More entropy!
Entropy is often described as a “measurement of disorder” in some contexts. Some people define entropy simply as a “counter” of the number of possible configurations on a given system, but before you close the tab on your browser, let’s not delve into complex matters such as the Boltzmann’s formula or anything like that… We would rather focus on what is information entropy and why is relevant in security, showing a practical example about how to augment the entropy when we generate cryptographic material with tools like Hashicorp Vault and a Hardware Security Module (HSM).
In computing, thanks to the contributions of Claude Shannon, the information entropy is defined as a measurement of the uncertainty associated with a random variable.
Adequate levels of entropy are critical in security as random number generation (RNG) plays a very relevant role for cryptographic applications. If the random numbers are predictable, the cryptographic material can be potentially compromised.
For some tasks is often enough with the levels of entropy that many operating systems such as Linux offers since its early versions through /dev/random and other similar devices. The source of entropy is often the environmental noise collected from device drivers.
For other tasks, those levels of entropy are not enough and need to be augmented to avoid a potential compromise. Many times is even a requirement of some regulatory frameworks and examples of these attacks are not that rare indeed, as the vulnerabilities and incidents of the pervasive MIFARE cards from NXP, the OpenSSL package of Debian or Sony with their Playstation 3 revealed the consequences of operating with inadequate levels of entropy, as insecure randomness is a vulnerability.
In order to augment the entropy, we will use the recently released version of Hashicorp Vault 1.3 and a cloud HSM that supports the PKCS11 interface in a public cloud provider.
For this example we will use a Cloud HSM cluster of a single instance on AWS that will be spun up in the eu-west-2 region (London):
After creating the cluster and the HSM instance within the cluster, we will initialise it. Make sure the Vault instance can talk with the HSM in order to start managing the HSM. Remember to check the Security Groups or you will spend some time wondering what is going on. It happened to a friend of mine ;)
Once the HSM cluster is up and running we can check it out:
ubuntu@ip-10–0–101–51:~$ pkcs11-tool — module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -L
Available slots:
Slot 0 (0x1): Cavium Slot
token label : cavium
token manufacturer : Cavium Networks
token model : NITROX-III CNN35
token flags : login required, token initialized
hardware version : 3.1
firmware version : 2.4
serial num : 3.1G1741-ICM0002
pin min/max : 117440512/536870912And get connected to it:
ubuntu@ip-10–0–101–51:~$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
Ignoring E2E enable flag in the configuration file
Connecting to the server(s), it may take time depending on the server(s) load, please wait…
Connecting to server ‘10.0.101.14’: hostname ‘10.0.101.14’, port 2225…
Connected to server ‘10.0.101.14’: hostname ‘10.0.101.14’, port 2225.
E2E enabled on server 0(10.0.101.14)
aws-cloudhsm>We should create a new user for our test and then simply configure the seal and entropy stanzas of our vault instance:
seal "pkcs11" {
lib = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
slot = "1"
pin = "vault:mysecretpassword"
key_label = "entropy_demo"
hmac_key_label = "entropy_hmac_demo"
generate_key = "true"
}
entropy "seal" {
mode = "augmentation"
}Now everything is ready to leverage an external source of entropy such as our HSM cluster, so Vault will allow us to do encryption as a service with augmented entropy, just add the -external-entropy-access flag when you are enabling EaaS:
ubuntu@ip-10–0–101–51:~$ vault secrets enable -path=augmented-entropy-transit -external-entropy-access transit
Success! Enabled the transit secrets engine at: augmented-entropy-transit/That’s it! You can now leverage the entropy augmentation using Encryption as a Service.
