At 11:39 AM -0500 8/13/99, Jim Thompson wrote:
>>> This thread started over concerns about diskless nodes that want to
>>> run IPsec. Worst case, these boxes would not have any slots or other
>>> expansion capability. The only source of entropy would be network
>>> transactions, which makes me nervous...
>>
>> An interesting alternative, I think, is an add-on RNG which could go on a
>> serial or parallel port. The bandwidth achievable without loading down
>> the machine is limited, but we don't need tremendous speeds, and many PCs
>> used as routers, firewalls, etc. have such ports sitting idle. Even
>> semi-dedicated diskless boxes would *often* have one of those.
>
>Of course, such a box already exists. The complete details of its design
>are available, and purchasing the box gives you the right to reproduce
>the design (once) such that you can, indeed, verify that you're getting
>random bits out of the box.

I spent some time searching the Web for hardware randomness sources
and I have summarized what I found at
http://www.world.std.com/~reinhold/truenoise.html. I located several
serial port RNG devices and some good sources of white noise that can
be plugged into a sound port. I don't think I found the box Mr.
Thompson refers to, but I would be glad to add it to the list. I
also included serial and USB video cameras, which may be a good
source of randomness due to digitization noise, if nothing else.

I still feel strongly that diskless machines that are likely to use
IPsec or other security software (e.g. SSL) should have a built-in
source of randomness, a la the Pentium III. If the other
microprocessor manufacturers won't comply, a TRNG should be included
on one of the support chips. Randomness generation is so critical to
public key cryptography that we should insist it be engineered in,
not pasted on.

Arnold Reinhold