Crypto-security company Whitewood on Thursday launched netRandom Free, a cloud-based entropy service. netRandom Free is specifically designed to supplement and strengthen security systems in traditional data centers, virtualized cloud environments and embedded systems, such as the Internet of Things (IoT), where entropy starvation threatens security and creates a risk of data exposure and malicious attack.
netRandom Free is designed to act as a background network-based utility to supplement, not replace, existing entropy sources. With it, security professionals can be confident that applications have access to true random numbers consistently across distributed environments even when they have little or no control over the hardware platform and physical environments that traditionally act as the sources of entropy.
“Poor access to entropy and weakened random number generation has been highlighted by the SANS Institute as one of the 7 most dangerous attacks for 2017. Weak random number generation poses a unique threat since it is essentially undetectable. As with any undetectable vulnerability, we are forced to rely on prevention rather than monitoring and alerts — we need to take proactive rather than reactive measures,” said Richard Moulds, General Manager of Whitewood. “netRandom provides a simple enhancement that helps inoculate servers and virtual machines from generating poor random numbers and therefore weak encryption keys, without requiring changes to applications. Quantum entropy is the only true source of randomness and with our new netRandom Free service, we can now make that available to individuals and organizations of any size.”
The netRandom Free service is part of a broader product portfolio that includes on-premise entropy management systems and quantum random number generators (QRNG) for organizations that prefer to deploy their own dedicated or private security infrastructure.
Security applications and infrastructure, and particularly those that utilize encryption and other forms of cryptography, need access to high quantities of truly random numbers for generating keys that are impossible to predict. With an increasing number of applications running in environments that struggle to collect sufficient entropy to ensure true randomness, netRandom Free addresses the threat of entropy starvation by delivering on-demand, quantum entropy from a cloud-based server over standard IP networks.
The received entropy is used to continuously re-seed existing random number generators within Linux- and Windows-based instances and devices.
At the heart of the netRandom Free service is the Whitewood Entropy Engine, a quantum random number generator and entropy source that was jointly developed with the quantum security team at Los Alamos National Laboratory. This same technology is also available for deployment as dedicated on-premise systems for establishing private entropy services for corporate and government data centers, IoT networks and other distributed applications where direct control is of the utmost importance.
Currently, virtually all random numbers are generated within the operating system. The problem is that software can’t generate true random numbers. Software-based systems are deterministic and rely on capturing random signals or data from the physical world to act as randomizing ‘seeds’.
Due to this requirement, random number generation is traditionally considered to be a local issue. Individual computers capture entropy as best they can, create random numbers, and provide them to local applications. But that model is now changing.
The already widespread and growing use of cryptography raises the bar for randomness, and these current ‘best-effort’ approaches to random number generation are no longer sufficient. The trend towards virtualization and distributed IT environments abstracts our applications from the natural world and the entropy within it.
In the virtual world of headless systems running on shared hardware with dynamic replication, there can be little or no real entropy. This makes it virtually impossible to attest to the quality of key generation and system security without the ability to supplement that entropy supply from a trusted source.
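The replication problem and the re-seeding remedy described above can be shown with a small simulation. This is an added example, not Whitewood's code or protocol: `ToyPool` is a hypothetical, simplified hash-based generator, the snapshot seed is a constructed value, and `os.urandom` stands in for entropy delivered over the network.

```python
import hashlib
import hmac
import os


class ToyPool:
    """Minimal hash-based pool and generator, for illustration only (not a vetted DRBG)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def mix(self, data: bytes) -> None:
        # Supplement, not replace: the new state depends on the old state AND the input.
        self.state = hmac.new(self.state, b"mix" + data, hashlib.sha256).digest()

    def generate(self, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            block = b"out" + counter.to_bytes(4, "big")
            out += hmac.new(self.state, block, hashlib.sha256).digest()
            counter += 1
        # Ratchet the state so earlier output cannot be recomputed from a later state.
        self.state = hmac.new(self.state, b"next", hashlib.sha256).digest()
        return out[:n]


def clone_keys(external_a: bytes = b"", external_b: bytes = b""):
    """Two VMs restored from one snapshot share a seed; return the key each derives."""
    snapshot_seed = b"constructed-snapshot-seed"  # constructed sample value
    vm_a, vm_b = ToyPool(snapshot_seed), ToyPool(snapshot_seed)
    if external_a:
        vm_a.mix(external_a)
    if external_b:
        vm_b.mix(external_b)
    return vm_a.generate(16), vm_b.generate(16)


def key_after_known_input(local_seed: bytes, known_input: bytes) -> bytes:
    """Key derived when the external input is known to an observer."""
    pool = ToyPool(local_seed)
    pool.mix(known_input)
    return pool.generate(16)


if __name__ == "__main__":
    a, b = clone_keys()
    print("clones without reseed produce equal keys:", a == b)
    a, b = clone_keys(os.urandom(32), os.urandom(32))
    print("clones after independent reseed produce equal keys:", a == b)
```

Because `mix` folds the input into the existing state rather than overwriting it, a predictable external input leaves the output no easier to guess than the local seed alone, which is the reason for treating a network source as a supplement.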