Slashdot Mirror

← Back to Stories (view on slashdot.org)

Entropy Problems For Linux In the Cloud

Posted by kdawson on from the mehr-Zufälligkeit dept.

CalTrumpet writes "Our research group recently spoke at Black Hat USA on the topic of cloud computing security. One of the interesting outcomes of our research was the discovery that the combination of virtualization technologies and public system images results in a problem for random number generation on guest operating systems. This is especially true for Linux, since its PRNG uses only a small set of entropy-gathering events, and virtual Linux images often generate SSH host keys within seconds of their initial boot. The slides are available; the PRNG vulnerability material begins at slide 63."

11 of 179 comments (clear)

  1. Getting creative by Brian+Gordon · · Score: 2, Interesting

    How about getting signed entropy from a trusted server on the network/internet? How about putting that microsecond-accurate system clock to use?

    1. Re:Getting creative by Brian+Gordon · · Score: 4, Interesting

      I think of some primitive post-human civilization struggling to industrialize amid the ruins of the heat-dead universe.

      There's little solid matter left. Nobody really knows why; the legends tell of ancient, sprawling empires releasing great monsters that consume worlds and deliver energy to fuel their eons-old wars in the cold between the stars. Several human colonies survived the Last Scourge. One even knew something of their people's history. This colony of merchant-scholars thrived in an old space-borne city drifting about a great lightyears-long dust cloud inexplicably left untouched by the wars. The city was old, very old, built by a generation of master engineers who etched their likenesses in the great canvases of the city's impervious white construction. Quiet machinery lurked untouched in the mysterious depths of the undercity, seen only by outcasts wandering alone through those vast echoing chambers.

      The city provided everything the civilization needed. Somehow (so much seemed like magic to them that even the usually-curious humans grew bored of speculation) their reservoirs filled with water, their air recycled, and their waste disappeared down bottomless shafts. All of their needs were filled, but they craved expansion and exploration. They were able to harvest some limited chemical energy from the food supplied by the city, and build using scrap. Still, entropy was a problem in the dust cloud of Linux. ....

    2. Re:Getting creative by Brian+Gordon · · Score: 2, Interesting

      From my fingers 3 hours ago, you insensitive clod. But if you liked it, maybe I should write similar teasers for some story ideas I've had sitting in a text file for a few months.....

    3. Re:Getting creative by the_womble · · Score: 2, Interesting

      You should. It is well written and has good ideas in it.

  2. Why is this done in software at all? by BadAnalogyGuy · · Score: 3, Interesting

    Why can't the CPU contain a register which holds a random number which is updated with every clock cycle?

    1. Re:Why is this done in software at all? by Timothy+Brownawell · · Score: 3, Interesting

      Why can't the CPU contain a register which holds a random number which is updated with every clock cycle?

      Some do have something like that, although it's only about 800kbps instead of 4 bytes per cycle.

  3. Not surely by Kaseijin · · Score: 3, Interesting

    Generating SSH keys involves interaction via at least keyboard and possibly mouse at a terminal.

    SSH host keys are often generated automatically when the init script notices there aren't any.

  4. Big problem, but addressable by lamber45 · · Score: 3, Interesting
    The nice thing about Linux is that you can develop whatever entropy-producing process you want and write its output to /dev/urandom to add more entropy to the pool. For instance, a boot script could issue an HTTP request to a website backed by a hardware random-number generator (access-control to only machines in the cloud by IP range). It is something to be worried about, though.

    Java code that does cryptography or generates UUIDs (in the hope that they will be a truly universal key for something) operates under similar problems. JavaScript is even worse; all it has is the time, perhaps the user's window-size (not very random if maximised) and mouse-movements, and the built-in random() method, which is not expected to be of cryptographic quality.

  5. evidence that cloud is a fad? by noric · · Score: 2, Interesting

    I'd like some evidence that cloud computing is a fad. Tens of thousands of companies, in dozens of industries, do not list "computing hardware, availability, and capacity management" as a core competency, making them prime cloud customers.

  6. Eh? by ledow · · Score: 3, Interesting

    If you "need" cloud computing, then you're bright enough to install an entropy daemon on one of the machines and maybe even slap a hardware-based RNG on it (probably worth sourcing a VIA or similar just for this purpose, to be honest). It's not hard.

    Anything else, your "randomness" really doesn't matter and the standard entropy will be just fine.

  7. Re:GoDaddy VPS - SSH keys identical by Anonymous Coward · · Score: 1, Interesting

    A better question would be if you changed your known hosts file to assign the key to another VPS IP and ssh'd to that IP, do other servers have the same key?

    Personally, the first thing I would have suspected if this happened to me is that this "wipe and rebuild" backs up part of /etc