should be inaccessible through the standard senses."

See their books "Consciousness and the Source of Reality", "Quirks of the Quantum Mind" and "Margins of Reality: The Role of Consciousness in the Physical World". PEAR accumulated billions of bits of data from the REGs of many types and found the same outcomes over 28 years of study.


When PEAR was shutdown due to funding,  International Consciousness Research Laboratories (ICRL) started up to continue the work.


RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/7/2016 | 11:13:25 AM
Big step
There are definitely some improvements that need to be made but this is a huge step. Using hardware entropy to determine true randomness can open the doorway to breaking other forumulaic output derivatives.
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.