The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 15:04 UTC (Thu) by faramir (subscriber, #2327)
Parent article: The search for truly random numbers in the kernel

If I can buy a 4Gbyte USB flash drive for < $5, it should be possible to build a USB attachable source of truly random numbers for a reasonable amount of money. All that needs to happen in the kernel is to define exactly how such a device talks to the kernel and a way for a system administrator to enable use of a specific device. Then let the hardware guys do as many different implementations as the market will bear.

Personally, I would be happy to contribute $20 to a kickstarter project that wrote the appropriate software for Linux; designed and built the hardware; and made both the software and hardware "open source". For the paranoid, make it an option to just get an unpopulated circuit board so the recipient could source the rest of the off the shelf components from wherever they like. Many people may not be able to design the requisite hardware, but almost anyone who cares could learn to solder well enough to put such a device together.

Finally, given the existence of USB flash drives which

1. Pretend to have a higher capacity then they actually do (in order to commit fraud on the purchaser)

2. Pretend to be a USB keyboard/mouse for various nefarious purposes

this would seem to be a simple project for someone with hardware design skills. (Which is unfortunately not me.)

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 15:11 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (1 responses)

It has already been done, and indeed has been mentioned in LWN comments in the past.

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 16:36 UTC (Thu) by nix (subscriber, #2304) [Link]

I note that the entropy key's network entropy daemon actually relies on the kernel's entropy estimation: in particular, it relies on it so that it knows when not to bother sending in more entropy. This matters because extracting the entropy over USB is relatively CPU-expensive (it can eat a few percent of CPU time on slow machines), so it is best not to throw too much entropy into the pool unless people are using what you throw in. The key generates enough entropy to fill the pool in a couple of seconds, after all... and by the standards of modern entropy sources that is *slow*.

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 15:21 UTC (Thu) by pizza (subscriber, #46) [Link] (3 responses)

>it should be possible to build a USB attachable source of truly random numbers for a reasonable amount of money.

There's an outfit out of the UK (www.entropykey.co.uk) that was selling such a widget for about $60, but they've hit some sort of unrelated financial problems and haven't been able to make/ship any for some time now.

In the mean time, I'm actually working on a USB-attached RNG now, utilizing an STM32F4 MCU, which has a high-quality hardware RNG onboard. You can buy the eval boards for $15 in single-unit quantity (STM32F4DISCOVERY), so I don't think there's much of a point in trying to design a custom board since we won't be able to meet that price target without a large enough initial order.

When I get it working (The USB stack is a bit of a PITA), I'll be releasing the firmware (and appropriate Linux code) under the GPL. If there's enough interest in dedicated hardware, perhaps Kickstarter may be an option, hmm.

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 15:46 UTC (Thu) by felixfix (subscriber, #242) [Link] (2 responses)

But if commercial RNGs are not to be trusted, packaging it into a USB stick doesn't magically remove the stigma.

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 17:52 UTC (Thu) by daney (guest, #24551) [Link]

You may not trust a commercial RNG, but if the USB interface to said class of devices were standardized, you might have the option of easily switching RNG vendor.

The SOURCE for truly random numbers in the kernel is external hardware

Posted Sep 19, 2013 18:06 UTC (Thu) by pizza (subscriber, #46) [Link]

My servers are perpetually entropy-starved simply by random web crawlers hitting its TLS-exposed services. A full entropy pool is typically depleted within a few seconds, even under low-load situations.

Meanwhile, I won't be using the RNG output of the STM32 directly; it will be mixed and mangled before being passed to the host -- and since Linux will mix it with its other entropy sources, it's considerably less likely to be a problem.

Besides, let's be honest here, if you distrust commercial RNGs, wouldn't any random pre-packaged RNG design be equally suspect? Just because the design/code is open source doesn't mean there's not a weakness in it that only the NSAs in the world are capable of recognizing. And besides, even assuming noble intentions, designing a good RNG is *hard*; I'm actually more likely to introduce weaknesses (as opposed to improvements) with my meddling.