By Michael Redding, CTO Quantropi
Anyone working in cybersecurity circles is becoming accustomed to hearing the term “entropy-as-a-service.” But what do we really mean by “entropy,” and what is entropy-as-a-service all about?
Entropy is inextricably linked to cryptography. And in our digital era, cryptography has become recognized as the foundation for securing the burgeoning volumes of data flowing across the internet. Ensuring that sensitive information isn’t accessed or breached by unauthorized parties requires strong cryptography, which, in turn, depends on robust entropy.
Entropy refers to the “randomness” of the raw bytes collected by systems for use in algorithms that require random numbers. If a system lacks good entropy, it’s unable to generate random numbers robustly, which can render it vulnerable to compromise.
Recognizing the need to embed strong cryptography in worldwide business communications, the National Institute of Standards and Technology (NIST) has recommended creating new sources of encryption entropy that are geared to today’s complex computing environments – and the ever-growing sophistication of cyber threats.
Entropy-as-a-service (EaaS) promises to fulfill this mandate. By leveraging the power of cloud computing, it can generate “endless” amounts of entropy with truly random characteristics. Developers can draw on this data when building and securing applications or use it as a tool to conduct cybersecurity testing.
What is Entropy?
Entropy is a scientific concept that’s typically associated with a state of disorder, randomness, or uncertainty. Entropy in cybersecurity is understood as the measure of the randomness or diversity of the binary numbers collected by an operating system or application for use in generating cryptographic keys.
If a data set has comprehensive levels of entropy, no meaningful patterns may be found in it. On the other hand, low-entropy data sets allow for the possibility that future values (cryptographic keys) created from them could be predicted.
As entropy grows – both in quality and quantity – the cryptographic keys generated from it become harder to guess or derive, and so the level of encryption improves. With that in mind, using a high-entropy source for generating cryptographic keys is critical in cybersecurity.
Why is Entropy So Important?
We now know what entropy is, but why is entropy in cybersecurity even a concern? Why is high entropy a requirement for a secure cryptographic system?
Well, pretty much any cryptographic system uses random numbers to generate its encryption and decryption keys. We take these random numbers from the so-called pseudorandom number generators, or PRNGs.
Why “pseudorandom”? That’s because the random numbers used in modern cryptography are not truly random – they are produced by special mathematical algorithms. To get a random number, you supply a PRNG algorithm with a source number called a seed. The algorithm takes the seed, does some predefined mathematical operations on it, and gives you your “random” number.
PRNG algorithms leverage a variety of sources of seeds to produce a large collection of random numbers. Sources of random seeds include the current time, keyboard or mouse input, and hardware statistics. PRNG algorithms can take these values and convert them into “random” numbers. And because the range of possible values in seed sources can be vast, PRNGs can produce a huge variety of different numbers. The sheer quantity of possible outputs makes the numbers appear random (though in reality, they are not).
We’ve successfully used PRNGs for decades, but they have a glaring problem in cybersecurity – they are deterministic, meaning that they produce the exact same “random” numbers if given the exact same seed. This means that pseudo-random numbers (and hence cryptographic keys) could potentially be predicted by an attacker.
To offset this, we can increase the entropy of our seeds by collecting them from a larger variety of sources. The more diverse our seeds are, the higher their entropy is, and the less likely it is that attackers will be able to figure out our random numbers and cryptographic keys.
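As an added illustration (not code from the original article), the following Python demonstrates the two points made above: a seeded PRNG is deterministic, and the entropy of a key can never exceed the entropy of the seed it was derived from, here measured with the empirical Shannon and most-common-value min-entropy estimators. The figure of 86,400 distinct seeds is a constructed assumption for a clock with one-second resolution over a day.

```python
import math
import random
import secrets
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte (8.0 is ideal)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def min_entropy_per_byte(data: bytes) -> float:
    """Most-common-value min-entropy estimate, the conservative figure that
    NIST-style entropy assessments report: -log2 of the most frequent byte's share."""
    if not data:
        return 0.0
    return -math.log2(max(Counter(data).values()) / len(data))


def seeded_key(seed: int, nbytes: int = 16) -> bytes:
    """Derive a 'key' from a non-cryptographic PRNG seeded with `seed`.
    Constructed only to show determinism; never derive real keys this way."""
    return random.Random(seed).randbytes(nbytes)


def seed_space_bits(distinct_seeds: int) -> float:
    """Upper bound on key entropy: log2 of the number of distinct seed values.
    A one-second clock offers only 86,400 seeds per day (about 16.4 bits), no
    matter how many output bits the PRNG stretches that seed into."""
    return math.log2(distinct_seeds)


def csprng_key(nbytes: int = 16) -> bytes:
    """The correct approach: draw key material from the OS CSPRNG, which is
    continuously reseeded from the kernel's entropy pool."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    print("same seed, same key:", seeded_key(1234) == seeded_key(1234))
    print("seed space of a 1 s clock: %.1f bits" % seed_space_bits(86_400))
    sample = csprng_key(4096)
    print("CSPRNG output: %.2f Shannon, %.2f min-entropy bits/byte"
          % (shannon_entropy_per_byte(sample), min_entropy_per_byte(sample)))
```

The min-entropy figure is always at or below the Shannon figure; it is the one that matters for key strength because an attacker only needs the most likely values to be guessable.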
Up until recently, finding new sources of encryption entropy was relatively easy. For quite a while, PRNGs were more than fine for cybersecurity, but this is about to change soon – drastically.
Sources of Entropy Are Growing Thinner and Thinner
The advent of cloud computing and other technological advancements such as the Internet of Things (IoT) has changed the way we perceive entropy in encryption. That’s because the level of interaction that people have with these devices and systems is limited (if any), so there is an insufficient supply of unpredictable behavior to leverage as a raw randomness source.
The alternative is to use the randomness functions available in the machine operating system or application programming language, but these machine generated data sets have been shown to have entropy below desired levels. This makes it a significant challenge to provide a sufficiently robust source of entropy to meet cryptographic needs.
The quantum threat makes the issue even more serious. Quantum computers will be so powerful that our current sources of entropy may turn out to be not random enough. Quantum computers might be able to easily derive the output of PRNGs, entirely defeating their purpose.
We have to find new entropy sources that can create the volumes of quality random data we need to bolster our security defenses for cloud computing environments, IoT devices, and other embedded systems.
The leading minds in our cybersecurity community have proposed that the solution to the shortage of reliable sources of true entropy may be found by tapping into other external sources of entropy based on a variety of very specialized hardware solutions dedicated to the task of generating bulk strong random numbers. Once generated from the hardware entropy source, these blocks of raw random data can be used locally or distributed across a network. And here’s where quantum entropy comes into play.
The Next Frontier: Quantum Entropy
Quantum computers are one of the most notable and exciting technological advancements of recent years. But while they will bring a lot of good to the world, they will also create new exposure risks since they can quickly solve the complex math problems that form the foundation of today’s information security. Even Google has said that quantum computing could “end encryption” in the near future. And as we mentioned above, one of the ways in which quantum machines could defeat encryption is by predicting the output of PRNGs.
Quantum entropy is the answer to the vulnerability of traditional PRNGs to future quantum computers. Quantum-based encryption entropy can leverage the randomness of physical processes at quantum levels to generate truly random numbers that never repeat and cannot be predicted. You can then use these true random numbers to generate robust cryptographic keys.
Now, some people consider the quantum threat to be at least a decade away, so why even bother with quantum entropy? At Quantropi, we believe that the threat is coming sooner rather than later and that every organization needs to harden its defense against the quantum threat as soon as possible. To this end, businesses can adopt one of the many quantum services available on the market – however, they are more often than not far from ideal.
While many companies can generate very strong “quantum” entropy (raw data sets approaching a level of nearly pure randomness, according to a number of benchmark tests published by NIST and other standards bodies), a lingering challenge has been distributing it in a manner impervious to quantum attack or theft at high speed over the internet.
Much research and commercial development is focused on solving this issue with approaches such as Quantum Key Distribution (QKD), but they so far remain short of practical and scalable deployments. Quantum entropy might remain unattainable for the vast majority of businesses for quite a while because of its technological and budget requirements. With that said, even if you can’t afford to have on-premises quantum protection, quantum entropy-as-a-service can help you reap the benefits of ultra-high entropy without completely revamping your infrastructure.
What is Quantum Entropy-as-a-Service?
Entropy-as-a-service (EaaS) is an on-demand, cloud-based service that generates and distributes a high-quality supply of entropy for cloud platforms, SaaS and distributed applications, IoT devices, and other embedded computer systems. Entropy-as-a-service provides unique “seeds” that allow random numbers to be securely generated to form strong cryptographic keys.
Quantum entropy-as-a-service (QEaaS) enhances standard EaaS with quantum sources of entropy. QEaaS gives developers the means to embed robust, quantum-ready entropy into the cryptographic keys used by their applications or devices, thus ensuring they’re hardened to withstand any attempts on the part of cybercriminals to breach them or compromise the data they hold.
What’s the value of EaaS for businesses looking for better, more high-quality sources of entropy? Well, the specialty hardware capable of generating strong entropy can be expensive, hard to acquire, or have the wrong form factor for various deployment needs. Embedding strong sources of entropy into IoT devices, laptops, or cell phones can be impractical or even impossible because of the cost and size constraints of special entropy-generating hardware.
Entropy-as-a-service (like Software-as-a-Service before it) solves many of the cost, availability, and complexity challenges involved, freeing the IT professional or Application Developer from unnecessary overhead. Quantum entropy-as-a-service takes EaaS one step further and introduces truly random seeds to dramatically enhance the security of your cryptographic keys.
Benefits of Quantum Entropy-as-a-Service for Developers
QEaaS, and EaaS in general, are a boon to developers seeking to bolster the quality of their encryption efforts and ultimately better protect user data. That’s because entropy-as-a-service provides them with instant and continuous access to the desired entropy.
So, instead of searching in vain for elusive or expensive entropy sources, they can focus their energies on developing applications and taking them to market swiftly – safe in the knowledge that they have based their data and communications protection on the best foundation possible. QEaaS delivers a continuous supply of new entropy that’s free from any patterns or sequences that cybercriminals can forecast and take advantage of when trying to guess or break cryptographic keys.
Quantum Entropy-as-a-Service with Quantropi’s SEQUR™
The SEQUR™ quantum service embodies the QEaaS offering of Quantropi. One of Quantropi’s three TrUE quantum data protection technologies, SEQUR™ enables developers, governments, and enterprises to provision and distribute quantum entropy across any network while keeping it completely secure from classical or quantum theft.
This means better data security today and peace of mind knowing that bad actors with quantum computers in the future will not be able to steal your keys and access your data.
With SynQK synchronized quantum key distribution, SEQUR™ can deliver quantum entropy to any network-connected device, be it an on-premises desktop computer or an employee’s personal device. SynQK offers digital QKD functionality and can deliver true random numbers over the wire and wirelessly at distances up to 15,000 kilometers.
SEQUR™ and the whole line of Quantropi’s quantum-secure cryptographic solutions are available in QiSpace™ – a quantum-secure SaaS cybersecurity platform.
Interested in finding out more? Visit our website and get in touch!