3/4/2016
01:15 AM

Truly Random Number Generator Promises Stronger Encryption Across All Devices, Cloud

So long, pseudo-random number generator. Quantum mechanics brought us true randomness to power our crypto algorithms, and it's strengthening encryption in the cloud, datacenter, and the Internet of Things.

SAN FRANCISCO, RSA Conference -- In light of yet another SSL vulnerability this week, any improvements to the underpinnings of encryption would be welcome. One weakness of encryption algorithms -- one that simply increasing from 128-bit to 256-bit can't solve -- is that they are based on pseudo-random number generators, not truly random number generators.

Whitewood Encryption Systems, which launched in summer 2015, is changing that, by using quantum mechanics.

They generate truly random numbers by harnessing the entropy (randomness or disorder) of nature, which is much more random than any of the sources computing systems currently glean for entropy.

Two problems with old entropy collection

Entropy is collected at the hardware level, typically by actions like keystrokes and mouse movements. There are two troubles here.

One: keystrokes and mouse movements don't create enough entropy.

In a Linux kernel, the entropy is used to create random characters that are put in two special files: /dev/random and /dev/urandom. As Richard Moulds, Whitewood's vice-president of business development and strategy, describes it, /dev/random is the good drinking water -- the true random numbers -- while /dev/urandom may be fine for industrial uses, but you wouldn't want to drink it. If the two were faucets, the usual amount of entropy would produce a steady flow of /dev/urandom, but only a few drips of the delicious /dev/random. So, when an application -- even a cryptographic application -- calls for a random number, it might get one of those low-quality urandom ones.

Two: Since entropy is generated from hardware, every layer of abstraction from the hardware will have reduced access to entropy -- and that's troubling for anyone who uses virtualization.
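
To see what a particular Linux host or guest reports for the two problems above, the following check reads the kernel's entropy estimate and the bound hardware RNG, and probes whether the kernel generator has been seeded. It is an added example, not code from the article or from Whitewood; the file paths are standard Linux interfaces, while the function names and the `low_water` threshold are assumptions made for illustration.

```python
import os
from pathlib import Path

# Standard Linux interfaces (absent files are handled below).
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
HWRNG_CURRENT = "/sys/class/misc/hw_random/rng_current"

def _read(path):
    """Return the stripped file content, or None if it cannot be read."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None

def crng_ready():
    """True if the kernel generator is seeded, False if not, None if unknown."""
    if not hasattr(os, "getrandom"):          # non-Linux or old Python
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)     # never blocks; raises if unseeded
        return True
    except BlockingIOError:
        return False
    except OSError:
        return None

def assess(entropy_path=ENTROPY_AVAIL, hwrng_path=HWRNG_CURRENT, low_water=200):
    """Summarise the host's entropy posture.

    low_water is an illustrative threshold in bits (an assumption, not a
    kernel constant); tune it for the kernel version in use.
    """
    raw = _read(entropy_path)
    avail = int(raw) if raw is not None and raw.isdigit() else None
    hwrng = _read(hwrng_path)
    if hwrng in ("", "none"):                 # kernel prints "none" when unbound
        hwrng = None
    findings = []
    if avail is None:
        findings.append("entropy estimate unavailable")
    elif avail < low_water:
        findings.append(f"entropy estimate low: {avail} < {low_water} bits")
    if hwrng is None:
        findings.append("no hardware RNG bound (e.g. guest without virtio-rng)")
    return {"entropy_avail": avail, "hw_rng": hwrng,
            "crng_ready": crng_ready(), "findings": findings}

if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```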

"One bad reason to do virtualization," says Moulds, "is it's a firewall for entropy. In the virtual world, there ain't no randomness."

Sharing randomness

The product Whitewood launched with in August, the Entropy Engine, addresses the first problem. It turns the drip of drinking water into a steady flow.

The natural world has light and sound to draw entropy from, but certain environments aren't particularly changeable -- a datacenter, for example, is usually just full of white noise and immobile machinery -- so it's not a great source of randomness. So, what Whitewood does is put a quantum optical field right inside the server, and capture the randomness of the photons' naturally unpredictable behavior. (Photons are naturally prone to bunching up, unbunching, then bunching up again, causing the optical field to dim, brighten, and flicker in a completely random way.)

One of the products Whitewood launched at RSA this week, NetRandom, addresses the second problem.

As Raymond Newell, research scientist at Los Alamos National Laboratory and contributor to Whitewood's creation, explains, "We take the randomness we create and spread it across the network."

Before, Entropy Engine only worked on the local device. With NetRandom, they can feed randomness through the network and strengthen the encryption used by virtual machines, cloud instances, clients, servers, and embedded systems in Internet of Things devices. "One of them could support tens of thousands of virtual machines," says Newell.

Any application that uses cryptography can benefit, without needing to make any modifications and without needing any help from their cloud service providers or IoT device manufacturers.

Newell believes this will be a boon for security on industrial control systems and other embedded systems that are expected to last 10 to 20 years with minimal support. "One of the reasons we like quantum mechanics is because we're confident it's going to keep up," he says.

Whitewood also announced a partnership with wolfSSL, a company that sells stripped-down crypto toolkits for embedded systems that don't run full-blown operating systems -- like ATMs and IoT devices. The partnership will allow wolfSSL to provide that stronger encryption to customers.

Whitewood also announced an integration with Cryptsoft, an OEM provider of a key management integration protocol. The integration, says Newell, "allows to attest to the origin of the keys," which improves key management and could further empower digital signatures.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
bpaddock,
User Rank: Strategist
3/14/2016 | 12:46:56 PM
Psyleron Random Number Generator and role of Consciousness in the Physical World
The Psyleron REG-1, a True Random Number/Event Generator, based on extrapolated quantum tunneling, has been around since 2005.

"One of the reasons we like quantum mechanics is because we're confident it's going to keep up..."


While it may keep up, a quantum based device may be open to unexpected influences (by the classical trained), such as those studied by the Princeton Engineering Anomalies Research (PEAR) Lab.

"The Princeton Engineering Anomalies Research (PEAR) Lab was founded in 1979 by Robert G. Jahn, a professor of aerospace engineering and Dean of the School of Engineering and Applied Science at Princeton University. The lab's objective was to study the ability of consciousness to influence physical processes. The lab was managed by Brenda Dunne, a developmental psychologist trained at the University of Chicago, and had a full-time staff of half a dozen scientists as well as numerous interns and visiting researchers.

During its 28-year history, the lab worked to study and understand the anomalous impact that the mind seemed to have on physical devices, including electronic random event generators (REGs). Research was also conducted into remote perception, the ability of a person to perceive information that should be inaccessible through the standard senses."

See their books "Consciousness and the Source of Reality", "Quirks of the Quantum Mind" and "Margins of Reality: The Role of Consciousness in the Physical World". PEAR accumulated billions of bits of data from the REGs of many types and found the same outcomes over 28 years of study.


When PEAR was shut down due to funding, International Consciousness Research Laboratories (ICRL) started up to continue the work.


RyanSepe,
User Rank: Ninja
3/7/2016 | 11:13:25 AM
Big step
There are definitely some improvements that need to be made but this is a huge step. Using hardware entropy to determine true randomness can open the doorway to breaking other formulaic output derivatives.