76 comments

[ 2.5 ms ] story [ 139 ms ] thread
On one hand, this is very cool. On the other hand, why can't Intel/AMD just put this sort of thing on their CPU dyes and be done with it?
Intel includes a TRNG in their CPUs (on die) since Ivy Bridge. It used to be called Bull Mountain. Now it is known as RdRand after the instruction. Here is a good article about it:

http://spectrum.ieee.org/computing/hardware/behind-intels-ne...

The problem is that it is a black box. Intel has added the ability to seed the generator (rdseed), but it does not really reduce the issue of trust.

RDSEED is not for seeding the generator, it also reads a random number. The difference is that RDSEED reads directly from the hardware random bit generator whereas RDRAND reads from a CSPRNG itself seeded by that random source.
Quick summary of dopant-mask trojans: small alterations to the chip's masks can "pin" bits of the internal PRNG state high or low. Because the output of the PRNG go through a cryptographically secure hashing algorithm the output appears to have good entropy but assuming you know which bits are pinned the actual keyspace you need to search is catastrophically smaller. Intel includes checksums that run at system startup to verify the functionality of the PRNG but these are aimed at catching manufacturing errors, so they used CRC32. Thus, all you need to do to break this is be sure that the internal state of your pinned PRNG and the fair PRNG produce a CRC32 collision after running the test pattern.

http://sharps.org/wp-content/uploads/BECKER-CHES.pdf

If RDSEED doesn't run through the hash, would that give you enough of a window into the PRNG's internal state to be able to catch that attack? It sounds promising but it looks like RDSEED came out in 2012, so that would predate the paper...

The problem is that it is a black box.

So is this one... it's also closed-source hardware.

(comment deleted)
I don't think anyone was really against intel bundling an RNG on-chip. The issue was that they really wanted the OSs to use the entropy gained there directly, rather than just using it as one more source of entropy mixed into the pool.

By doing that, all the security of the system is dependent on Intel's RNG. There's not really any downside to mixing this in with other sources of entropy, even if RDRAND were backdoored, rdrand XOR other_entropy should be equally secure as other_entropy.

It may surprise you that the order matters - in the hands of a potential attacker, combining random sources is not commutative!

If your last random source comes from an attacker who can read your state, then they can manipulate your state freely (XOR) or partially (any PRF), which could lead to trouble. Source: http://blog.cr.yp.to/20140205-entropy.html

Combining with a proper PRF limits the damage a bit compared to plain XOR, which is why Linux's /dev/random was changed to feed in RDSEED/RDRAND like any other entropy source.

On the other hand, there's the school of thought which says: if the CPU you're running on has been trojaned in hardware, you're probably buggered no matter what!

it's not something that is easy to generate mathematically, so it's an illogical thing to solve for on a cpu, which wants to follow instructions. randomness shouldnt have a "rule" to follow, that ends up being pseudorandom.

See here for a simpler explanation of building a random sequence generator using avalanche effect (sort of the precursor to this device I'd guess): http://holdenc.altervista.org/avalanche/

a) Chip designers prefer to keep analog and digital very separate. Analog takes up comparatively much more space. Putting it on the same die may make side-channel attacks easier.

b) How do you verify that it's really random and not a CSPRNG with a key known to the NSA?

that american flag on the label makes the whole device suspect to me.
If you go that route, the state in which the company is situated is even more interesting.

The site of the producers, though:

http://ubld.it/

Looks like somebody who actually honestly likes to make his own hardware, and not only RNGs.

[As a non American] Why?
So relevant is:

Maryland's economy takes advantage of the close location of the center of government in Washington, D.C. and emphasizes technical and administrative tasks for the defense/aerospace industry and bio-research laboratories, as well as staffing of satellite government headquarters in the suburban or exurban Baltimore/Washington area. Ft. Meade serves as the headquarters of the Defense Information Systems Agency, United States Cyber Command, and the National Security Agency/Central Security Service. In addition, a number of educational and medical research institutions are located in the state. In fact, the various components of The Johns Hopkins University and its medical research facilities are now the largest single employer in the Baltimore area. Altogether, white collar technical and administrative workers comprise 25 percent of Maryland's labor force, attributable in part to nearby Maryland being a part of the Washington Metro Area where the federal government office employment is relatively high.

Because the NSA uses US law to require companies to include compromised algorithms and backdoors in their products, and uses gagging orders to prevent the company from admitting their products have been compromised.

I'm not suggesting they are the only country in that situation, nor that there is any sure-fire way to make sure you aren't hamstrung.

But I think it is a good rule of thumb to not rely on US crypto.

to expensive for only random number generator for $50
A random number generator with US flag on it. Yes, it is kind of silly, it is just a sticker, but it subconsciously evokes negative associations, at least for me.
What sticker would make you feel better? China? Hungary? Designed in USA, made in China?
No flag whatsoever, really.

Though exploring that tangent a little, I wonder if there is a any sort of study on flags\countries and their association with quality (specifically engineering\tech). Off the top of my head I'd guess people associate places like Sweden, Germany, Switzerland, Austria - I'm not sure why.

As a german i can tell you having the german flag on anything is a bit weird.
Yeah, but "Made in Germany" is usually printed with extra-large letters.
Yeah I recall reading that there's some uneasiness around flag flying and national pride in Germany - I think it came to my attention ahead of the World Cup in 2006.
I wouldn't go with Sweden.

A pirate flag might work.

Do not confuse Germany's prior superiority with made goods with their IT skills. As a German, I can tell you: We're becoming a 3rd world IT country real quick. Plus the USA is our best friend, including the NSA.
While that may be true (I do not know) it's still a connection I subconsciously make
>We're becoming a 3rd world IT country real quick.

How so? I usually think of Germany as being pretty good technologically.

A country is way to broad, you would have to put stickers of people or organizations with good reputation with regard to security on it, say Bruce Schneier or the EFF. But actually you should not do this either because you may evoke a false sense of security.
Or something that represents entropy. Maybe Ludwig Boltzmann or the entropy formula?
A truly random flag
(comment deleted)
The flag is definitely a bit weird.

Any flag is a bit weird.

This company is going to lose sales for something as trivial as a flag on an easily removable sticker.

I'm sometimes surprised to see HN - which freaking loves AB testing the colour of signup buttons - is resistant to people saying "I dislike this minor detail".

There should be a way for HN users to point out things they dislike about a product - politely, constructively, without undue negativity, and without derailing the thread with off-topic noodling about the website (unless the website is the product).

This is why I wish root level comments were collapsed by default. It might make it easier to completely ignore one that starts with "minor gripe, but...".
"This company is going to lose sales for something as trivial as a flag on an easily removable sticker."

Really? I can't imagine it'll HURT them. If they're proud of having it made in the US, who does that bother enough to say "man such a great product, but nope, not gonna buy it". I'd say it might have a marginal effect the other way, for people who like to buy US-made products, and almost no effect the other way.

ganja leaf sticker
And an italian web address. I thought the juxtaposition was rather amusing.
The flag is part of the marketing. Every other product they sell (boards) has a "Designed in the USA" text printed somewhere. Seems that they believe that having a product "Designed in the USA" gives it more credibility. One interesting point is that they do not mention where the products are actually made. With Tindie (and %99 of other) vendors, you are safe to assume that they are made in china. If not sourced in china and re-sold (which I have no issues with). Now, a RNG with an American flag that was assembled in China does remind me of those USA flags that have the little gold "Made in China" sticker. Would I buy this? Only to play with it on an old air gapped machine.
totally personal opinion here, but a lot of the stuff that say "made in the USA" are aimed toward a different crowd(older generation) than this product..
That's a good point. Another reason is to differentiate themselves from re-sellers. Like the Ebay stores that put "Ships from USA" in the listing titles.
Nicely documented. I wanted to be reminded of what a bitmap picture for a PRNG bitstream looks like, and found this example: https://www.random.org/analysis/randbitmap-wamp.png

(bad due to visible patterns, compared to the shown picture for their hardware generator: http://ubld.it/wp-content/uploads/2014/02/random_bitmap.png )

Curiously, the shop shows sales data:

    376 orders / 22 reviews
    Since Mar 04, 2014 
(as of about 14h WEST, 2015.05.22, let's see if it budges ;-)
Be aware that a decent prng will look just like the true one. That one's particularly crap. The Mersenne Twisters have incredibly long periods (2^19937 - 1 common) and you won't see anything. These are not at all cryptographically secure.
If this pool is depleted then the kernel will block causing a delay until the kernel can provide the requested random numbers.

Is there a way to measure how often this happens and what kind of improvements would be expected after buying a hardware RNG?

What happened to EntropyKey? http://www.entropykey.co.uk/
Not sure. I got an Entropy Key from Simtec about 4 years ago.

The case of the TrueRNG looks identical to the Entropy Key, but for all I know that could just be a common part.

Yeah, me too. So I was surpirsed that their website no longer seems to be available.
They used up the devices they'd had manufactured, were saying they had no idea if and when they'd have more ... and I guess they've completely given up, now.
So... they exhausted their entropy pool?
Slightly OT but, didn't, back in the day, some PC sound cards have a white noise generator that one could use for random numbers?
Do these work on FreeBSD?
Sounds pretty fucking expensive.

You can get a $10 RTL-SDR [1] dongle that happily churns out over 2MSp/s and feed random radio noise to your entropy pool using rtl_entropy [2].

Also what's up with the flag, 'murica?

[1] - http://sdr.osmocom.org/trac/wiki/rtl-sdr

[2] - https://github.com/pwarren/rtl-entropy

That's kinda neat thanks!
Very nice, on [2] are the instructions:

"If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 50 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio."

But where do you find $10 dongles? I've found just NooElec NESDR XTR for $50? Edit: OK, there are cheaper dongles with RTL2832U, just not with E4000

They're selling a $50 "product." You've linked to a $10 experiment. Just the fact that theirs comes with a signed Windows driver and software Linux support out of the box, justifies every cent of the $40.

This complaint is akin to people who complain "a $700 iPhone only has $150 of parts." It might be true, but it ignores the entire development cost, value add, and ease of use relative to buying a box of bolts and building an iPhone (or in this case a RND source).

Their price is very reasonable, and your $10 alternative is not a realistic alternative.

Beware of single junction devices, if that should ever fail and not be detected then you're in a world of trouble.
>Showing the random stream as a bitmap shows no visible patterns like a pseudo random number generator will

Huh? Some PRNGs sure, but I don't really know what this is trying to prove. The output of any decent stream cipher will appear just as random.

Sometimes if you start varying the output width of such a process dynamically you can pick out patterns. Not saying this is the case here but it's an interesting trick to allow your visual cortex to do some pretty heavy numerical lifting.
The "random bitmap" got somehow compressed by the PNG format by 50% :)