I gave two presentations today at the OpenStack Design Summit in sunny San Diego, CA, as we prepare for the Grizzly development cycle.
In this presentation, I spent about 40 minutes discussing several research papers over the last 6 years showing the problems with entropy and randomness in cloud computing. Namely:
- The Analysis of the Linux Random Number Generator (2006)
- The iSEC Partners Presentation at BlackHat (2009)
- Minding your P's and Q's (2012)
There's two pieces of the entropy problem in OpenStack and cloud computing that I'm interested in helping improve:
- Better initial seeds for the psuedo random number generator at instance initialization
- Better ongoing entropy gathering throughout the lifetime of the instance.
To the first point (better seeds), I suggested a series of technologies that could significantly improve the situation in OpenStack in the near term:
- The hypervisor could provide a random seed through a block device to the guest
- The hypervisor could expose a urandom device through the metadata service
- Actually, I'm sitting next to Scott Moser right now, who attended my talk earlier today and merely hours after my talk, he has already hacked this into the OpenStack metadata service :-) His merge proposal is here. This is why I love open source software...
- The user can pass their own locally generated seed to the instance through cloud-init and the userdata
- Additional seed data can be assembled through the aNerd protocol
- There's lots more to say about this one...I'll have another post on this soon!
As for improving the ongoing entropy gathering...
- Eventually, a new wave of cloud servers with modern CPUs will have Intel's DRNG feature and leverage the new rdrand instruction
- Unfortunately, we're probably a little ways off from that being widely available
- Colin King has benchmarked it -- really impressive performance!
- KVM's new virtio-rng driver is pretty cool too, allowing a server to pass through access to a hardware random number generator
- HAVEGE simply rocks, and should be installed in every cloud instance
- Gazzang's zTrustee encryption key manager also supports a secure, authenticated entropy service (as a commercial offering from my employer)
Enjoy!
:-Dustin
No comments:
Post a Comment
Please do not use blog comments for support requests! Blog comments do not scale well to this effect.
Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com
Thanks,
:-Dustin