Entropy & Key Generation: The Hidden Weak Link скачать в хорошем качестве

Entropy & Key Generation: The Hidden Weak Link

In this session, we break down why randomness is a sometimes overlooked, and yet critical, part of cryptographic key material security. Members of our CCSS committee, along with Ethan Johnson, Information Security Executive and founder of Next Encrypt, will look at how weak entropy leads to predictable keys and why certain pseudo-random number generators still introduce risk in modern systems. We’ll cover how randomness is supposed to work, where it commonly fails, and what strong entropy generation actually looks like in practice. We’ll also walk through real incidents where poor randomness exposed private keys, and outline the practical steps teams should take to generate key material safely by using appropriate entropy sources, approved DRBGs, and well-designed key-generation processes. You will leave with a clear understanding of how to evaluate entropy quality, what red flags to watch for, and what good key-generation evidence should look like in a modern crypto system. Learn about the CCSS here: https://cryptoconsortium.org/standards/ Follow C4 on Twitter:   / learnmorewithc4   Website: Cryptoconsortium.org Chapters: 00:00 Stream opens; entropy and keys 00:33 Panel introductions begin 02:27 Guest Ethan Johnson introduction 02:53 Session agenda: randomness, failures 03:35 Why entropy fails discussion 11:03 CCSS 1.01: key generation scope 13:36 Human scale vs 256-bit space 15:07 Why keys matter versus bank accounts 18:20 RNG sources: /dev/random, diceware 20:27 VMs and cloning entropy risks 21:40 What systems measure as entropy 23:13 Building better entropy pools 26:58 Environmental failures and containers 30:14 Examples where entropy went wrong 37:58 Live demo: timestamp-only entropy 42:28 Avoid single-source or naive seeding 45:20 Android wallet: nonce/K reuse caution 46:36 NIST SP 89A DRBG references 47:24 Use vetted RNGs; don’t roll your own 48:12 Human process controls; multiple participants 49:13 Assume broken until proven otherwise 51:03 How can users verify randomness? 53:04 Reduce trust via diverse supply chains 56:10 Openness beats security by obscurity 57:37 Compartmented entropy with multisig 58:58 Closing; future streams and resources Special Guest: Ethan Johnson:   / ethanj-0x000000000000000000000000000000000...   CCSS Steering Committee: S. Dirk Anderson:   / sdirkanderson   Jameson Lopp:   / lopp   Josh McDougall:   / abstr_ct   Ron Stoner: https://x.com/forwardsecrecy C4 Executive Director: Jessica Levesque:   / jesleveq