Author: Marty Meehan

Marty Meehan is a senior director at Cognitio Corporation. He writes at and the cyber focused Threat Brief. Marty's background is in the national security technology sector.

The Entropy Problem: Random Data and Secure Cryptography

The strength of any cryptosystem depends in large part on the unpredictability of the data used in the encryption process. Unfortunately, some of today’s most commonly-used sources of “random” data depend on inputs that have the potential to inject predictable data, and therefore weakness, into the process.

Low-entropy data sources produce encryption keys that can be attacked much more easily than a truly random key. Even high-performance pseudorandom number generators that have been certified as “cryptographically secure” may prove to be insufficiently random once large-scale quantum computers become available.

Full-entropy random data provides the highest possible security against potential key attacks. Even quantum computers, while they may be able to break the asymmetric keys currently used in public key infrastructure, are expected to be ineffective against truly random AES-256 encryption keys. Random number generators that measure quantum physical processes are able to deliver truly random data at speeds up to 1 Gb/second, effectively solving the entropy problem for government entities and other organizations that store and process highly sensitive information.

For further information you can read the PKWare white paper in the CTOvision library. 

Download “The Entropy Problem: Random Data and Secure Cryptography” WP_Entropy-Problem.pdf – Downloaded 17 times – 4 MB

QuintessenceLabs is Named a Tech Pioneer for 2018

The World Economic Forum has named QuintessenceLabs one of their Tech Pioneers for 2018!QuintessenceLabs joins a prestigious list of previous awardees such as Google, Spotify, Twitter, AirBnB and Atlassian.

This year's pioneers were chosen based on their innovative breakthroughs and creative solutions to many different global challenges. QuintessenceLabs was selected for their significant contributions to the field of data protection, including efforts in preparing organizations for the quantum age, when strong cybersecurity will become even more crucial than it is now.QuintessenceLabs solutions include the leading commercial quantum random number generator, an advanced encryption key and security policy manager, and “virtual zeroization” solutions for securing sensitive data in uncontrolled environments.

Find out more here.

Remote Access or Remote Browsing – the Showdown

Interesting observations made by Henry Harrison, CTO at Garrison Technology.

Remote access has a venerable history. According to that infallible source Wikipedia, the Telnet protocol was first developed in 1969. Twenty years later, Citrix was founded to provide remote access solutions for Windows platforms. Today’s options include RDP, PCoIP, VNC, SSH, XWindows (OK, not really – but NX counts!) and others.

Some uses of remote access are all about convenience. VDI promises a reduction in management costs. High Performance Computing environments use remote access because it’s impractical to put a supercomputer on every desktop.

Remote access as a security tool

But in other cases, remote access is used as a security tool. We don’t want people working with sensitive data on their insecure home PCs – but we use remote access to allow them to use their home PC to remotely control a more secure computer where they can work with that sensitive data.

Home working is a well-known use case. But there are others. For example, organisations that have critical operational systems sometimes isolate these from their main corporate network – they might be able to afford a compromise of their corporate systems but they can’t afford a compromise of their operational systems. And when employees – administrators, usually – need access to the operational systems, they use remote access. Often, they call the remote access platform that provides this a “jump box”.

It’s a great idea. Don’t worry about the security of the end user’s machine – just use remote access to let them drive a system where the security is much more easily controlled.

But how well does the idea stand up to scrutiny?

The vulnerability in remote access

The challenge with remote access is that in principle, if an attacker manages to take control of the end user’s machine (using their own covert and malicious form of remote access) then they can do anything that the user can do.

They can certainly read any confidential information that is available on the secure system. And beyond reading it, they can scrape it and use OCR to recover the raw information.

What about the other way round – rather than stealing information, can the attacker damage or modify the secure systems? Well, by definition, anything the administrator can do to the secure system, the attacker can do – and ultimately, administrators can do absolutely anything. And there might be other, unexpected things that an attacker could do too: for example, might they be able to “type” Base64 encoded data and a script to decode it into a secure system, in order to transfer binary malware onto it?

Of course, it’s not quite as simple as that. Remote access will involve an authentication and authorisation step where the user will need to enter a password and a two-factor authentication code. (Obviously if you don’t use two-factor authentication then it really is trivial – just keylog the password and initiate remote access at any time).

With two-factor authentication, the attacker does need to wait for the legitimate user to log on. Their job then is to hijack the legitimate session and use it to do whatever they want. It’s the same principle as the “man in the browser” attacks that have been used successfully against online banking services.

Remote access vs remote browsing

There are many attractions to remote access – but as we’ve seen, there are vulnerabilities that really can’t be mitigated. What’s the alternative?

The alternative is to accept that any system is only as secure as the endpoint that’s using it. That means that secure systems should only be accessed using endpoint machines that are as secure as they are. And the problem with that is that some users might rapidly find themselves needing several different endpoint machines – one to access the most secure systems, one to access mainstream corporate systems, and one to access untrusted Internet systems…

That’s not a very attractive working model.

Remote browsing turns the remote access model on its head. Rather than accessing a secure system from an insecure endpoint machine, remote browsing allows a secure endpoint machine to access insecure systems. That’s fundamentally better from security perspective – because done right, remote browsing can make it near-impossible for an attacker to compromise the endpoint machine, and thus give them no way of getting at any secure systems.

“Done right” in this case means that communications from less secure systems are converted into raw bitmaps (and the equivalent for sound) – a format that eliminates potential attacks. A raw bitmap is a fixed size memory buffer, so any data an attacker might write into it constitutes a valid, if potentially weird, image – meaning there is essentially no attack surface.

The secure endpoint stays secure, protecting the secure systems that it can access. But the user of the secure endpoint has access to everything, including potentially high risk systems such as random unknown websites.

The winner

In our opinion, remote browsing wins the showdown. Remote access is an in-principle insecure architecture. Remote browsing is in-principle secure.

But let’s not pretend it’s a trivial win. Firstly, making sure that a secure endpoint machine only connects to equivalently secure systems is undoubtedly hard in an era of ubiquitous Internet connections. I fear that pain is just unavoidable if you’re serious about security.

And secondly, as with any security solution, it’s all very well being secure in principle: the implementation needs to be secure in practice as well. That’s much more challenging for a remote browsing technology than it is for a remote access technology – have a look at if you want to know more about why that is.

Ending the Entropy Drought

Cognitio CorpFederal agencies are modernizing with cloud and mobile technologies, yet both will present new security challenges. One such challenge is the ability to handle the magnitude of requests for good random numbers, which are required for most security services to function correctly. And a high amount of entropy – the degree of randomness in a system – is needed for strong, truly random numbers. Over the past 18 months, several low-entropy vulnerabilities were discovered and, in some cases, exploited on mobile devices, virtual machines (VMs) and cloud providers. Organizations need to consider adding a standard service that provides a true random number generator with an endless supply of entropy.

Cognitio looks at the challenges low entropy places on an organization's infrastructure and the benefits of a high entropy service in the paper at this link:

Download “Ending the Entropy Drought -- Cognitio” Ending-the-Entropy-Drought-2018.pdf – Downloaded 29 times – 216 KB


QuintessenceLabs Introduces Stronger Key Management Appliances

QuintessenceLabs (QLabs), in partnership with PKWARE, launched four virtual and hardware key management appliances as part of the company’s line of Smartcrypt appliances. These Smartcrpyt appliances are integrated with the QLabs' Trusted Security Foundation (TSF) solution, which includes a high speed random number generator, an advanced key and policy manager and an embedded FIPS 140-2 Level 3 hardware security module for key storage.

QuintessenceLabs’ TSF solution includes qStream, a full-entropy true random number generator that delivers high quality encryption keys derived from a quantum source. The random nature of these keys makes them totally unpredictable and enables PKWARE to offer the strongest data encryption quality to government agencies and commercial clients.

Moreover, the TSF provides advanced key and policy management capabilities with qCrypt. The fully interoperable and flexible key and policy manager enables a centralized management of cryptographic objects with full lifecycle usage, policy control and advanced replication capabilities.

The partnership of QuintessenceLabs with PKWARE creates an enhanced and seamless enterprise level data protection solution right from key generation, management, and storage through to data focused encryption delivering an end-to-end encryption solution for the highest security.

If you’re interested in learning more about the Trusted Security Foundation and the qStream quantum random number generator, please visit:

To learn more about the Smartcrypt appliance, and to read the full press release, please visit: