Not enough entropy in cloud computing land
According to a presentation given by a group of three researchers, Andrew Becherer, Alex Stamos and Nathan Wilcox, at the recently concluded Black Hat conference, programs outsourced to cloud environments may run into difficulties generating the random numbers needed for encryption and authentication.
To generate (pseudo) random numbers, Linux (for example) relies on as many external events as possible, such as mouse movements, keyboard events and hard drive head movements. According to the presentation, the Linux pseudo-random number generator (PRNG) is first initialised using the time and then fed with hard drive and IRQ events. The researchers note that in a virtual environment all guest systems share the time, and the number of different events is insufficient because physical devices are either absent or shared.
This could enable an attacker to copy and guess the start and increment values used by a virtual machine's PRNG, and to use these values to determine the SSH key pair by calling
Pages 65 to 67 of the presentation slide show outline the potential attack scenario, taking Amazon's EC2 as an example. The authors admit, though, that they are not certain such an attack is actually possible in practice.
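A defensive check for the risk described above, added here as an example and not taken from the presentation: guests that generated SSH host keys from identical or poorly seeded PRNG state can end up with the same key, so this Python code groups lines in `ssh-keyscan` output format by OpenSSH-style SHA256 fingerprint and reports any key seen on more than one host. The host names and key blobs are constructed placeholders, and treating repeated keys as a symptom of weak seeding is an assumption of this example.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text: str):
    """Yield (host, keytype, blob) from 'host keytype base64-key' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, comment or malformed entry
        try:
            blob = base64.b64decode(parts[2], validate=True)
        except ValueError:
            continue  # key field is not valid base64
        yield parts[0], parts[1], blob


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted hosts, only for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for host, _keytype, blob in parse_scan(text):
        hosts_by_key[fingerprint(blob)].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_key.items() if len(h) > 1}


def constructed_blob(seed: bytes) -> str:
    """Placeholder key material for the sample below (not a real SSH key)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()


# Constructed sample input: guest-a and guest-c share a key, guest-a is
# listed twice, and guest-d has a corrupted key field.
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real scan output",
    f"guest-a.example ssh-rsa {constructed_blob(b'same-state')}",
    f"guest-b.example ssh-rsa {constructed_blob(b'other-state')}",
    f"guest-c.example ssh-rsa {constructed_blob(b'same-state')}",
    f"guest-a.example ssh-rsa {constructed_blob(b'same-state')}",
    "guest-d.example ssh-rsa not*base64",
])

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by: {', '.join(hosts)}")
```

Any fingerprint this reports is a reason to regenerate the affected host keys once the guest has a properly seeded PRNG.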