If you have a modernish machine running Linux, find out if it has a TPM (Trusted Platform Module) built in. If it does, you can use an application called "Trousers" to take advantage of its built in hardware random number generator. It will directly feed random data into /dev/random
If you don't have a TPM, you can get one of these usb sticks: http://www.entropykey.co.uk/ and it will also feed /dev/random with large amounts of real random data.
According to http://www.outflux.net/blog/archives/2009/10/22/tpm-as-rng/#..., TPM may even be using PRNGs. So you're right that the quality of output need not be better than what a modern OS already provides. (I am not aware of any case where a properly-used /dev/random failed to produce sufficient entropy. Note that doing something sensible at boot is part of "properly-used" here.)
It is possible to provide true randomness from a chip, but it's probably cheaper not to.
I suspect they just didn't consider RNG quality as a big factor in the usefulness of the design. TPM pre-dates the recent advances in on-die TRNG design. Plus the chip tends to live on a low-speed bus on the system which makes it inherently a bit crappy as a place to keep a high-bandwidth application like an RNG.
When did I say that it does? The randomness of the data is entirely down to the implementation.
Personally I'd trust the random data supplied by a third party web service less than the pseudo-random data that the software on my local machine produces. Especially if you mix in data from a TPM, especially if you mix in data from an Entropy Key as well.
Can anyone explain how this works? The entropy key site says "The Entropy Key contains two high-quality noise generators, and an ARM Cortex CPU that actively measures, checks and confirms all generated random numbers, before encrypting them and sending them to the server"... but why can't we just write high-quality noise generators in software? How is the hardware better?
Because you can't get really random number from deterministic hardware (and computers are deterministic, more or less :) ). No matter what you do, running the same algorithm on the same input gives you the same data on regular computer. And the randomness (measured in Kolmogorov complexity [1] of the resulting string) is by definition smaller than the length of the generator program.
And truly random string is such string, that there's no possible program producing this string as output, that is shorter than the string.
On deterministic computers you can only produce pseudorandom numbers, with varying quality of randomness, depending on generator program you use, but it's sometimes not enough (esp. in cryptography).
Software is deterministic, so it is not really possible to generate noise. There are non-deterministic parts of software (for example, thread interaction in concurrent systems), but this is just observable behavior of hardware effects.
The typical thing people do to get large amounts of randomness is to first generate some "real" random noise from some source (hardware thingamajigs, network timings, user interactions) and extrapolate these into longer sequences of random-looking numbers. The extrapolation can be fast and simple (in which case the randomness is not so good), or it can be slow and complex (to get decent looking randomness).
Everyone has mentioned how software is deterministic.
Hardware RNGs sometimes rely on thermal noise (which is really random) but there are sometimes flaws with how that noise is sampled and de-skewed. Also, they need to be monitored to cope with hardware failure. Be aware, especially if you're using them for cryptography, that they might be a poor fit for your purpose.
And surely everyone on HN knows that part of the "snow" noise displayed on an untuned TV is cosmic background radiation, ie "afterglow" of the big bang. I still find that amazing.
In theory, as others that replied have noted, hardware is better ... in practice there are issues other than "software is deterministic".
Many naive hardware based random number generators suffer from being not as random as one might think - thanks to quantising levels in A/D converters, to supposedly random physical processes having "spectra" where measurable signal occurs more in some bands than others, and to a multitude of other odd little effects just making a hardware based RNG is as simple as it seems.
The entropy key cited above has multiple noise sources and PRNG processes that mix them up and running checks to see that things are working as expected. That level of paranoid checking is more or less the minimum level required in a RNG to be confident about it.
Others have explained why it's not possible to create a good software random number generator. Hardware RNGs don't just provide a much better quality stream of random data, they also provide a much higher quantity of it. I just generate a GnuPG 2048 bit keypair by running "gpg --gen-key" on my laptop. It took over 11 minutes to gather enough entropy to build the key. I then plugged my Entropy Key into the laptop and repeated the process. This time it took less than 2 seconds.
A Lenovo Thinkpad T420 with an Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 8GB of RAM and an SSD. It's running Ubuntu 10.04, GnuPG 2.0.14, and a 3.2.0 Linux kernel.
The laptop was relatively idle when the test was being run.
It's worth noting that when you do a --gen-key it does output the message:
"We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilise the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy."
I can't imagine it would state that if "5 seconds" was anything like normal. Perhaps you have some sort of additional source of entropy which you don't know about.
"oh noes. Not this poo again. Save money, and do the following.
- Get a high res webcam - Open it up and remove the filters. - Hook up the device. - From time to time you'll see random white dots appear.
There you have your ultra cheap random number generator."
It would seem that this method would be muchmore expensive and time consuming than a simple web query.
How precisely would this save me money?
Pretty simple. You want random numbers for security.
If you want security, you should not trust a third party. Only yourself.
If you have to generate random numbers yourself; I just provided you a cheap solution.
It's under your control. There's no chance of an attacker serving you skewed numbers, or of MITM, or etc etc.
That may be important. (Cryptography, for example.)
Some people don't care, they just need some random numbers. People doing modelling like a lot of random numbers that are random enough, but they don't care if that same set of numbers is available elsewhere, or if it's easily repeatable.
If you don't want to build your own generator, random.org provides a service like the ANU Quantum Random Number Server, i.e. provision of unique sets of true random numbers by http request, but generated from atmospheric noise. There's a convenience R package "random" I often use for this purpose. The articles on the website are quite edifying regarding the art and science of random numbers generally. Here's a link to the interface documentation: http://www.random.org/clients/http/
I've always wondered how many probabilistic algorithms would have been discovered which outperform deterministic ones if a high-bandwidth hardware RNG was available on every machine.
I understood that probabilistic algos only need something that "looks random enough" and are fine using PRNGs. True randomness doesn't buy you any improvement, as the algorithm is only counting on some of the properties of a random source.
People, if you need random numbers for some application of yours, you shouldn't get them from their server, period. See alternatives in the posts here. The most modern example, apparently the following hardware instruction will be available in all next Intel processors: http://en.wikipedia.org/wiki/RdRand
The main article is just to appreciate the pure awesomeness of us being able to actually see something that's a result of quantum fluctuations! In vacuum!
Their product may be really great, but the company seems unable to support it. I ordered my key in October, never received it, and have been mailing them periodically ever since, perhaps 20 times, trying to resolve it with them. To date I have received one response. Their response ignored everything I had said, and assured me it would arrive soon, even though I'd explained in my email that I'd changed addresses.
I hope one day this will be resolved, because it really seems like a cool device.
That might sort of be funny if it weren't simply true, and not in any sort of funny-true way, either. Random numbers generated in the past are deterministic. Of course they are. What would non-deterministic-yet-already-generated numbers look like?
I see a few people mentioning applications of this in cryptography and I feel that this is harmful.
You do not need exotic hardware to collect entropy to generate crypto keys. You need a correctly designed cryptographically secure PRNG which has had time to accumulate 100 or so bits of entropy (i.e., unknowability to the attacker). It's nice if it can be freshened every now and then with more entropy, but that really only should make a difference if you lose a backup tape and by some miracle the private key wasn't on there already. After it's warmed up, it should never need to block due to 'depleted entropy'. No one has ever broken such a CSPRNG. This is how the OpenSSL, OpenBSD, and FreeBSD /dev/randoms work.
On the other hand, what does tend to get broken regularly are overcomplicated and overengineered RNGs like this beast.
The one on the new Intel chips is handy, but it's largely overkill. We only need 100 bits now and then, not a steady rate at Gb/s (which can shut off abruptly when an attacker sharing your cloud hardware node decides to starve you of them). It's also not something that we can review for backdoors, so we should be reluctant to use it as the sole source of entropy.
A quantum vacuum random server is great like the way an internet-connected coffee pot is great. Fun, but not useful in production.
One wouldn't want to give the impression that CSPRNG design is a solved problem, but I think you're right: exotic "true random" entropy sources definitely don't target the real challenges.
Are you aware of any instances of the OS /dev/Xrandom failing in an exploitable way, assuming proper initialization? I'm sure that people still mess up, but there are a lot of problems that are solved in that sense.
There's a well-known and very good Black Hat talk from I think 2007 that attacked cold-start entropy on embedded devices, but you could rephrase that as an entropy estimation problem.
/dev/random is hardware entropy dependent, and if application users use it too much (and we all know that many application developers don't do what's minimal stress for hardware or what's optimal "I just make it fast, it works for me"), every such application can block too often. Especially servers are problematic because you can't accumulate the entropy by measuring keyboard or whatever. That's why Intel made RdRand. And their competitors made some similar solutions even before that.
53 comments
[ 4.1 ms ] story [ 107 ms ] threadIf you don't have a TPM, you can get one of these usb sticks: http://www.entropykey.co.uk/ and it will also feed /dev/random with large amounts of real random data.
It is possible to provide true randomness from a chip, but it's probably cheaper not to.
http://spectrum.ieee.org/semiconductors/processors/behind-in...
http://en.wikipedia.orghwiki/RdRand
I suspect they just didn't consider RNG quality as a big factor in the usefulness of the design. TPM pre-dates the recent advances in on-die TRNG design. Plus the chip tends to live on a low-speed bus on the system which makes it inherently a bit crappy as a place to keep a high-bandwidth application like an RNG.
Personally I'd trust the random data supplied by a third party web service less than the pseudo-random data that the software on my local machine produces. Especially if you mix in data from a TPM, especially if you mix in data from an Entropy Key as well.
And truly random string is such string, that there's no possible program producing this string as output, that is shorter than the string.
On deterministic computers you can only produce pseudorandom numbers, with varying quality of randomness, depending on generator program you use, but it's sometimes not enough (esp. in cryptography).
[1] http://en.wikipedia.org/wiki/Kolmogorov_complexity
When something is deterministic, it is reproducible and therefore not good for creating crypto keys.
Most /dev/random implementations use data from the ethernet driver, the keyboard, mouse etc to get some input which isn't easy to reproduce.
The typical thing people do to get large amounts of randomness is to first generate some "real" random noise from some source (hardware thingamajigs, network timings, user interactions) and extrapolate these into longer sequences of random-looking numbers. The extrapolation can be fast and simple (in which case the randomness is not so good), or it can be slow and complex (to get decent looking randomness).
Hardware RNGs sometimes rely on thermal noise (which is really random) but there are sometimes flaws with how that noise is sampled and de-skewed. Also, they need to be monitored to cope with hardware failure. Be aware, especially if you're using them for cryptography, that they might be a poor fit for your purpose.
Testing Hardware RNGs
(http://www.robertnz.net/true_rng.html)
EDIT:
Descriptions of various forms of noise:
(http://www.eie.polyu.edu.hk/~ensurya/lect_notes/commun_cir/C...)
And surely everyone on HN knows that part of the "snow" noise displayed on an untuned TV is cosmic background radiation, ie "afterglow" of the big bang. I still find that amazing.
Many naive hardware based random number generators suffer from being not as random as one might think - thanks to quantising levels in A/D converters, to supposedly random physical processes having "spectra" where measurable signal occurs more in some bands than others, and to a multitude of other odd little effects just making a hardware based RNG is as simple as it seems.
The entropy key cited above has multiple noise sources and PRNG processes that mix them up and running checks to see that things are working as expected. That level of paranoid checking is more or less the minimum level required in a RNG to be confident about it.
The laptop was relatively idle when the test was being run.
It's worth noting that when you do a --gen-key it does output the message:
"We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilise the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy."
I can't imagine it would state that if "5 seconds" was anything like normal. Perhaps you have some sort of additional source of entropy which you don't know about.
How do you determine that on Linux?
- Get a high res webcam - Open it up and remove the filters. - Hook up the device. - From time to time you'll see random white dots appear.
There you have your ultra cheap random number generator. Works best in high radiation environments.
It would seem that this method would be muchmore expensive and time consuming than a simple web query. How precisely would this save me money?
It's under your control. There's no chance of an attacker serving you skewed numbers, or of MITM, or etc etc.
That may be important. (Cryptography, for example.)
Some people don't care, they just need some random numbers. People doing modelling like a lot of random numbers that are random enough, but they don't care if that same set of numbers is available elsewhere, or if it's easily repeatable.
Look into LavaRnd [1][2][3][4].
[1] What is LavaRnd? http://www.lavarnd.org/what/index.html
[2] LavaRnd Process in Detail: http://www.lavarnd.org/what/process.html
[3] Construction of a LavaCan: http://www.lavarnd.org/what/can-details.html
[4] Source code (open source): http://www.lavarnd.org/download/index.html
update - similar article (free) from same people http://www.opticsinfobase.org/view_article.cfm?gotourl=http%... (source http://www.opticsinfobase.org/oe/abstract.cfm?uri=oe-19-21-2... )
[it seems like this is actually a big deal - they are getting huge throughput]
Since we have millions of transistors in our systems couldn't they (their collectors) be used to generate "truly" random numbers?
http://www.fourmilab.ch/hotbits/
The site contains some interesting discussion around randomness and how their service works.
The main article is just to appreciate the pure awesomeness of us being able to actually see something that's a result of quantum fluctuations! In vacuum!
I hope one day this will be resolved, because it really seems like a cool device.
You do not need exotic hardware to collect entropy to generate crypto keys. You need a correctly designed cryptographically secure PRNG which has had time to accumulate 100 or so bits of entropy (i.e., unknowability to the attacker). It's nice if it can be freshened every now and then with more entropy, but that really only should make a difference if you lose a backup tape and by some miracle the private key wasn't on there already. After it's warmed up, it should never need to block due to 'depleted entropy'. No one has ever broken such a CSPRNG. This is how the OpenSSL, OpenBSD, and FreeBSD /dev/randoms work.
On the other hand, what does tend to get broken regularly are overcomplicated and overengineered RNGs like this beast.
The one on the new Intel chips is handy, but it's largely overkill. We only need 100 bits now and then, not a steady rate at Gb/s (which can shut off abruptly when an attacker sharing your cloud hardware node decides to starve you of them). It's also not something that we can review for backdoors, so we should be reluctant to use it as the sole source of entropy.
A quantum vacuum random server is great like the way an internet-connected coffee pot is great. Fun, but not useful in production.
"/dev/random vs /dev/urandom" http://www.onkarjoshi.com/blog/191/device-dev-random-vs-uran...
/dev/random is hardware entropy dependent, and if application users use it too much (and we all know that many application developers don't do what's minimal stress for hardware or what's optimal "I just make it fast, it works for me"), every such application can block too often. Especially servers are problematic because you can't accumulate the entropy by measuring keyboard or whatever. That's why Intel made RdRand. And their competitors made some similar solutions even before that.
Good detailed discussion also on: http://en.wikipedia.org/wiki//dev/random
In short, hardware RNG in the CPU is a very good thing.
Of course, whoever doesn't need cryptographically secure randomness should anyway just use plain old pure software pseudorandom number generator:
http://en.wikipedia.org/wiki/Pseudorandom_number_generator
OpenSSL, OpenBSD, and FreeBSD agree with me.