Welcome!

Cloud Security Authors: Kevin Jackson, Ed Featherston, Pat Romanski, Elizabeth White, Shelly Palmer

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Random Clouds, or Rather, Random Numbers in the Clouds

Generation of cryptographic quality random numbers is a difficult science

In the last week or two, the security community has been abuzz with two different papers on the security of RSA keys. It turns out there are tens of thousands of RSA keys out there that are weak: they share a prime modulus with another public key, allowing both keys to be factored (i.e. broken) in a matter of minutes. The dust seems to have settled by now, and the root cause appears to be poor generation of these keys, in other words, low quality random number generators. How does this issue relate to cloud security, Porticor’s forte? Read on…

Random Clouds, or rather, Random Numbers in the Clouds

A True Random Number Generator (xkcd.com)

Generation of cryptographic quality random numbers is a difficult science, well beyond the scope of this blog. Unfortunately, the old saying applies: you get what you pay for. In the case of crypto randomness, the more initial randomness (a.k.a. entropy) you stir into the pot, the better the quality of the random numbers you will get out of it. And the stronger your cryptographic system will become.

The current research is the latest in a long history of cryptanalysis by exploiting faulty random number generators (RNGs). Starting with the early days of SSL, there have been many such attacks on crypto-systems. Perhaps the best known, but certainly the most embarrassing, is the Debian/openssl bug, where for almost two years, any RSA keys on Debian and Ubuntu systems were taken from the space of 215 keys, and were thus trivial to guess. Lucky for us, this was fixed in mid-2008.

Back to the new research: it turns out most of the weak keys are related to that essential ingredient of the stew, initial entropy. Before it can spit out good encryption keys, the RNG needs to be affected by real-life events, such as key-presses, network packets, disk rotations. Now, many systems start out by creating RSA keys (often in the form of certificates) very early on, as early as a few seconds after the system has been turned on. In the case of a PC, there’s already a useful amount of entropy available before any new software is installed. So where do we expect the lack of entropy to be a problem?

Random Clouds, or rather, Random Numbers in the Clouds

Magnetic Random Number Generator for Your Fridge

  • In embedded appliances, which boot up from a “burned” factory image and immediately create some keys.
  • In virtual systems (cloud instances), which boot up from stock software images and immediately go off to create some crypto keys.

All is not lost. When designing a complex virtual system, you can apply some industry best practices to obtain a solid randomness pipeline. This is essential if cryptography is a central part of your application’s security. And with the prevalent use of SSL, this is true for most modern systems.

  • Use the Linux /dev/random and /dev/urandom generator. This generator underwent serious scrutiny. Even though some minor weaknesses were found, it is generally believed to be sufficiently strong for crpytographic uses.
  • Whenever an appliance is booted, and that includes its first-time boot, it should receive an injection of randomness from a central randomness source, which may be your management subsystem. This allows the appliance to generate strong keys as soon as it starts out.
  • The management subsystem itself needs to receive a significant amount of real entropy from user and network interaction.
  • When generating a Master Key for a customer project, combine the strong randomness that you made available on the virtual appliance together with the weak randomness in the user’s browser (unfortunately JavaScript RNGs are still very low quality, but we are hoping to see some improvement). Although this is uncommon in cryptographic engineering, in this case you get the best of the two sources.

It may not be a surprise that all these best practices are implemented in Porticor’s VPD appliance and our Virtual Key Management service. We put significant effort into ensuring that our cryptographic subsystems are fed with crypto-grade randomness. This is yet another aspect of our relentless cloud security drive.

To summarize, the RSA algorithm is as strong as ever, and you definitely need a crypto-grade random number generator to use it securely. This is far from trivial in the cloud, and is yet another reason to get cloud security from the experts.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
What does it look like when you have access to cloud infrastructure and platform under the same roof? Let’s talk about the different layers of Technology as a Service: who cares, what runs where, and how does it all fit together. In his session at 18th Cloud Expo, Phil Jackson, Lead Technology Evangelist at SoftLayer, an IBM company, spoke about the picture being painted by IBM Cloud and how the tools being crafted can help fill the gaps in your IT infrastructure.
"C2M is our digital transformation and IoT platform. We've had C2M on the market for almost three years now and it has a comprehensive set of functionalities that it brings to the market," explained Mahesh Ramu, Vice President, IoT Strategy and Operations at Plasma, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
"delaPlex is a software development company. We do team-based outsourcing development," explained Mark Rivers, COO and Co-founder of delaPlex Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Traditional IT, great for stable systems of record, is struggling to cope with newer, agile systems of engagement requirements coming straight from the business. In his session at 18th Cloud Expo, William Morrish, General Manager of Product Sales at Interoute, outlined ways of exploiting new architectures to enable both systems and building them to support your existing platforms, with an eye for the future. Technologies such as Docker and the hyper-convergence of computing, networking and sto...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, explored the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences between wh...
It’s 2016: buildings are smart, connected and the IoT is fundamentally altering how control and operating systems work and speak to each other. Platforms across the enterprise are networked via inexpensive sensors to collect massive amounts of data for analytics, information management, and insights that can be used to continuously improve operations. In his session at @ThingsExpo, Brian Chemel, Co-Founder and CTO of Digital Lumens, will explore: The benefits sensor-networked systems bring to ...
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
Large scale deployments present unique planning challenges, system commissioning hurdles between IT and OT and demand careful system hand-off orchestration. In his session at @ThingsExpo, Jeff Smith, Senior Director and a founding member of Incenergy, will discuss some of the key tactics to ensure delivery success based on his experience of the last two years deploying Industrial IoT systems across four continents.
Much of IT terminology is often misused and misapplied. Modernization and transformation are two such terms. They are often used interchangeably even though they mean different things and have very different connotations. Indeed, it is somewhat safe to assume that in IT any transformative effort is likely to also have a modernizing effect, and thus, we can see these as levels of improvement efforts. However, many businesses are being led to believe if they don’t transform now they risk becoming ...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
IoT generates lots of temporal data. But how do you unlock its value? You need to discover patterns that are repeatable in vast quantities of data, understand their meaning, and implement scalable monitoring across multiple data streams in order to monetize the discoveries and insights. Motif discovery and deep learning platforms are emerging to visualize sensor data, to search for patterns and to build application that can monitor real time streams efficiently. In his session at @ThingsExpo, ...
There will be new vendors providing applications, middleware, and connected devices to support the thriving IoT ecosystem. This essentially means that electronic device manufacturers will also be in the software business. Many will be new to building embedded software or robust software. This creates an increased importance on software quality, particularly within the Industrial Internet of Things where business-critical applications are becoming dependent on products controlled by software. Qua...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...