By Michael Redding, CTO Quantropi
Anyone working in cybersecurity circles is becoming accustomed to hearing the term “entropy-as-a-service.” But what do we really mean by “entropy,” and what is entropy-as-a-service all about?
Entropy is inextricably linked to cryptography. And in our digital era, cryptography has become recognized as the foundation for securing the burgeoning volumes of data flowing across the internet. Ensuring that sensitive information isn’t accessed or breached by unauthorized parties requires strong cryptography, which, in turn, depends on robust entropy.
Entropy refers to the “randomness” of the raw bytes collected by systems for use in algorithms that require random numbers. If a system lacks good entropy, it’s unable to encrypt data robustly, which can render it vulnerable to compromise.
Recognizing the need to embed strong cryptography in worldwide business communications, the National Institute for Science and Technology (NIST) has recommended creating new sources of entropy that are geared to today’s complex computing environments – and the ever-growing sophistication of cyber threats.
Entropy-as-a-service (EaaS) promises to fulfill this mandate. By leveraging the power of cloud computing, it can generate “endless” amounts of entropy with truly random characteristics. Developers can draw on this data when building and securing applications or use it as a tool to conduct cybersecurity testing.
What is Entropy?
Entropy is a scientific concept that’s typically associated with a state of disorder, randomness, or uncertainty. In the context of cybersecurity, entropy is understood as the measure of the randomness or diversity of the binary numbers collected by an operating system or application for use in generating cryptographic keys.
If a data set has comprehensive levels of entropy, no meaningful patterns may be found in it. On the other hand, low-entropy data sets allow for the possibility that future values (cryptographic keys) created from it could be predicted.
As entropy grows – both in quality and quantity – the cryptographic keys generated from it become harder to guess or derive, and so the level of encryption improves.
Why is Entropy so Important?
In some traditional computing systems, people’s interactions with their devices, including their keystrokes, mouse movements, and network interactions are used as the raw input needed to create strong entropy. This unpredictable data is transformed into random numbers to be used in cryptographic functions.
However, the advent of cloud computing and other technological advancements such as the Internet of Things (IoT) has changed this paradigm. That’s because the level of interaction that people have with these devices and systems is limited (if any) so there is insufficient supply of unpredictable behavior to leverage as a raw randomness source. The alternative is to use the randomness functions available in the machine operating system or application programming language, but these machine generated data sets have been shown to have entropy below desired levels. This makes it a significant challenge to provide a sufficiently robust source of entropy to meet cryptographic needs.
As a result, we need to find new sources that can create the volumes of quality random data we need to bolster our security defenses for cloud computing environments, IoT devices, and other embedded systems.
The leading minds in our cybersecurity community have proposed that the solution to the shortage of reliable sources of true entropy may be found by tapping into other external sources of entropy based on a variety of very specialized hardware solutions dedicated to the task of generating bulk strong random numbers. Once generated from the hardware entropy source, these blocks of raw random can be used locally or distributed across a network.
What is Entropy-as-a-Service?
Entropy-as-a-service is an on-demand, cloud-based service that generates and distributes a high-quality supply of entropy for cloud platforms, SaaS and distributed applications, IoT devices, and other embedded computer systems. EaaS gives developers the means to embed robust entropy into the cryptographic keys used by their applications or devices, thus ensuring they’re hardened to withstand any attempts on the part of cybercriminals to breach them or compromise the data they hold.
Entropy-as-a-service provides unique “seeds” that allow random numbers to be securely generated to form strong cryptographic keys.
The specialty hardware capable of generating strong entropy can be expensive, hard to acquire, or not an appropriate form factor for various deployment needs. Entropy-as-a-service (like Software-as-a-service before it) solves many of the cost, availability, and complexity challenges involved, freeing the IT professional or Application Developer from unnecessary overhead.
Benefits of Entropy-as-a-Service (EaaS) for Developers
Entropy-as-a-service is a boon to developers seeking to bolster the quality of their encryption efforts and ultimately better protect user data. That’s because entropy-as-a-service provides them with instant and continuous access to the desired entropy.
So, instead of searching in vain for elusive or expensive entropy sources, they can focus their energies on developing applications and taking them to market swiftly – safe in the knowledge that they have based their data and communications protection on the best foundation possible. EaaS delivers a continuous supply of new entropy that’s free from any patterns or sequences that cybercriminals can forecast and take advantage of when trying to guess or break cryptographic keys.
The Next Frontier: Quantum EaaS
While we all welcome advancements in entropy-as-a-service, there’s no time to rest on our laurels. That’s because there’s a new threat on the horizon: advances in quantum computing.
Quantum computers are one of the most notable and exciting technological advancements of recent years. But they’re also creating new exposure risks since they can quickly solve the complex math problems that form the foundation of today’s information security. Even Google has said that quantum computing could “end encryption” in the near future.
At Quantropi, we believe that the threat is already here and that every organization needs to harden their defences against the “quantum threat.” While many companies can generate very strong “quantum” entropy (raw data sets approaching a level of nearly pure randomness according to a number of benchmark tests published by NIST and other standards bodies), a lingering challenge has been able to distribute it in an a manner impervious to quantum attack / theft at high speed over the internet. Much research and commercial development is focused on solving this issue with approaches such as Quantum Key Distribution (QKD), but they so far remain short of practical and scalable deployments.
Quantropi’s EaaS solution SEQUR™ enables developers, governments, and enterprises to provision and distribute quantum entropy (ultra-strong random numbers) across any network while keeping it completely secure from classical or quantum theft.
This means better data security today and peace of mind knowing that bad actors with quantum computers in the future will not be able to steal your keys and access your data.
Interested in finding out more? Visit our website and get in touch!