[Gllug] entropykey: why did nobody ever mention this thing before?

general_email at technicalbloke.com general_email at technicalbloke.com
Wed Aug 4 01:33:49 UTC 2010


On 03/08/10 20:53, James Courtier-Dutton wrote:
> On 2 August 2010 01:23, Nix<nix at esperi.org.uk>  wrote:
>    
>> [not quite OT: the makers of this thing are very Linux-friendly,
>>   more specifically Debian-friendly ;) and it seems like the sort
>>   of thing Linux people might well need; also it's so nifty I have
>>   to rave about it]
>>
>> I just bought an Entropy Key (from<http://www.entropykey.co.uk/>. Why
>> did nobody mention the existence of this thing before? Why is nobody
>> shouting about it from the rooftops? It's very rare I find a device that
>> plainly does everything *right*, with interface software I can't
>> complain about at all (free software, nice coding style, very good
>> documentation for both the hardware and software, easy network
>> export/import of entropy, flexible enough to do everything I can imagine
>> and easy to extend thanks to using a Lua-based inner loop, you name it).
>> The hardware design appears to be pleasantly paranoid, and the device
>> itself is plainly not made out of thin tinfoil as some of these things
>> are (dropping it on the floor isn't going to smash it).
>>
>> And it fixes a real problem: headless boxes and VMs ending up with
>> sod-all entropy because pretty much nothing other than keyboard and
>> mouse input is considered an acceptable entropy source these days:
>> notably network cards aren't. Disk I/O patterns and interrupt patterns
>> are, but these do not provide much entropy at *all*, particularly not if
>> you've got a lot of memory so you hardly need to touch the disk in
>> normal operation, or if you're using a solid-state disk so have had to
>> stop the system collecting randomness from the disk timings entirely.
>> This tends to mean that all your headless servers end up almost devoid
>> of entropy, which is not good. Your VMs have even less chance of getting
>> meaningful entropy.
>>
>>      
> Most random number generators are used by encryption functions for key
> material of some sort.
> Does anyone know why commercial encryption products seem to ignore
> TEMPEST considerations.
> For description of TEMPEST see http://en.wikipedia.org/wiki/TEMPEST
> That is about the most correct definition of it I can find except that
> is gets it wrong in the first paragraph.
> It seems to correct it in a later paragraph by adding "TEMPEST is not
> an acronym".
>    

If what you're doing is so sensitive that being tempested is a 
legitimate concern then you've probably got more to worry about than the 
quality of your entropy pool...

http://xkcd.com/538/

Roger.




-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list