“Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number—there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method.”
~John von Neumann
The takeaway: Access to high-quality entropy is required at every point of our digital infrastructure to ensure strong cybersecurity.
What Protects Your Data
Cybersecurity has been an imperative since the very first Internet hacks, but it has become more difficult to ensure in recent years. As organizations rely on more virtual machines, Internet of things (IoT) devices and web applications, more points of vulnerability are created and the importance of strong cryptography increases.
Entropy is what makes strong cryptography possible—it’s what makes cryptographic locks stronger and more difficult for hackers to pick.
What is Entropy?
In physics, entropy is a measure of randomness in a closed system. You can think of entropy as unpredictability. It’s not an absolute: you can have stronger entropy or weaker entropy.
In cryptography, entropy is used to produce random numbers, which in turn are used to produce security keys to protect data while it’s in storage or in transit.
The greater the quality of random number generation (RNG), the greater the quality of random keys produced, and thus the higher the security value of the key.
Traditional Sources of Entropy in Computing
The challenge for security teams is that computers aren’t very good at generating truly random numbers on their own, and the entropy needs to come from somewhere else. Here are some common sources:
- Human input such as mouse movements, keyboard stroke timings, video game controllers, etc.
- Timing of storage device interrupts, e.g. from a hard drive or solid state drive.
- Timing of network packets.
- Audio and video data (noise).
- Fan noise.
- Internal clock drift.
This random input and output (IO) is converted into usable data, collected, and stored by the operating system for later use. After a random number is used it can never be used again (as duplicates would be easier to crack), so a fresh random number must be generated. And this requires more entropy.
If the pool of random data becomes fully empty, it can cause long wait times when an app or process requests random data for encryption purposes. More entropy must be generated and collected before the request can be fulfilled.
The Problem With Gathering Entropy
In today’s world, many of our modern digital systems such as embedded devices, IoT devices, and virtual machines do not have direct human interaction.
The number of these devices now outnumbers the amount of people on the planet, and will continue to grow into the hundreds of billions over the coming years. The old assumption that you could always leverage a user as an easily-accessible and high-quality source of entropy in a digital system no longer holds. High-quality entropy is now a critical performance and security requirement.
Entropy is not only used to generate strong cryptographic keys—operating systems need it to run efficiently and securely. The very fabric of the Internet, the domain name system (DNS), needs it for random transaction IDs. Web application frameworks, which rely on the Java Virtual Machine, also need access to large quantities of entropy.
In essence, entropy is one of the foundations of the communication networks that enable our digital economy.
Entropy and Cybersecurity
Internet security can never take a break. As cybersecurity evolves, so do the hacking attempts. So how do we fight back?
We fight back with consistent sources of high-quality entropy.
Thankfully, it’s possible to ensure that the cybersecurity of your enterprise is safe and encrypted.
The National Institute of Science and Technology (NIST) has been hard at work to offer solutions to cybersecurity threats. With their Entropy-as-a-Service (EaaS), NIST offers next-level entropy designed to be collected and used by The Root of Qaos™, a quantum-ready cybersecurity appliance designed to protect your systems from the next generation of adversaries.