Richard Moulds, General Manager at Whitewood Security, explains why we can’t afford to leave random numbers to chance to protect our data.
When is a random number not a random number? The problem with answering this question is that it is impossible to tell a truly random number from one that isn’t. The number Pi, 3.14159265358979323846…, looks random, but we know it isn’t.
This seems trivial, but random numbers are more important to us than you might think. Random numbers are used widely in computer systems for applications from gaming to adding texture to graphics and statistical modelling. But the most obvious case where randomness is critical is with cryptography, which increasingly underpins the security of our sensitive data. The use of encryption has become ubiquitous in modern IT environments and plays a vital role in emerging technologies such as blockchain and bitcoin services and in helping to comply with the EU’s General Data Protection Regulation (GDPR). If organisations can demonstrate that data was encrypted, they don’t have to disclose that they lost it.
Random numbers are used to make the encryption keys that lock and unlock access to data or systems. Billions of keys are made every day and almost every web connection, email, credit card transaction or IoT communication relies on them. We tend to believe that as long as something is encrypted, it must be safe. But if the cyber criminals can steal or calculate these keys, it’s game over as far as data security is concerned. While organisations are getting better at keeping keys secure, guessing keys is getting easier as computers get faster. And if quantum computing becomes a reality, its unique processing capabilities will make key cracking a walk in the park.
The only way to mitigate the risk of keys being cracked, both now and in the future, is to make sure the random numbers that we use to generate keys are truly random. Most of us don’t know and don’t care how random numbers are generated; they are largely taken for granted. In practice, most random numbers are generated by computer operating systems. And that’s where the problem lies. By definition, software is deterministic; it’s pre-programmed and not designed to act randomly. If it does something random, we call it a bug!
To trigger behaviour that is even vaguely random, the operating system looks for sources of external randomness – more properly called entropy – the statistical measure of disorder within a set of data. Entropy is usually sourced by sampling some aspect of the computer’s physical environment. Everything from user mouse clicks, radio noise and timing jitter in the hardware to sounds captured by a microphone or video captured by a camera, all yield some amount of entropy.
But what happens when you move to the cloud environment? Abstracting the application from the physical world cuts off its main supply of entropy. There simply aren’t many sources of natural randomness behind the walls of a data centre. The same is true with the Internet of Things, where devices can also suffer from entropy starvation since they tend to be low-power and low-cost devices, designed for a specific task and with very limited access to randomness. It’s just another example of where security takes a back seat and specialist security functions like key generation are frequently overlooked.
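The point of the preceding paragraphs in code, as an added example that is not part of the original article: a 256-bit key produced by deterministic software is only as unpredictable as the entropy that seeded it. The 16-bit seed, the `keygen-demo` label and all function names are assumptions chosen for the demonstration.

```python
import hashlib
import secrets

KEY_BYTES = 32  # 256-bit key


def derive_key(seed: int) -> bytes:
    """Deterministic generator: the same seed always yields the same key."""
    return hashlib.sha256(b"keygen-demo" + seed.to_bytes(8, "big")).digest()[:KEY_BYTES]


def starved_keygen(seed_bits: int) -> tuple[int, bytes]:
    """Model of an entropy-starved device: only `seed_bits` bits are unpredictable."""
    seed = secrets.randbelow(2 ** seed_bits)  # constructed stand-in for scarce entropy
    return seed, derive_key(seed)


def search_seed_space(key: bytes, seed_bits: int):
    """Audit a key by enumerating every possible seed.

    Returns (seed, attempts) if the key came from this seed space,
    otherwise (None, attempts).
    """
    for attempts, candidate in enumerate(range(2 ** seed_bits), start=1):
        if derive_key(candidate) == key:
            return candidate, attempts
    return None, 2 ** seed_bits


def os_keygen() -> bytes:
    """Key drawn directly from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


if __name__ == "__main__":
    seed, weak_key = starved_keygen(16)
    found, attempts = search_seed_space(weak_key, 16)
    print(f"256-bit key from 16-bit seed: seed {found} found in {attempts} tries")
    found, attempts = search_seed_space(os_keygen(), 16)
    print(f"256-bit key from OS CSPRNG: seed found = {found} after {attempts} tries")
```

Both keys are 256 bits long and look equally random; only the first falls to a search of 65,536 candidates, which is why key length alone says nothing about strength.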
So, if we are going to be sure of keeping our data secure wherever our applications run, we need to create a source of entropy or randomness that will span our entire application environment and stand the test of time, even withstand the arrival of quantum computers.
Ironically, quantum mechanics may also provide the solution. Quantum entropy sources exploit random behaviour at the sub-atomic level, which is fundamentally random and unpredictable by any attacker, even with unlimited resources. Only quantum systems are able to produce output values that are truly unpredictable and independent from one another. This is because the behaviour of the universe at the smallest scale – the quantum level – is fundamentally unpredictable.
But simply building a trusted source of quantum entropy isn’t enough. The next challenge is to deploy it. Unfortunately, specialist hardware components are not a great fit in modern IT environments that are increasingly virtualised, containerised or hosted in public clouds where commoditisation and standardisation are the name of the game. Similarly, adding extra hardware to low-cost IoT devices is likely to be commercially unacceptable.
The concept of “entropy-as-a-service” might provide the solution. It’s a concept where entropy is delivered over the network from a centralised source. Over time, we might come to see shared entropy servers as an essential ‘utility’ service in a data centre, following a similar model to how time and date services are delivered over the network to servers and appliances today. From a security point of view, entropy generation is too important to be left up to individual machines.
What is clear though is that anything other than true randomness introduces risk. It’s tempting to take random numbers for granted but that would be a mistake. Our reliance on cryptography continually raises the bar for generating true random numbers and therefore completely unpredictable and uncrackable keys. Complete confidence in your security systems can only come from a consistent supply of true entropy across your entire application environment. Randomness can no longer be left to chance.