The Cloud Might Have Trouble with Encryption

Ralph DeFrangesco

Researchers from iSec Partners have pointed out a possible flaw with cloud computing, just in case we need another. The researchers have described a situation in which there might not be enough randomness for encryption to be fully effective.


Here is their concern: Encryption uses random bits to encrypt data. Random number generators get their data from entropy pools. Entropy pools gather their data, or unpredictable random noise, from a number of sources: local processes, file access, device access, page hits, keyboard clicks, and mouse movements, to name a few. The noise is broken down into a set of random bits that is then used for encryption.


The researchers claim that servers used in cloud computing do not generate enough random bits because they typically do not have keyboards or mice attached. Adding to the problem, they tend to be single-use, short-term servers, and as a result they are not in operation long enough to create strong keys.


If an attacker were to set up their own virtual machine with a cloud provider, they might be able to guess the encryption keys because the entropy pool could be similar. This would greatly reduce the number of calculations needed to guess the complete key.


I feel the probability of this actually happening is small, partly because the researchers at iSec Partners have not been able to guess an encryption key based on this problem. However, I would not rule it out, since the human mind is endless in its abilities.
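
To make the concern concrete, here is an added example (not from the original post or from iSec Partners) that models a toy key generator whose only inputs are state shared by every clone of a server image plus a few bits of boot-time noise. The hashing scheme, function names, image label and bit counts are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

KEY_BYTES = 16  # 128-bit key, regardless of how much entropy went in


def pool_state(image_state: bytes, noise: int) -> bytes:
    """Constructed model of an entropy pool: state baked into the
    server image, mixed with whatever noise was gathered since boot."""
    return hashlib.sha256(image_state + noise.to_bytes(16, "big")).digest()


def derive_key(pool: bytes) -> bytes:
    """Toy generator: the key is a deterministic function of the pool."""
    return hashlib.sha256(b"keygen" + pool).digest()[:KEY_BYTES]


def boot(image_state: bytes, noise_bits: int) -> bytes:
    """Boot one instance that gathers `noise_bits` of unpredictable
    input before generating its key (0 = nothing gathered yet)."""
    noise = secrets.randbits(noise_bits) if noise_bits else 0
    return derive_key(pool_state(image_state, noise))


def effective_key_bits(image_state: bytes, noise_bits: int) -> float:
    """Audit helper: count the distinct keys an instance of this image
    can end up with, and report that count as bits of key strength."""
    keys = {
        derive_key(pool_state(image_state, n))
        for n in range(1 << noise_bits)
    }
    return math.log2(len(keys))


if __name__ == "__main__":
    image = b"constructed-image-v1"  # constructed sample, same for every clone
    # Two clones that generate a key before gathering any noise.
    print("clones share a key:", boot(image, 0) == boot(image, 0))
    # A nominally 128-bit key backed by only 12 unpredictable bits.
    print("effective strength:", effective_key_bits(image, 12), "bits")
    # With a full 128 bits of fresh input the clones diverge.
    print("well-seeded clones differ:", boot(image, 128) != boot(image, 128))
```

A nominally 128-bit key drawn from a pool holding 12 unpredictable bits has only 4,096 possible values, so its real strength is set by the pool, not by the key length.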

Aug 13, 2009 7:09 AM Richard Lewis says:


I would turn this statement around and say that cloud providers need to demonstrate adequate randomness for their nail-up tear-down environments. You don't mention them, but it is possible to get genuine chip-based random number generators which generate those numbers from thermal noise, etc., and those should be more than adequate for the task without needing to rely on other extraneous input such as mice and keyboards.

So summarising, the question really is: What are cloud providers using to ensure adequate randomness?

