Re: [liberationtech] RNG in Raspberry Pi

2013-10-03 Thread Andy Isaacson 
On Wed, Oct 02, 2013 at 11:57:24PM -0500, Paul Elliott wrote:
> What is the quality of the Hardware RNG in the Raspberry Pi?

Fairly unknown.  The current driver used in Raspbian and so on, which
exposes the RNG directly at /dev/hwrng is definitely *not* safe to use
raw -- it needs a mixing pool at the very least, and should ideally be
simply another input to the /dev/random entropy pool along with all of
the standard sources of entropy.

> I have heard about the controversy about the intel chip
> and wondered if there were any parallel questions about
> the Raspberry Pi.

The Intel chip at least has a published design -- the design is fairly
easy to poke holes in, but at least they did *that* much.

The Broadcom RNG has no public design documentation AFAIK.

This is not a good sign for security.

The best I've seen is the VIA independent evaluation:

http://www.cryptography.com/public/pdf/VIA_rng.pdf

> Near as I can figure out if an Hardware RNG does not
> come automaticly with your desktop or laptop, the Raspberry Pi
> seems to be about the cheapest source of random numbers you
> can get.

Far cheaper (in currency if not in time) is to use the audio amplifier
on your computer.  Here's one document on how:

http://www.av8n.com/turbid/paper/turbid.htm 

There's also a RNG firmware for the FST-01 programmable USB peripheral:
http://www.seeedstudio.com/wiki/FST-01
http://www.gniibe.org/memo/development/gnuk/rng/neug

> Entropy key are only 36 pounds, but they seem to have a long
> backlog.

Apparently the small company that made them is having issues.  I haven't
seen any evidence of them coming back to life, unfortunately.

> What about using and Raspberry Pi for hard random number 
> generation?

Might work.  I'd be cautious.  The FST-01 hardware is perhaps better
documented and easier to reverse engineer than the Broadcom chip.

-andy
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] RNG in Raspberry Pi

2013-10-02 Thread Paul Elliott 

What is the quality of the Hardware RNG in the Raspberry Pi?

I have heard about the controversy about the intel chip
and wondered if there were any parallel questions about
the Raspberry Pi.

Near as I can figure out if an Hardware RNG does not
come automaticly with your desktop or laptop, the Raspberry Pi
seems to be about the cheapest source of random numbers you
can get.

Entropy key are only 36 pounds, but they seem to have a long
backlog.

What about using and Raspberry Pi for hard random number 
generation?


Question 2:

What effect did Quantum World Corporation v. Atmel Corporation et
al have on the availablity of Hardware RNGs in PCs?

Thank you for considering my questions.



-- 
Paul Elliott   1(512)837-1096
pelli...@blackpatchpanel.com   PMB 181, 11900 Metric Blvd Suite J
http://www.free.blackpatchpanel.com/pme/   Austin TX 78758-3117
---
"Encryption works. Properly implemented strong crypto systems are one
of the few things that you can rely on. Unfortunately, endpoint
security is so terrifically weak that NSA can frequently find ways
around it." Edward Snowden
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.