
Understanding the Juniper Entropy Beacon


Juniper Entropy Beacon Overview

The Juniper Entropy Beacon (JEB) feeds high-quality entropy over the network from an SRX345 Services Gateway to entropy-starved clients. This entropy can be used by any entropy-consuming application or device. Entropy is a key component of cryptographic security systems. Generating symmetric and asymmetric cryptographic keys requires entropy, and low or poor entropy leads to predictable keys, compromising the encryption and the overall security of the system. The SRX Services Gateway can produce large amounts of entropy continuously and quickly, making it a reliable source for network-based entropy sharing.

Starting in Junos OS Release 19.1R1, devices can use JEB to talk to an SRX345 Services Gateway and request up to 64 KB of entropy at a time. JEB uses its own protocol to respond to these requests. The protocol is carried inside a TLSv1.2 session, which protects the seed in transit. JEB also requires clients to authenticate with X.509 certificates, so the server can attribute each request to a specific client and detect API abuse.

JEB uses a simple request-response Layer 7 protocol wrapped in TLSv1.2. To send an entropy seed request to a JEB server, connect to the server over TLSv1.2 and send a command in the following format: {S: size}. The size variable is the number of entropy bytes you are requesting. The JEB server responds by sending an entropy seed of the specified size, as long as the size falls within the server's configured parameters.

Configuring a Juniper Entropy Beacon Server

This example shows how to configure a Juniper Entropy Beacon (JEB) server on an SRX345 Services Gateway. A JEB server can send high-quality entropy over the network to entropy-consuming applications and devices.

Requirements

This example uses the following hardware and software components:

  • An SRX345 Services Gateway

  • Junos OS release 19.1R1 or later

You must load your own certificate-key pair, as well as a trusted CA bundle, onto the SRX345 Services Gateway before you configure the JEB server.

Overview

A JEB server sends out entropy seeds through a request-response Layer 7 protocol wrapped in TLSv1.2. You can configure the maximum size of the entropy seeds, as well as the type of random bit generator the JEB server uses for entropy generation. Once the JEB server is configured, clients that present a certificate trusted by the server's CA bundle can connect over TLSv1.2 and send requests for entropy seeds. The JEB server sends out an entropy seed of the requested size if the size is within the configured parameters.

Configuration

CLI Quick Configuration

Configuring a JEB Server

Step-by-Step Procedure

  1. Specify the port that the JEB server will listen on. The value can range from 1025 through 65535; the default is 57005.
    [edit system services]
    user@jebserver# set jeb port port-number
  2. Configure the maximum entropy seed size, in bytes, that the server will send out. The range is 1 through 65536; the default is 4096.
    [edit system services]
    user@jebserver# set jeb max-seed-size bytes
  3. Choose a random bit generator (RBG) to use for generating entropy seeds. There are three options: default-rng, hmac-drbg, and jrbc. The default-rng option is a cryptographically secure pseudorandom number generator (CSPRNG), the hmac-drbg option is the deterministic RBG specified in NIST SP 800-90A, and the jrbc option is the Juniper random bit conditioner.
    [edit system services]
    user@jebserver# set jeb rbg default-rng
    Note

    If you want to use hmac-drbg, you must configure it under the [edit system rng] hierarchy before selecting it for the JEB server.

  4. Specify the path to the CA certificate bundle that the server uses to authenticate clients.
    [edit system services]
    user@jebserver# set jeb tls cert-bundle /path/to/cert-bundle
  5. Specify the path to the server certificate.
    [edit system services]
    user@jebserver# set jeb tls certificate /path/to/certificate
  6. Specify the path to the server's private key.
    [edit system services]
    user@jebserver# set jeb tls key /path/to/private-key

Results

After configuring the JEB server, you can request entropy seeds by connecting to the JEB server over TLSv1.2 and sending a request in the following format: {S: size}. The size variable is the number of entropy bytes you are requesting.

If the request is successful, the server responds with the following message:

response: OK

response_code: 200

If the request is unsuccessful, the server responds with one of the following messages:

response: ERROR

response_code: 501

data: SizeUnsupportedError

or

response: ERROR

response_code: 501

data: MalformedPacketError

SizeUnsupportedError indicates that the requested size exceeds the value configured with the max-seed-size statement; MalformedPacketError indicates that the request packet was not properly formed.
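The request format described above and the response messages listed in this section, put together as a client in Python. This is an added example, not code from the Juniper documentation or from Junos OS. What it takes from the page is the {S: size} request, the default port (57005), the default and absolute limits on max-seed-size (4096 and 65536), TLSv1.2 with a client certificate, and the response/response_code/data lines. Everything else is an assumption and is marked as such: that the server writes its reply as "key: value" text lines (the sample replies below are constructed from the messages on this page), and the host and file paths in the main block, which are placeholders. The seed bytes themselves are returned raw, because their on-the-wire encoding is not documented here.

```python
"""Minimal client for a Juniper Entropy Beacon (JEB) server.

Added example. Assumptions (not from the JEB documentation): the server's
reply is parsed as "key: value" text lines; the seed payload is handed back
raw, undecoded. Host and file paths in main() are placeholders.
"""
import socket
import ssl

DEFAULT_PORT = 57005            # JEB default listening port
DEFAULT_MAX_SEED_SIZE = 4096    # server default for max-seed-size (bytes)
ABSOLUTE_MAX_SEED_SIZE = 65536  # largest value max-seed-size accepts

# Error names the server returns in its "data" field (from the page).
ERROR_NAMES = {
    "SizeUnsupportedError": "size_unsupported",   # size > max-seed-size
    "MalformedPacketError": "malformed_packet",   # request not well formed
}


def build_request(size: int, max_seed_size: int = DEFAULT_MAX_SEED_SIZE) -> bytes:
    """Return the {S: size} request, refusing sizes the server would reject.

    Checking locally avoids a round trip that can only end in
    SizeUnsupportedError; max_seed_size should match the server's setting.
    """
    if max_seed_size > ABSOLUTE_MAX_SEED_SIZE:
        raise ValueError(f"max_seed_size {max_seed_size} exceeds {ABSOLUTE_MAX_SEED_SIZE}")
    if not 1 <= size <= max_seed_size:
        raise ValueError(f"size {size} outside 1..{max_seed_size}")
    return f"{{S: {size}}}".encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Parse 'key: value' lines into a dict (assumed wire format).

    Tolerates 'response_code:200' as well as 'response_code: 200'.
    Lines without a colon are ignored; bytes that are not UTF-8 are
    replaced rather than raising, so a raw seed payload cannot crash parsing.
    """
    fields = {}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def classify_response(fields: dict) -> str:
    """Map a parsed reply to 'ok', a known error name, or 'unknown_error'."""
    if fields.get("response") == "OK" and fields.get("response_code") == "200":
        return "ok"
    return ERROR_NAMES.get(fields.get("data", ""), "unknown_error")


def make_tls_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """TLS 1.2 only, server certificate verified against cafile, and a client
    certificate presented so the JEB server can authenticate this client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def request_entropy(host: str, port: int, ctx: ssl.SSLContext, size: int,
                    timeout: float = 5.0) -> tuple[dict, bytes]:
    """Send one {S: size} request and return (parsed fields, raw reply)."""
    request = build_request(size)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:      # server closes after answering (assumption)
                    break
                chunks.append(chunk)
    raw = b"".join(chunks)
    return parse_response(raw), raw


if __name__ == "__main__":
    # Placeholder values; replace with your beacon and credential paths.
    ctx = make_tls_context("/path/to/ca-bundle.pem",
                           "/path/to/client-cert.pem",
                           "/path/to/client-key.pem")
    fields, raw = request_entropy("jebserver.example", DEFAULT_PORT, ctx, 4096)
    print(classify_response(fields), len(raw), "bytes received")
```

Treat whatever the beacon returns as an additional input to the local random number generator (a reseed) rather than as the sole source of key material: a network beacon is only as trustworthy as the TLS session and the server behind it, and mixing it into the local pool means a compromised or misconfigured beacon cannot by itself make local keys predictable.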

Verification

Once the JEB server is configured, you can verify that the process is running by using the show system processes command or by checking for JEB-related syslog messages.

Verifying the JEB process is running

Purpose

Verify that your JEB server is configured properly by using the show system processes command.

Action

user@jebserver> show system processes | grep jeb

Meaning

The output contains references to /usr/sbin/jeb and /var/etc/jeb_conf, indicating that the JEB process is running.

Verifying JEB syslog messages

Purpose

Check the syslog messages to confirm that init was able to start JEB. The message also gives the process ID (PID) of the JEB process.

Action

user@jebserver> show log messages | grep jeb

Meaning

The syslog message should indicate that the JEB process has started.