Back
Quside Blog
The use of Entropy Core

Random numbers are foundational in cryptography and are produced using so-called entropy source, a hardware component. In other words, in cryptography you always need access to enough entropy of enough quality.

8 de abril de 2024
2 min read
Contact

Therefore, when running your secure applications, the following questions should be always asked: how is my application obtaining entropy? Where is the source of that entropy? Does the entropy source have adequate quality? How do I know? These questions are of special importance when the application is running in an environment that you do not control. For instance, think of virtualized and cloud environments or IoT (Internet of Things) applications.

Quside recently launched the Quside Entropy Core, a solution that provide applications with the required levels of entropy in an easy and homogeneous way, strengthening your security posture by stablishing entropy policies. With the Quside Entropy Core you do not need to worry about the entropy capabilities of the environment where your application is running, which are not always under your control or where you already known entropy production is scarce, as in IoT devices.

Accessing the Quside Entropy Core is remarkably simple from your private network: you can establish an Entropy Connection from your application in the simplest way you can imagine: using a HTTP API.

An example of this API call using the curl tool:

curl ‘https://example.server/entropy?format=json&size=32′ cert client/x509/client_Cert.pem –key client/private/client_Key.pem

where you specify the desired response format (json or binary) and the number of bytes required (32 in the example). In the API call above, we have included explicitly the client’s certificate and the key to use to authenticate the application against the Entropy Core in the TLS connection to request the entropy, but of course you can configure the curl tool to use this certificate by default. The response from Entropy Core would be like:

{

   ‘QES-ID’: 28708,

   ‘QES-qfactor’: 0.9956179857254028,

   ‘entropy_bytes’: ‘TZAAGWBkLU7PEYjg6ZStdpAhlsREvLcvzN5v5ABT48o=’,

   ‘timestamp’: ‘2024-01-12T16:29:31.725505Z’

}

In this case in a json format as requested including not only the entropy bytes requested in base64 format (“entropy_bytes”) but also information on the quality of the entropy provided (“QES-factor”) as well as the identification of the Quantum Entropy Source that generated the entropy (“QES-ID”) and the timestamp of the generation (“timestamp”). That means that your application not only will obtain the required entropy, but also be sure that it is having the required quality. As can be seen the integration of this capability into your application is straightforward, with a simple http request.

Another simple example; if you application is python based you can stablish an Entropy Connection to Entropy Core by simply using the requests and json packages: 

import json

import requests

url = ‘https://example.server/entropy?format=json&size=32’

response = requests.get(url, cert=(‘client/x509/client_Cert.pem’, ‘client/private/client_Key.pem’)

if response.status_code == 200:

    entropy_dict = json.loads(response.content.decode(‘utf-8’))

And parse the required field from the entropy_dict dictionary, as for example: 

print (entropy_dict[‘entropy_bytes’])

>>> 1vp1maNqPNS+3EHQJbGe58zi+yT0oAS7UHTHXxsG98k=

print (entropy_dict[‘QES-qfactor’])

>> 0.9955