What is entropy?
if you ask a chemist or physicist, entropy is disorder or heat. If you ask an electrical engineer, entropy is both of those but it is also a measure of potential information content.
James Glieck’s wonderful book The Information addresses this in detail, but the short version is that an unpredictable data stream carries more information. A highly predictable data stream carries very little information as you were already expecting its contents.
What’s the security connection?
A number of processes need good sources of entropy. We need pure randomness to generate unguessable keys for network connections and file encryption. Truly random numbers are needed for Diffie-Hellman secret values for key negotiation, and for the initialization vectors used during encryption.
Without truly random numbers, TCP connections can be hijacked because their initial sequence number could be predicted, and DNS information can be spoofed and DNS server caches poisoned with bogus data because query and response IDs could be predicted.
An operating system contains an entropy engine, a software module that generates what we hope is reasonably random data. This is used by the operating system for TCP, and can be used by applications.
But a computer program by itself is deterministic. Zero entropy. The operating system must gather entropy by monitoring mechanical processes like disk controller I/O timing, packet arrival timing from the Ethernet interface, and human use of the keyboard and mouse.
What if this is inadequately random, or can’t produce random bits fast enough?
Physics to the rescue!
Researchers at the Australian National University have built a device that observes the appearance and disappearance of virtual sub-atomic particles in a vacuum. What’s more, they have connected the apparatus to the Internet! Their media announcement is here, and you can access their truly random number generator here. You can download as much as you would like, and everyone gets their own independent bit stream.
Unlike other physics-based truly random sequence generators (anyone for counting decay events from the radioactive material in smoke detectors or lantern mantles?), the ANU device produces random bit streams at 1 Gbps. It could go faster, but they have already saturated the bandwidth in their lab. They are looking into commercializing the design, hoping to shrink it from a laser lab tabletop to the size of a thumb drive.
Learning Tree’s Introduction to Computer and Network Security and Cloud Security Essentials courses discuss the importance of careful key generation and careful TCP and DNS implementation. No laser safety glasses required!