Ensuring Good Entropy Sources is Not a Random Act (M23b)
In the realm of government certification schemes, entropy sources are closely scrutinized via their design documents, quality justifications, and health-checks. Government security validation programs, such as FIPS 140-2 and Common Criteria, have specific requirements laid out in several special publications. Often security certification efforts for Cisco products are placed in jeopardy as these requirements cannot be met. Not only are the certifications impacted, weak entropy sources can result in cryptographic and security vulnerabilities which then inevitably lead to cyberattacks. The Global Certification Team (GCT) has compiled a list of the most common hurdles faced during certification efforts which are associated with entropy sources. When issues do arise they are often related to testability, entropy harvesting rate and size and lack of design documents. This presentation will focus on the entropy source requirements for government security certification processes and some commonly found issues, their solutions and knowledge base. Both hardware and software sources shall be discussed. The presentation will also highlight special cases such as 3rd party hardware sources or entropy for virtual platforms.