Entropy Problems For Linux In the Cloud 179
CalTrumpet writes "Our research group recently spoke at Black Hat USA on the topic of cloud computing security. One of the interesting outcomes of our research was the discovery that the combination of virtualization technologies and public system images results in a problem for random number generation on guest operating systems. This is especially true for Linux, since its PRNG uses only a small set of entropy-gathering events, and virtual Linux images often generate SSH host keys within seconds of their initial boot. The slides are available; the PRNG vulnerability material begins at slide 63."
Getting creative (Score:3, Interesting)
Why is this done in software at all? (Score:3, Interesting)
Why can't the CPU contain a register which holds a random number which is updated with every clock cycle?
Not surely (Score:4, Interesting)
Generating SSH keys involves interaction via at least keyboard and possibly mouse at a terminal.
SSH host keys are often generated automatically when the init script notices there aren't any.
Big problem, but addressable (Score:4, Interesting)
Java code that does cryptography or generates UUIDs (in the hope that they will be a truly universal key for something) operates under similar problems. JavaScript is even worse; all it has is the time, perhaps the user's window-size (not very random if maximised) and mouse-movements, and the built-in random() method, which is not expected to be of cryptographic quality.
Re:Why is this done in software at all? (Score:4, Interesting)
Why can't the CPU contain a register which holds a random number which is updated with every clock cycle?
Some do have something like that [via.com.tw], although it's only about 800kbps instead of 4 bytes per cycle.
evidence that cloud is a fad? (Score:2, Interesting)
Eh? (Score:4, Interesting)
If you "need" cloud computing, then you're bright enough to install an entropy daemon on one of the machines and maybe even slap a hardware-based RNG on it (probably worth sourcing a VIA or similar just for this purpose, to be honest). It's not hard.
Anything else, your "randomness" really doesn't matter and the standard entropy will be just fine.
Re:Getting creative (Score:5, Interesting)
There's little solid matter left. Nobody really knows why; the legends tell of ancient, sprawling empires releasing great monsters that consume worlds and deliver energy to fuel their eons-old wars in the cold between the stars. Several human colonies survived the Last Scourge. One even knew something of their people's history. This colony of merchant-scholars thrived in an old space-borne city drifting about a great lightyears-long dust cloud inexplicably left untouched by the wars. The city was old, very old, built by a generation of master engineers who etched their likenesses in the great canvases of the city's impervious white construction. Quiet machinery lurked untouched in the mysterious depths of the undercity, seen only by outcasts wandering alone through those vast echoing chambers.
The city provided everything the civilization needed. Somehow (so much seemed like magic to them that even the usually-curious humans grew bored of speculation) their reservoirs filled with water, their air recycled, and their waste disappeared down bottomless shafts. All of their needs were filled, but they craved expansion and exploration. They were able to harvest some limited chemical energy from the food supplied by the city, and build using scrap. Still, entropy was a problem in the dust cloud of Linux.
Re:GoDaddy VPS - SSH keys identical (Score:1, Interesting)
A better question would be if you changed your known hosts file to assign the key to another VPS IP and ssh'd to that IP, do other servers have the same key?
Personally, the first thing I would have suspected if this happened to me is that this "wipe and rebuild" backs up part of /etc
Re:Getting creative (Score:3, Interesting)
Re:Getting creative (Score:3, Interesting)
You should. It is well written and has good ideas in it.