
Entropy (or lack thereof) in OpenStack Instances

The lack of quality entropy sources in cloud computing environments is a problem that has gained considerable attention this year, and its consequences permeate the entire fabric of cryptography in enterprises.  Virtual machines typically lack the physical hardware that supplies random noise, such as microphones, wireless adapters, or serial bus interrupts.  Network interrupts generated by traffic (such as ARP requests) are one of the few sources of unpredictable input available to a cloud guest, but even that traffic can be scarce on some networks.  Without sufficient randomness, servers routinely generate TLS and SSH key pairs (RSA/DSA) whose private keys are weak or predictable.

In this session, we'll discuss a draft RFC proposing a network protocol for peer-to-peer exchange of randomness, review an open source implementation of that protocol in C, consider the results of some entropy quality tests, and propose its inclusion as an OpenStack Incubator project. We'll consider the opportunity for cloud guests to collaborate in exchanging randomness in ways that defy prediction by outside observers, internal users, and offline users alike.

We'll also discuss other potential solutions to the problem, such as passing Intel's new DRNG (the RDRAND instruction) through to guests, extending Nova to seed guests with better entropy through a virtio or disk device, and other suggestions brought by attendees.
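As an added example (not part of this session or of the protocol it proposes), a POSIX shell check for the symptom described above: how full the guest kernel's entropy pool is relative to its size, and whether any hardware RNG (such as a virtio-rng device passed through by the hypervisor) is wired into /dev/hwrng. The procfs and sysfs paths are the standard Linux ones; the "starved below a quarter of the pool" threshold is an assumption chosen for illustration, and the file paths are parameters so the functions can be run against copies of the files.

```shell
#!/bin/sh
# Added example, not code from the talk or its protocol implementation.
# Reports a Linux guest's kernel entropy pool level and the hardware RNG
# backend, if any, that feeds /dev/hwrng.

# entropy_status [AVAIL_FILE] [POOLSIZE_FILE]
# Prints "low" when entropy_avail is below a quarter of poolsize (an
# assumed threshold), "ok" otherwise, "unknown" if either file is missing.
entropy_status() {
    avail_file="${1:-/proc/sys/kernel/random/entropy_avail}"
    pool_file="${2:-/proc/sys/kernel/random/poolsize}"
    [ -r "$avail_file" ] && [ -r "$pool_file" ] || { echo "unknown"; return 1; }
    avail=$(tr -dc '0-9' < "$avail_file")
    pool=$(tr -dc '0-9' < "$pool_file")
    [ -n "$avail" ] && [ -n "$pool" ] && [ "$pool" -gt 0 ] || { echo "unknown"; return 1; }
    # Compare against the pool size rather than a fixed number: the pool is
    # 4096 bits on 3.x-era kernels but 256 bits on kernels since 5.18.
    if [ $((avail * 4)) -lt "$pool" ]; then
        echo "low"
    else
        echo "ok"
    fi
}

# hwrng_backend [RNG_CURRENT_FILE]
# Prints the driver currently feeding /dev/hwrng (e.g. "virtio_rng.0" when
# the hypervisor passes a virtio-rng device through), "none" when nothing is
# registered, or "absent" when the guest kernel has no hw_random support.
hwrng_backend() {
    rng_file="${1:-/sys/devices/virtual/misc/hw_random/rng_current}"
    [ -r "$rng_file" ] || { echo "absent"; return 0; }
    backend=$(tr -d '[:space:]' < "$rng_file")
    [ -n "$backend" ] || backend="none"
    echo "$backend"
}

# Run both checks against the live system.
echo "entropy pool: $(entropy_status)"
echo "hwrng backend: $(hwrng_backend)"
```

On a starved 3.x-era guest entropy_avail typically sits at a few dozen bits against a 4096-bit pool, so the check reports low; on kernels since 5.18 the counter saturates at 256 once the CRNG is seeded and the ratio test reports ok, which is why the comparison is against poolsize instead of a fixed number. A backend of none or absent means no hypervisor-provided RNG is feeding the guest and it is relying on interrupt timing alone, which is exactly the situation the session describes.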

Speakers: Dustin Kirkland
