You’re convinced your SSL sessions are secure, aren’t you? Well, perhaps you shouldn’t be.
At the recent DIGS DC event in Zurich, Gilles Trachsel, Partner Executive at IDQ, gave a keynote presentation outlining the inherent vulnerabilities associated with SSL applications based on a poor source of entropy.
Here’s a little known fact for you… your SSL application is only as good and secure as the underlying random number generator (RNG).
Nowadays, most organisations rely upon the use of OpenSSL, OpenSSH or OpenVPN to secure remote access to their business-critical data and applications. One thing that these systems have in common is that they sit on a Linux platform and create their security encryption keys by pulling random numbers from the Linux kernel.
In order to guarantee absolute security, the random number generator must not be vulnerable to prediction or bias. A random number, by definition, should be unpredictable.
Now, this might seem like a relatively simple task. After all, the clue is in the name right? Random number generator. In reality, true randomness is not easy to come by. In the real world, truly random number generation, from start-up is difficult to achieve. In part, this is because machines and operating systems (like Linux) are, at their heart, deterministic.
In order to be truly secure, any OpenSSL application needs access to highly secure keys the moment the Linux system starts. Take a web server, for example. The moment it boots you want the SSL libraries, which secure connections to the website, to be able to generate truly random and unpredictable key sequences.
Unfortunately, it’s been proven that Linux cannot guarantee this high level of randomness at start-up. This ultimately exposes your organisation to unnecessary risks and security breaches.
Random number generation is a critical security and reliability criterion in many demanding SSL applications running in your data center today. A suitable source of entropy must be implemented in order to make these applications truly and instantly secure.
To find out more about data centre encryption solutions and quantum cryptography, contact IDQ direct on +41 22 301 83 71 or email email@example.com
A copy of the presentation is available to DOWNLOAD HERE