As security and privacy concerns become an above the fold concern for the public at large and enterprises continue to grapple with targeted intrusions, cryptography is becoming a ubiquitous and necessary characteristic of modern IT systems. While the primitives and core algorithms are well understood, there are still numerous concerns regarding properly encrypting data that transcend decisions such as public vs. private key or key length. Underlying nearly every modern cryptosystem is the need to have cryptographically strong random numbers. Key generation and inclusion of nonces to prevent replay are two areas where lack of quality random numbers can completely destroy the security provided by the underlying cryptosystem.
For decades, we have used Pseudo Random Number Generators (PRNGs) as a surrogate for truly random numbers. While these PRNGs have been generally sufficient for historic cryptographic usage, they are only as good as their underlying entropy source. With advances, such as Perfect Forward Secrecy in TLS (and its wide scale deployment), entropy usage has skyrocketed. Unfortunately, enterprises dont have any understanding of their entropy requirements and entropy usage in the systems we use every day. How much entropy does an OpenSSL PFS transaction actually use? What are the sources of entropy used in your front line webservers? How does entropy creation vary in different versions of Linux? These are all important questions with no clear answer.This talk aims to shine light on the core concerns of entropy creation and entropy utilization. We have analyzed a wide variety of systems, including different versions of the Linux and FreeBSD kernel, OpenSSL, OpenSSH, OpenVPN, and other crypto systems and documented their requirements for random numbers and required amount of entropy to function correctly. The team will also present findings entropy consumption for a variety of TLS modes including the impact of PFS. We will also present analysis of the quality and quantity of entropy sources available on common desktop, laptop, server, and mobile hardware. Finally, the team will also release the first version of our open source software, libentropy, that provides a unified interface for OpenSSL to manage sources of entropy and report status of entropy creation and utilization.