[Gllug] entropykey: why did nobody ever mention this thing before?

James Courtier-Dutton james.dutton at gmail.com
Tue Aug 3 19:53:23 UTC 2010


On 2 August 2010 01:23, Nix <nix at esperi.org.uk> wrote:
> [not quite OT: the makers of this thing are very Linux-friendly,
>  more specifically Debian-friendly ;) and it seems like the sort
>  of thing Linux people might well need; also it's so nifty I have
>  to rave about it]
>
> I just bought an Entropy Key (from <http://www.entropykey.co.uk/>). Why
> did nobody mention the existence of this thing before? Why is nobody
> shouting about it from the rooftops? It's very rare I find a device that
> plainly does everything *right*, with interface software I can't
> complain about at all (free software, nice coding style, very good
> documentation for both the hardware and software, easy network
> export/import of entropy, flexible enough to do everything I can imagine
> and easy to extend thanks to using a Lua-based inner loop, you name it).
> The hardware design appears to be pleasantly paranoid, and the device
> itself is plainly not made out of thin tinfoil as some of these things
> are (dropping it on the floor isn't going to smash it).
>
> And it fixes a real problem: headless boxes and VMs ending up with
> sod-all entropy because pretty much nothing other than keyboard and
> mouse input is considered an acceptable entropy source these days:
> notably network cards aren't. Disk I/O patterns and interrupt patterns
> are, but these do not provide much entropy at *all*, particularly not if
> you've got a lot of memory so you hardly need to touch the disk in
> normal operation, or if you're using a solid-state disk so have had to
> stop the system collecting randomness from the disk timings entirely.
> This tends to mean that all your headless servers end up almost devoid
> of entropy, which is not good. Your VMs have even less chance of getting
> meaningful entropy.
>

Most random number generators are used by encryption functions for key
material of some sort.
Does anyone know why commercial encryption products seem to ignore
TEMPEST considerations?
For a description of TEMPEST, see http://en.wikipedia.org/wiki/TEMPEST
That is about the most correct definition of it I can find, except that
it gets it wrong in the first paragraph.
It seems to correct it in a later paragraph by adding "TEMPEST is not
an acronym".
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



