entropy as a service
play

Entropy as a Service Unlocking the full potential of cryptography - PowerPoint PPT Presentation

May 01, 2023 •29 likes •199 views

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

  1. Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST

  2. A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto - lighter versions of legacy protocols - tinyDTLS, lightweight DTLS - post-quantum cryptography New crypto is cool but have we solved all known problems with conventional crypto?

  3. • In modern cryptography the algorithms are well-known • Security depends largely on the secrecy of the keys • Cryptographic keys must be (nearly) impossible to guess • Key generation and key management govern the strength and security of keys • Key generation is strongly dependent on entropy Courtesy of XKCD

  4. The big question Where are the keys coming from?

  5. Real World Examples 2013 • Factoring RSA keys from certified smart cards (Coppersmith in the wild) , • Bernstein, Chang, Cheng, Chou, Heninger, Lange, van Someren Problem: Low-quality hardware RNG, stuck in a short cycle: • 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 etc. Likely reasons for using this weak design : cost of high-quality hardware, the cost of licensing patents 5

  6. Real World Examples 2012 • Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices (Heninger, Durumeric, Wustrow, Halderman) Scanned 28 Mil TLS and 23 Mil SSH hosts on the Internet • - 0.75% of TLS certificates share keys - due to insufficient entropy during key generation - another 1.70% come from same faulty implementations • - able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts • - public keys shared nontrivial common factors due to entropy problems • - able to obtain DSA private keys for 1.03% of SSH hosts - due to insufficient signature randomness 6

  7. Real World Examples 2016 • The Linux kernel dissected - four sources of kernel entropy: • • Device • • Input • • Interrupt • • Disk Strong demand for entropy through /dev/urandom (non-blocking) • “minimal” (no GUI) • Ubuntu Server • v14.04.3 64-bit w/ • Kernel v4.2.3 7

  8. Testing randomness is hard • Using a finite set of statistical tests on data samples can lead to misleading results – EXAMPLE: expand a well-known irrational number, e.g. π , and test the output bit sequence for randomness. Chances are, it will be reported as random. Using the statistical test approach makes it hard to automate the estimation of entropy – automation is critically important for the new CMVP NIST 8

  9. Our approach High-Quality entropy from a provably good source • How about delivering high-entropy random data from a provably good source to needy clients? • Public service providing high-entropy random data for use in cryptography - Entropy as a Service (EaaS) – - delivers entropy securely (no one can see) upon request from clients – - clients seed DRBG’s after mixing EaaS random data with local random data – - clients use the DRBG output to generate local keys independently from EaaS 9

  10. Our solution is • NOT a key generation service – - cryptographic keys are generated locally on the client using DRBG’s – - clients DRBG’s are seeded with random data resulting from mixing several independent sources, including local random data – - even if an attacker gains full control of one server, he/she will have no possibility of gaining meaningful insights into the clients’ keys • NOT similar to the NIST beacon – - EaaS does NOT record any incoming or outgoing record – - EaaS does NOT record any internally generated random data 10

  11. Our solution is 11

  12. A protocol sketch Client EaaS HTTP GET (w/ own public key and the number of requested random bytes) • • <response> • <entropy> • encrypted base64-encoded random blob • </entropy> • <timestamp></timestamp> • <dsig></dsig> • </response> 12

  13. Potential attacks and defenses • Attacks mitigated by protocol features and provisioning – - Message replay – - Man-In-The-Middle – - DNS poisoning 13

  14. Potential attacks and defenses • Attacks mitigated by mixing data from multiple EaaS instances – - Honest-but-curious EaaS instance – - Dishonest but non-colluding EaaS instances – - Dishonest and colluding EaaS instances 14

  15. Status and next steps Linux Kernel Entropy Revisited: • uses EaaS client to request random bits from EaaS server and seeds the image pool • C program, using the “RNDADDENTROPY” ioctl to add the entropy. 15

  16. Status and next steps • See project page at : http://csrc.nist.gov/projects/eaas/ – Functional prototype implemented • - demonstrated in September at the CIF 2015 in Washington, DC – Planning to stand-up a publicly accessible NIST EaaS in Q2, 2016 • - publish server and client sample code on GitHub – - allow people to look, enhance, adopt as they please – Conceive a public criteria for reputable EaaS hosts 16

  17. Questions?

Recommend

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J. A. Laeven Dept. of Econometrics and OR Tilburg University, CentER and Eurandom based on joint work with Mitja Stadje August 30, 2011 Entropy

442 views • 40 slides
Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy The Maximum Entropy (MaxEnt) method is a methodology to assign or update probability distributions to describe systems which are not completely

202 views • 17 slides
Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for describing low-level computation on modern CPUs (c) 2009 Entropy Wave Inc Motivation (c) 2009 Entropy Wave Inc Motivation Want maintainable assembly

611 views • 28 slides
1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

Introduction to Information Retrieval Entropy: a basic introduction 1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less compressible High entropy = high randomness/low compressibility Low entropy =

236 views • 19 slides
1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

Plasma Entropy in the Magnetosphere Joachim Raeder 1 , Kai Germaschewski 1 , LiWei Lin 1 Space Science Center, University of New Hampshire, Durham, NH 03824, USA Congre ASTRONUM, Biarritz, France, July 2, 2013 Basic Structure of the

499 views • 11 slides
Computing and Communications 2. Information Theory -Entropy Ying Cui Department of Electronic

Computing and Communications 2. Information Theory -Entropy Ying Cui Department of Electronic

1896 1920 1987 2006 Computing and Communications 2. Information Theory -Entropy Ying Cui Department of Electronic Engineering Shanghai Jiao Tong University, China 2017, Autumn 1 Outline Entropy Joint entropy and conditional

778 views • 50 slides
Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut

Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut

Introduction Black hole entropy in MB model Black hole entropy in PGT Entropy of conformally flat black holes Conclusion Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut za fiziku, Beograd

331 views • 31 slides
Maximum Entropy Beyond Fact to Explain Selecting Probability Maximum Entropy . . . Explaining a

Maximum Entropy Beyond Fact to Explain Selecting Probability Maximum Entropy . . . Explaining a

Need to Select a . . . Maximum Entropy . . . Simple Examples of . . . A Natural Question Maximum Entropy Beyond Fact to Explain Selecting Probability Maximum Entropy . . . Explaining a Value: . . . Distributions Explaining a . . . Need

446 views • 33 slides
Entropy Change in Entropy Reversible Isobaric Process Ideal Gas in a Reversible Process Free

Entropy Change in Entropy Reversible Isobaric Process Ideal Gas in a Reversible Process Free

Entropy Change in Entropy Reversible Isobaric Process Ideal Gas in a Reversible Process Free Expansion of an Ideal Gas Microscopic Interpretation of Entropy Entropy and the Second Law of Thermodynamics

466 views • 11 slides
Chapter 4 Entropy Rates of a Stochastic Process Peng-Hua Wang Graduate Inst. of Comm.

Chapter 4 Entropy Rates of a Stochastic Process Peng-Hua Wang Graduate Inst. of Comm.

Chapter 4 Entropy Rates of a Stochastic Process Peng-Hua Wang Graduate Inst. of Comm. Engineering National Taipei University Chapter Outline Chap. 4 Entropy Rates of a Stochastic Process 4.1 Markov Chains 4.2 Entropy Rate 4.3 Example: Entropy

256 views • 13 slides
Zero entropy systems Dominique Perrin May 12, 2016 Dominique Perrin Zero entropy systems May

Zero entropy systems Dominique Perrin May 12, 2016 Dominique Perrin Zero entropy systems May

Zero entropy systems Dominique Perrin May 12, 2016 Dominique Perrin Zero entropy systems May 12, 2016 1 / 22 Introduction Subject: symbolic systems of zero entropy, focusing on systems of linear complexity. How can we describe them? The

456 views • 22 slides
Entropy and mixing for Z d SFTs Ronnie Pavlov University of Denver www.math.du.edu/ rpavlov

Entropy and mixing for Z d SFTs Ronnie Pavlov University of Denver www.math.du.edu/ rpavlov

Measure-theoretic entropy Measures of maximal entropy Mixing for MMEs Entropy and mixing for Z d SFTs Ronnie Pavlov University of Denver www.math.du.edu/ rpavlov 1st School on Dynamical Systems and Computation (DySyCo) CMM, Santiago, Chile

1.1k views • 64 slides
Welcome to my talk on thermodynamic information geometry. My basic theme is that spontaneous

Welcome to my talk on thermodynamic information geometry. My basic theme is that spontaneous

Entropy fluctuations reveal microscopic structures George Ruppeiner New College of Florida 18-30 November 2019 5th International Electronic Conference on Entropy and Its Applications George Ruppeiner (New College of Florida) Entropy

624 views • 30 slides
Entropy of the Internal State of an FCSR in Galois Representation Andrea R ock INRIA Paris -

Entropy of the Internal State of an FCSR in Galois Representation Andrea R ock INRIA Paris -

Entropy of the Internal State of an FCSR in Galois Representation Andrea R ock INRIA Paris - Rocquencourt, France Fast Software Encryption Lausanne, February 12, 2008 Outline FCSR Entropy after one Iteration Final Entropy

467 views • 19 slides

More recommend