Intel includes a TRNG in their CPUs (on die) since Ivy Bridge. It used to be called Bull Mountain. Now it is known as RdRand after the instruction. Here is a good article about it:
RDSEED is not for seeding the generator, it also reads a random number. The difference is that RDSEED reads directly from the hardware random bit generator whereas RDRAND reads from a CSPRNG itself seeded by that random source.
Quick summary of dopant-mask trojans: small alterations to the chip's masks can "pin" bits of the internal PRNG state high or low. Because the output of the PRNG go through a cryptographically secure hashing algorithm the output appears to have good entropy but assuming you know which bits are pinned the actual keyspace you need to search is catastrophically smaller. Intel includes checksums that run at system startup to verify the functionality of the PRNG but these are aimed at catching manufacturing errors, so they used CRC32. Thus, all you need to do to break this is be sure that the internal state of your pinned PRNG and the fair PRNG produce a CRC32 collision after running the test pattern.
If RDSEED doesn't run through the hash, would that give you enough of a window into the PRNG's internal state to be able to catch that attack? It sounds promising but it looks like RDSEED came out in 2012, so that would predate the paper...
I don't think anyone was really against intel bundling an RNG on-chip. The issue was that they really wanted the OSs to use the entropy gained there directly, rather than just using it as one more source of entropy mixed into the pool.
By doing that, all the security of the system is dependent on Intel's RNG. There's not really any downside to mixing this in with other sources of entropy, even if RDRAND were backdoored, rdrand XOR other_entropy should be equally secure as other_entropy.
It may surprise you that the order matters - in the hands of a potential attacker, combining random sources is not commutative!
If your last random source comes from an attacker who can read your state, then they can manipulate your state freely (XOR) or partially (any PRF), which could lead to trouble. Source: http://blog.cr.yp.to/20140205-entropy.html
Combining with a proper PRF limits the damage a bit compared to plain XOR, which is why Linux's /dev/random was changed to feed in RDSEED/RDRAND like any other entropy source.
On the other hand, there's the school of thought which says: if the CPU you're running on has been trojaned in hardware, you're probably buggered no matter what!
it's not something that is easy to generate mathematically, so it's an illogical thing to solve for on a cpu, which wants to follow instructions. randomness shouldnt have a "rule" to follow, that ends up being pseudorandom.
See here for a simpler explanation of building a random sequence generator using avalanche effect (sort of the precursor to this device I'd guess):
http://holdenc.altervista.org/avalanche/
a) Chip designers prefer to keep analog and digital very separate. Analog takes up comparatively much more space. Putting it on the same die may make side-channel attacks easier.
b) How do you verify that it's really random and not a CSPRNG with a key known to the NSA?
Maryland's economy takes advantage of the close location of the center of government in Washington, D.C. and emphasizes technical and administrative tasks for the defense/aerospace industry and bio-research laboratories, as well as staffing of satellite government headquarters in the suburban or exurban Baltimore/Washington area. Ft. Meade serves as the headquarters of the Defense Information Systems Agency, United States Cyber Command, and the National Security Agency/Central Security Service. In addition, a number of educational and medical research institutions are located in the state. In fact, the various components of The Johns Hopkins University and its medical research facilities are now the largest single employer in the Baltimore area. Altogether, white collar technical and administrative workers comprise 25 percent of Maryland's labor force, attributable in part to nearby Maryland being a part of the Washington Metro Area where the federal government office employment is relatively high.
Because the NSA uses US law to require companies to include compromised algorithms and backdoors in their products, and uses gagging orders to prevent the company from admitting their products have been compromised.
I'm not suggesting they are the only country in that situation, nor that there is any sure-fire way to make sure you aren't hamstrung.
But I think it is a good rule of thumb to not rely on US crypto.
A random number generator with US flag on it. Yes, it is kind of silly, it is just a sticker, but it subconsciously evokes negative associations, at least for me.
Though exploring that tangent a little, I wonder if there is a any sort of study on flags\countries and their association with quality (specifically engineering\tech). Off the top of my head I'd guess people associate places like Sweden, Germany, Switzerland, Austria - I'm not sure why.
Yeah I recall reading that there's some uneasiness around flag flying and national pride in Germany - I think it came to my attention ahead of the World Cup in 2006.
Do not confuse Germany's prior superiority with made goods with their IT skills. As a German, I can tell you: We're becoming a 3rd world IT country real quick. Plus the USA is our best friend, including the NSA.
A country is way to broad, you would have to put stickers of people or organizations with good reputation with regard to security on it, say Bruce Schneier or the EFF. But actually you should not do this either because you may evoke a false sense of security.
This company is going to lose sales for something as trivial as a flag on an easily removable sticker.
I'm sometimes surprised to see HN - which freaking loves AB testing the colour of signup buttons - is resistant to people saying "I dislike this minor detail".
There should be a way for HN users to point out things they dislike about a product - politely, constructively, without undue negativity, and without derailing the thread with off-topic noodling about the website (unless the website is the product).
This is why I wish root level comments were collapsed by default. It might make it easier to completely ignore one that starts with "minor gripe, but...".
"This company is going to lose sales for something as trivial as a flag on an easily removable sticker."
Really? I can't imagine it'll HURT them. If they're proud of having it made in the US, who does that bother enough to say "man such a great product, but nope, not gonna buy it". I'd say it might have a marginal effect the other way, for people who like to buy US-made products, and almost no effect the other way.
The flag is part of the marketing. Every other product they sell (boards) has a "Designed in the USA" text printed somewhere. Seems that they believe that having a product "Designed in the USA" gives it more credibility. One interesting point is that they do not mention where the products are actually made. With Tindie (and %99 of other) vendors, you are safe to assume that they are made in china. If not sourced in china and re-sold (which I have no issues with). Now, a RNG with an American flag that was assembled in China does remind me of those USA flags that have the little gold "Made in China" sticker. Would I buy this? Only to play with it on an old air gapped machine.
totally personal opinion here, but a lot of the stuff that say "made in the USA" are aimed toward a different crowd(older generation) than this product..
That's a good point. Another reason is to differentiate themselves from re-sellers. Like the Ebay stores that put "Ships from USA" in the listing titles.
Be aware that a decent prng will look just like the true one. That one's particularly crap. The Mersenne Twisters have incredibly long periods (2^19937 - 1 common) and you won't see anything. These are not at all cryptographically secure.
They used up the devices they'd had manufactured, were saying they had no idea if and when they'd have more ... and I guess they've completely given up, now.
If you enjoy this topic, you might be interested in HotBits. It uses a Caesium-137 check source and a radiation monitor to generate non-deterministic values.
"If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 50 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio."
But where do you find $10 dongles? I've found just NooElec NESDR XTR for $50? Edit: OK, there are cheaper dongles with RTL2832U, just not with E4000
They're selling a $50 "product." You've linked to a $10 experiment. Just the fact that theirs comes with a signed Windows driver and software Linux support out of the box, justifies every cent of the $40.
This complaint is akin to people who complain "a $700 iPhone only has $150 of parts." It might be true, but it ignores the entire development cost, value add, and ease of use relative to buying a box of bolts and building an iPhone (or in this case a RND source).
Their price is very reasonable, and your $10 alternative is not a realistic alternative.
Sometimes if you start varying the output width of such a process dynamically you can pick out patterns. Not saying this is the case here but it's an interesting trick to allow your visual cortex to do some pretty heavy numerical lifting.
Thank you all for the feedback and also the entertainment. Here's a memorial weekend coupon code for $10 off your purchase of a TrueRNG from Amazon: MERICA10
76 comments
[ 2.5 ms ] story [ 139 ms ] threadhttp://spectrum.ieee.org/computing/hardware/behind-intels-ne...
The problem is that it is a black box. Intel has added the ability to seed the generator (rdseed), but it does not really reduce the issue of trust.
Also the rdseed instruction does not allow you to seed the generator but instead allows you to generate seeds for other (pseudo random) generators.
https://software.intel.com/en-us/blogs/2012/11/17/the-differ...
http://sharps.org/wp-content/uploads/BECKER-CHES.pdf
If RDSEED doesn't run through the hash, would that give you enough of a window into the PRNG's internal state to be able to catch that attack? It sounds promising but it looks like RDSEED came out in 2012, so that would predate the paper...
So is this one... it's also closed-source hardware.
Some people were against it; others not so much.
http://en.wikipedia.org/wiki/RdRand
http://arstechnica.com/security/2013/12/we-cannot-trust-inte...
By doing that, all the security of the system is dependent on Intel's RNG. There's not really any downside to mixing this in with other sources of entropy, even if RDRAND were backdoored, rdrand XOR other_entropy should be equally secure as other_entropy.
If your last random source comes from an attacker who can read your state, then they can manipulate your state freely (XOR) or partially (any PRF), which could lead to trouble. Source: http://blog.cr.yp.to/20140205-entropy.html
Combining with a proper PRF limits the damage a bit compared to plain XOR, which is why Linux's /dev/random was changed to feed in RDSEED/RDRAND like any other entropy source.
On the other hand, there's the school of thought which says: if the CPU you're running on has been trojaned in hardware, you're probably buggered no matter what!
See here for a simpler explanation of building a random sequence generator using avalanche effect (sort of the precursor to this device I'd guess): http://holdenc.altervista.org/avalanche/
b) How do you verify that it's really random and not a CSPRNG with a key known to the NSA?
https://ssl.araneus.fi/products/alea2/order/en/
The site of the producers, though:
http://ubld.it/
Looks like somebody who actually honestly likes to make his own hardware, and not only RNGs.
http://en.wikipedia.org/wiki/Maryland#Economy
Maryland's economy takes advantage of the close location of the center of government in Washington, D.C. and emphasizes technical and administrative tasks for the defense/aerospace industry and bio-research laboratories, as well as staffing of satellite government headquarters in the suburban or exurban Baltimore/Washington area. Ft. Meade serves as the headquarters of the Defense Information Systems Agency, United States Cyber Command, and the National Security Agency/Central Security Service. In addition, a number of educational and medical research institutions are located in the state. In fact, the various components of The Johns Hopkins University and its medical research facilities are now the largest single employer in the Baltimore area. Altogether, white collar technical and administrative workers comprise 25 percent of Maryland's labor force, attributable in part to nearby Maryland being a part of the Washington Metro Area where the federal government office employment is relatively high.
I'm not suggesting they are the only country in that situation, nor that there is any sure-fire way to make sure you aren't hamstrung.
But I think it is a good rule of thumb to not rely on US crypto.
Though exploring that tangent a little, I wonder if there is a any sort of study on flags\countries and their association with quality (specifically engineering\tech). Off the top of my head I'd guess people associate places like Sweden, Germany, Switzerland, Austria - I'm not sure why.
A pirate flag might work.
How so? I usually think of Germany as being pretty good technologically.
Any flag is a bit weird.
This company is going to lose sales for something as trivial as a flag on an easily removable sticker.
I'm sometimes surprised to see HN - which freaking loves AB testing the colour of signup buttons - is resistant to people saying "I dislike this minor detail".
There should be a way for HN users to point out things they dislike about a product - politely, constructively, without undue negativity, and without derailing the thread with off-topic noodling about the website (unless the website is the product).
Really? I can't imagine it'll HURT them. If they're proud of having it made in the US, who does that bother enough to say "man such a great product, but nope, not gonna buy it". I'd say it might have a marginal effect the other way, for people who like to buy US-made products, and almost no effect the other way.
(bad due to visible patterns, compared to the shown picture for their hardware generator: http://ubld.it/wp-content/uploads/2014/02/random_bitmap.png )
Curiously, the shop shows sales data:
(as of about 14h WEST, 2015.05.22, let's see if it budges ;-)Is there a way to measure how often this happens and what kind of improvements would be expected after buying a hardware RNG?
The case of the TrueRNG looks identical to the Entropy Key, but for all I know that could just be a common part.
https://www.fourmilab.ch/hotbits/hardware3.html
http://www.atarimagazines.com/compute/issue72/random_numbers...
You can get a $10 RTL-SDR [1] dongle that happily churns out over 2MSp/s and feed random radio noise to your entropy pool using rtl_entropy [2].
Also what's up with the flag, 'murica?
[1] - http://sdr.osmocom.org/trac/wiki/rtl-sdr
[2] - https://github.com/pwarren/rtl-entropy
"If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 50 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio."
But where do you find $10 dongles? I've found just NooElec NESDR XTR for $50? Edit: OK, there are cheaper dongles with RTL2832U, just not with E4000
This complaint is akin to people who complain "a $700 iPhone only has $150 of parts." It might be true, but it ignores the entire development cost, value add, and ease of use relative to buying a box of bolts and building an iPhone (or in this case a RND source).
Their price is very reasonable, and your $10 alternative is not a realistic alternative.
http://csrc.nist.gov/groups/ST/toolkit/rng/batteries_stats_t...
Huh? Some PRNGs sure, but I don't really know what this is trying to prove. The output of any decent stream cipher will appear just as random.
Shameless self-insert: https://github.com/joshleaves/node-qrand
http://www.amazon.com/TrueRNG-Hardware-Random-Number-Generat...