OpenHardware Random Number Generator

Before I spend another night reading datasheets; would anyone be interested in an OpenHardware random number generator in an full-size SD card format? The idea being you insert the RNG into the SD slot of your laptop, leave it there, and the kernel module just slurps trusted entropy when required.

Why SD? It’s a port that a a lot of laptops already have empty, and on server class hardware you can just install a PCIe addon card. I think I can build such a thing for less than $50, but at the moment I’m just waiting for parts for a prototype so that’s really just a finger-in-the-air estimate. Are there enough free software people who care about entropy-related stuff?

Published by

hughsie

Richard has over 10 years of experience developing open source software. He is the maintainer of GNOME Software, PackageKit, GNOME Packagekit, GNOME Power Manager, GNOME Color Manager, colord, and UPower and also contributes to many other projects and opensource standards. Richard has three main areas of interest on the free desktop, color management, package management, and power management. Richard graduated a few years ago from the University of Surrey with a Masters in Electronics Engineering. He now works for Red Hat in the desktop group, and also manages a company selling open source calibration equipment. Richard's outside interests include taking photos and eating good food.

37 thoughts on “OpenHardware Random Number Generator”

  1. I like the idea, but I’d prefer USB (Standard-A) form factor — those are even more common. If it fit entirely inside an A socket, such that I could stick it in my server and then epoxy over the top, that would be ideal. (In less, er, permanent installations, I still wouldn’t mind needing tweezers to get it back out.)

  2. Why SD? What’s wrong with USB?

    I have 5 of these feeding entropy to virtual machines:

    http://www.entropykey.co.uk/

    They work great.

    Sadly the company is a mess and they don’t appear to be making them any more.

    I like the look of this, but it’s mostly marketing at this stage:

    https://www.kickstarter.com/projects/moonbaseotago/onerng-an-open-source-entropy-generator

    SD card format might be nice for the purposes of making it unobtrusive on a laptop, but I suspect that the biggest uses of hardware entropy sources are server operators and all our servers already come with USB slots and headers.

  3. Absolutely!

    …I was about to write how excited I am about finally getting an affordable hardware RNG that’s *also* completely open, and how there was nothing even remotely in that ballpark, but then I double-checked and found FST-01, or “Flying Stone Tiny ZERO-ONE”, which claims to be an open hardware RNG with some extra token stuff for $35.

    Why on earth didn’t that thing get more publicity? I would have been geeking out all over it a long time ago!

    So you might want to check that one out and see if it suits your needs. For one, I haven’t seen any mention of a proper kernel module that would read from the device and mix its output into the entropy pool.

  4. I would rate that idea numero uno for this year. Really. For 50$ I would buy more than one, maybe you can start a fundraiser.

    Where do you plan to get entropy from, hope not some proprietary IC?

      1. I’m pretty sure the built-in SD card reader in every laptop I have access to is connected via USB. Wouldn’t that pose the same problem? I get the impression that SDIO is a PDA thing.

        In that light, it seems to me that mass storage tricks would be the way to go even if you don’t care about external USB readers, unless I’m missing something.

          1. Huh. Looks like one of my laptops has an sdhci controller and another has a USB-connected controller. I’d like to say I’ve seen USB more often than PCI, but I’d have to go back and check the other two, which I don’t have with me at the moment.

            The one with USB shows both a Realtek RTS5129 and an Alcor device with ID 058f:6259, which appears to be another card reader. However, all I can find on the device is an SD slot. Interesting.

  5. I would love to have one of those on hand, but $50 without shipping seems like a lot for the little utilisation it’d get.
    It’s not every day I need to generate keys.

    A stupid idea came to mind while thinking about this. Someone trusted could use one of these to generate a bunch of numbers, sign every kB of it and give them away once.
    Is it more sane to trust that physical hardware will not be tampered with, or that signed numbers are what they claim to be ? I don’t know.

  6. Nice to see this, i’m certainly interested if you manage to make it a reality. Especially if you can indeed keep the price reasonable.

  7. As cool as it sounds, I feel that the SD card form factor is somewhat risky, from a security stand point.

    I could be wrong here (and please correct me if I am), but the only way to get this working via SD card is to emulate a disk of some sort. This means that someone with malicious intent *could* replace the SD card with their own version that generates seemingly random, but known sequences. Given that the SD card would be inserted inside your laptop or server, and not fully visible (to detect tampering), this becomes somewhat hard to detect by the end-user.

    USB on the other hand, is externally visible and can be made to be a harder to tamper with (eg. by using unique hardware serial numbers, end-to-end encryption, etc). Only the most determined would be able to successfully evade recognition in this form factor.

  8. What a great idea, I’d be interested.

    [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.

  9. FWIW, as a photographer, my one & only SD card slot is frequently in use, so having to swap between RNG card & the memory cards could become somewhat tedious. I do however have 3 USB ports and rarely have all 3 in use at the same time. Desktops would have 6 or more & many monitors have USB hubs builtin too – so there are loads of USB slots to play with. Size is obviously not a problem if you’re considering SD card slot, so perhaps taking the route Yubico did for their Yubikey Nano (which barely extends beyond the USB port) is viable ?

  10. I don’t believe this is a worthwhile endeavour and I will try to explain why.

    – Designing an actually secure physical randomness generator is a hard problem, and requires internal entropy tests to rule out malfunctions etc. Unless you demonstrate knowledge in the area that rivals current research papers in the field, it is a bit hard to be convinced about the soundness of the approach.

    – There is no cryptographic need for high speed entropy generation. The only need for entropy is limited to initial seeding and enough entropy now and then to recover from state compromise. All entropy used needs to be whitened via PRNG in any case (either in the hardware, or in a driver, or via the kernel entropy pool) so the speed at which entropy is used does not correlate to the speed at which true entropy needs to be generated.

    – There are lots of commercial and not so commercial solutions that do low to medium speed entropy generation, both higher and lower of the price point you said, both as SD card and USB. Examples include: any PKCS#11 compliant smart card, OpenPGP card, SmartCard-HSM (available as MicroSD), Infinite Noise, OneRNG, Crypto Stick, YubiKey and a huge amount of commercial cryptographic products from vendors such as Feitian, Gemalto, etc.

    – If the desire for open hardware here is security against NSA or similar entities, the difficulty is in ensuring the security of the manufacturing process. This requires non-trivial computational power so the components cannot be easily identified to not have been tampered with. There are some recent research papers in laying out chips so that any tampering during the manufacturing phase could be detected, but it is still an open research topic. Also, many companies providing existing solutions are small europe based companies which makes it less likely that they are compromised. And also, even if the entropy source is compromised, feeding it through the normal Linux random pool (or something better) and combining it with other entropy sources makes it unlikely that even a malicious entropy source could do any harm.

    – If the desire for open hardware is an ideological one, some of the mentioned alternatives are in fact open hardware. Helping them might or might not be a better idea.

    – Spending $50 for pure entropy generation is a bit steep, especially considering that the alternatives usually give an actual cryptographic processor for that cost with some encryption / decryption / key generation capability. An OpenPGP smart card is 14 EUR and can do entropy generation, PGP sign/encrypt, S/MIME sign/encrypt, SSH login and PIN protected symmetric key storage, using FIPS/CommonCriteria approved tamper resistant smart card hardware.

    However, the world is not by any means a worse place if one more solution pops up – so if you are set on the idea, just do it!

  11. It also occurs to me that random numbers are in short supply / highly prized in the virtualization world. We have a virtio-rng device which is usually setup to pull entropy from the host’s /dev/random and feed it to the guest. It would be interesting to have it pull directly from a hardware RNG so that guest virtual machines don’t directly affect the host’s RNG pool. I wonder how high data rates your anticipated device would be able to provide ? If multiple (eg 500+) separate (QEMU) processes could all pull data from it in parallel, each with a guaranteed entropy data rate + quality, that could make it quite appealing for virt.

  12. Many small devices come with micro SD slots only. I would prefer that format over full size SD.

  13. Good and necessary project. But please also offer USB connection.

    [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.

  14. Well hughsie, it’s like this:

    http://dilbert.com/strips/comic/2001-10-25/

    :)

    Tbh I don’t think random number generation is the #1 security issue at this moment… I’d be more worried for instance about the death of GPG (way too cumbersome to use for nowadays, usage is declining sharply), and there not being a modern alternative.

  15. Hello,

    I’m really interessted in these kind of hardware but not for security reasons.I’m studying the influence of the consciousness over the random number generation.

    So my question is : will the numbers generated by you hardware be unbiais or will there be a way to retrieve the raw numbers, even if they are biais ?

    Thank you,
    Andréas

  16. It might be worthwhile to think about adding other smartcard-like features as well (even if initially you don’t do the private key operations on the card). Google and Microsoft have set up https://fidoalliance.org/ that may (or may not) be going somewhere.

    There is a big market for 2nd factor authentication in the mobile space…

  17. We’re just using a combination of rdrand and the RNG in the TPM on our boards. I think that combination probably covers most use-cases in the higher-end world: servers will typically have TPMs, as will most more expensive laptops.

  18. I’m interested in the circuit more than the product. I need a good hardware RNG source for an open hardware project I’ve been working on / thinking about.

    Ian

Comments are closed.