MID-047: Sufficient Entropy for Keys

Mitigation Tier: Foundational

Description

To create sufficiently random keys, a device needs a source of data with a high degree of entropy so that the keys are not predictable. If a device without a sufficient entropy source creates a key, threat actors may be able to guess the inputs that seeded the key or the pseudo-random number generator (PRNG), and so recreate the key or predict the PRNG output. With high-entropy input, keys and seeds are fully random and cannot be recreated by threat actors, which makes them cryptographically stronger.

Devices typically feed their entropy pools by collecting the unpredictable least significant bits from device events, such as the absolute and relative timing between hardware interrupts, user input, and other similarly unpredictable events. Complex devices like desktop and server PCs can rely on plentiful sources of such events. Embedded devices often do not have as rich a set of hardware, may have no direct interactive user input, run fewer processes and applications, and are generally more regular and constrained in their actions. As a result, embedded systems can have a shallower pool of entropy to draw upon when they need to generate cryptographic keys.

Operations that consume data from an entropy pool to generate keys or seed PRNGs must wait until a sufficient quantity is available. To avoid (potentially long) pauses in operation, especially at boot up, some devices have been known to use non-blocking sources, and as a result the keys they generated were predictable and vulnerable to attack. To remain secure, devices should use a blocking entropy pool that waits until there is sufficient entropy to fulfill the request for random numbers. If a device has no way to generate enough entropy on first boot, it may require mechanisms to obtain additional entropy (e.g., asking for random user input). If that is not practical, the design may need to be modified to include a cryptographic-quality hardware-based random number generator (see MID-048 - Hardware Random Number Generator and MID-060 - Dedicated Hardware Cryptographic Modules).
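The blocking behaviour described above, as an added example that is not part of the original mitigation text. It assumes an embedded Linux device with glibc 2.25 or later and the getrandom(2) system call; the function names entropy_pool_ready and generate_key are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Non-blocking probe, for logging or boot diagnostics only.
 * Returns 1 if the kernel pool is seeded, 0 if not yet, -1 on error. */
int entropy_pool_ready(void)
{
    unsigned char probe;
    ssize_t n;
    do {
        n = getrandom(&probe, sizeof probe, GRND_NONBLOCK);
    } while (n < 0 && errno == EINTR);
    if (n == 1)
        return 1;
    return (errno == EAGAIN) ? 0 : -1;
}

/* Fill key[0..len) from the kernel CSPRNG. With flags == 0 the call
 * blocks until the pool has been initialised, so early-boot callers
 * wait instead of receiving predictable output.
 * Returns 0 on success, -1 on error (the buffer must then be discarded). */
int generate_key(unsigned char *key, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(key + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            return -1;             /* e.g. ENOSYS on a very old kernel */
        }
        got += (size_t)n;          /* short reads are possible: loop */
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];         /* 256-bit key, constructed example size */
    if (entropy_pool_ready() == 0)
        fprintf(stderr, "entropy pool not seeded yet, key generation will wait\n");
    if (generate_key(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    puts("256-bit key generated from a seeded pool");
    return 0;
}
```

The probe only reports readiness; key material always comes from the blocking call, so a slow first boot delays key generation rather than weakening the key.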

Note: Using sufficiently random keys is an important part of maintaining the security guarantees that a good cryptographic algorithm will provide. See MID-044 - Strong Cryptographic Algorithms and Protocols for more information about cryptographic algorithms.

IEC 62443 4-2 Mappings

  • CR 4.3 - Use of cryptography 