Re: [Cryptography] Radioactive random numbers

2013-09-17 Thread Perry E. Metzger
On Tue, 17 Sep 2013 11:35:34 -0400 Perry E. Metzger
pe...@piermont.com wrote:
> Added c...@panix.com -- if you want to re-submit this (and maybe not
> top post it) I will approve it...

Gah! Accidentally forwarded that to the whole list, apologies.

-- 
Perry E. Metzger pe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Radioactive random numbers

2013-09-17 Thread Perry E. Metzger
Added c...@panix.com -- if you want to re-submit this (and maybe not
top post it) I will approve it...

Perry

On Tue, 17 Sep 2013 11:08:43 -0400 Carl Ellison c...@panix.com wrote:
> If you can examine your setup and determine all possible memory in
> the device, count that memory in bit-equivalents, and discover that
> the number of bits is small (e.g., 8), then you can apply Maurer's
> test:
>
> ftp://ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf
>
>
> Of course, if you're concerned that someone has slipped you a CPU
> chip with a PRNG replacing the RNG, you can't detect that without
> ripping the chip apart.
>
> On 9/12/13 11:00 AM, Perry E. Metzger pe...@piermont.com wrote:
>
> On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com
> wrote:
>> It seems like Intel's approach of using thermal noise is fairly
>> sound. Is there any reason why it isn't more widely adopted?
>
> Actually, I think things like this mostly have been missing
> because manufacturers didn't understand they were important. Even
> the Raspberry Pi now has an SoC with a hardware RNG.
>
> In addition to getting CPU makers to always include such things,
> however, a second vital problem is how to gain trust that such RNGs
> are good -- both that a particular unit isn't subject to a hardware
> defect and that the design wasn't sabotaged. That's harder to do.
>
> Perry
> -- 
> Perry E. Metzger pe...@piermont.com



-- 
Perry E. Metzger pe...@piermont.com
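A worked version of the Maurer universal test that Carl Ellison points to, added here as an illustration rather than code from the thread: the per-block mean and variance constants are those tabulated for the universal test in NIST SP 800-22, and the sample inputs are constructed (a SHA-256 counter stream standing in for a good source, to be compared with a stuck-at-zero stream and a two-byte repeating pattern).

```python
"""Maurer's universal statistical test (Maurer 1992; NIST SP 800-22 universal test)."""
import hashlib
import math

# Asymptotic mean and variance of log2(distance) per L-bit block (NIST SP 800-22).
MAURER_TABLE = {6: (5.2177052, 2.954), 7: (6.1962507, 3.125),
                8: (7.1836656, 3.238), 9: (8.1764248, 3.311)}

def blocks_of(data, L):
    """Split data (MSB first) into non-overlapping L-bit integers; drop a partial tail."""
    out, acc, nacc = [], 0, 0
    for byte in data:
        acc, nacc = (acc << 8) | byte, nacc + 8
        while nacc >= L:
            nacc -= L
            out.append((acc >> nacc) & ((1 << L) - 1))
            acc &= (1 << nacc) - 1
    return out

def maurer_test(data, L=8, Q=None):
    """Return (f_n, p_value). The first Q blocks (default 10 * 2**L) only fill the
    last-seen table; each of the K remaining blocks scores log2 of the distance to
    the previous occurrence of the same pattern, so a repetitive source scores low."""
    mean, var = MAURER_TABLE[L]
    Q = Q or 10 * 2 ** L
    blocks = blocks_of(data, L)
    K = len(blocks) - Q
    if K < 1000:
        raise ValueError("too little data: only %d test blocks" % K)
    last = [0] * (1 << L)  # 1-based position of each pattern's last occurrence
    for i in range(1, Q + 1):
        last[blocks[i - 1]] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):
        b = blocks[i - 1]
        total += math.log2(i - last[b])
        last[b] = i
    f_n = total / K
    # finite-K correction factor c and standard deviation, as in NIST SP 800-22
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(var / K)
    return f_n, math.erfc(abs(f_n - mean) / (math.sqrt(2) * sigma))

def sha256_stream(nbytes, label=b"constructed sample"):
    """Constructed input: SHA-256 in counter mode, standing in for a good source."""
    out = bytearray()
    for ctr in range((nbytes + 31) // 32):
        out += hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:nbytes])
```

With 2560 + 25600 bytes at L=8 the hash stream lands close to the tabulated mean of about 7.18, a stream stuck at zero gives f_n = 0, and the 00/FF pattern gives exactly 1.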


Re: [Cryptography] Radioactive random numbers

2013-09-16 Thread Dave Horsfall
On Fri, 13 Sep 2013, Eugen Leitl wrote:

>> Given that there is One True Source of randomness to wit radioactive 
>
> What makes you think that e.g. breakdown in a reverse biased
> Zener diode is any less true random? Or thermal noise in a
> crappy CMOS circuit?

It was a throw-away line; sigh...  The capitals should've been a hint.

And yes, I know about crappy CMOS circuits; I've unintentionally built
enough of them :-)

> In fact, 
> http://en.wikipedia.org/wiki/Hardware_random_number_generator#Physical_phenomena_with_quantum-random_properties
> lists a lot of potential sources, some with a higher
> rate and more private than others.

Thanks.

-- Dave, who must stop being subtle


Re: [Cryptography] Radioactive random numbers

2013-09-13 Thread Chris Kuethe
(curse you anti-gmail-top-posting zealots...)

On Wed, Sep 11, 2013 at 3:47 PM, Dave Horsfall d...@horsfall.org wrote:

> Another whacky idea...
>
> Given that there is One True Source of randomness to wit radioactive
> emission, has anyone considered playing with old smoke detectors?


Yep. For fun I wrote a custom firmware for the Sparkfun Geiger counter to
do random bit or byte generation that I could mix into my system's entropy
pool. I'll eventually update the code to also work with the ExcelPhysics
APOC.

acknowledging some prior art: http://www.fourmilab.ch/hotbits/

> The ionising types are being phased out in favour of optical (at least in
> Australia) so there must be heaps of them lying around.


There are heaps of them at big-box retailers in the US, with no sign of
going away. I got a couple for $5 each.


> I know - legislative requirements, HAZMAT etc, but it ought to make for a
> good thought experiment.


Low activity sources seem to be fairly unencumbered. There are plenty of
places that will sell calibrated test sources or lumps of random ore for
educational use. Then you get to tell people funny stories about the time
you bought radioactive material on the internet, and someone else gets to
do the compliance paperwork (if necessary).

Homebrew geiger counter rigs aren't exactly practical or scalable - I don't
want to make my datacenter guys cut open a case of smoke detectors and
solder a dozen GM tubes so we can have good random numbers. A better
solution might be to use one of the various thumb-drive sized AVR-USB
boards: load in a simple firmware to emulate a serial port, and emit
samples from the onboard ADCs and RC oscillators... no soldering required.

I was going to say that it's simple to inspect the code - even the
generated assembly or the raw hex - for undesired behavior, then I
remembered the USB side is non-trivial. If you're not using the onboard USB
hardware it's much easier to verify that you're only doing an ADC sample, a
timer read, a couple of comparisons, a UART write, and nothing else
(assuming you offload the whitening to your host's entropy pool).

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?

Re: [Cryptography] Radioactive random numbers

2013-09-13 Thread Dan Veeneman
On 9/11/2013 6:47 PM, Dave Horsfall wrote:
> Given that there is One True Source of randomness to wit radioactive 
> emission, has anyone considered playing with old smoke detectors?
I did that a decade ago, to wit:

http://etoan.com/random-number-generation/index.html


Cheers,
Dan


Re: [Cryptography] Radioactive random numbers

2013-09-13 Thread Thor Lancelot Simon
On Thu, Sep 12, 2013 at 11:00:47AM -0400, Perry E. Metzger wrote:
 
> In addition to getting CPU makers to always include such things,
> however, a second vital problem is how to gain trust that such RNGs
> are good -- both that a particular unit isn't subject to a hardware
> defect and that the design wasn't sabotaged. That's harder to do.

Or that a design that wasn't sabotaged intentionally wasn't sabotaged
accidentally while dropping it into place in a slightly different
product.  I've always thought highly of the design of the Hifn RNG
block, and the outside analysis of it which they published, but years
ago at Reefedge we found a bug in its integration into a popular Hifn
crypto processor that evidently had slipped through the cracks -- I
discussed it in more detail last year at
http://permalink.gmane.org/gmane.comp.security.cryptography.randombit/3020 .

Thor


Re: [Cryptography] Radioactive random numbers

2013-09-13 Thread Eugen Leitl
On Thu, Sep 12, 2013 at 08:47:16AM +1000, Dave Horsfall wrote:
> Another whacky idea...
>
> Given that there is One True Source of randomness to wit radioactive 

What makes you think that e.g. breakdown in a reverse biased
Zener diode is any less true random? Or thermal noise in a
crappy CMOS circuit?

In fact, 
http://en.wikipedia.org/wiki/Hardware_random_number_generator#Physical_phenomena_with_quantum-random_properties
lists a lot of potential sources, some with a higher
rate and more private than others.

> emission, has anyone considered playing with old smoke detectors?
>
> The ionising types are being phased out in favour of optical (at least in 
> Australia) so there must be heaps of them lying around.
>
> I know - legislative requirements, HAZMAT etc, but it ought to make for a 
> good thought experiment.


Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Peter Gutmann
Dave Horsfall d...@horsfall.org writes:

> Given that there is One True Source of randomness to wit radioactive
> emission, has anyone considered playing with old smoke detectors?
>
> The ionising types are being phased out in favour of optical (at least in
> Australia) so there must be heaps of them lying around.

If you're in Australia you don't need to use smoke detectors, you've got 
direct access to the real stuff.  I've used a lump of Australian uranium ore 
with my geiger counter in the past.  Problem is that this is hardly scalable.

Peter.


Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Tony Arcieri
On Wed, Sep 11, 2013 at 4:18 PM, Perry E. Metzger pe...@piermont.com wrote:

> The attraction of methods that use nothing but a handful of
> transistors is that they can be fabricated on chip and thus have
> nearly zero marginal cost. The huge disadvantage is that if your
> opponent can convince chip manufacturers to introduce small changes
> into their design, you're in trouble.


It seems like Intel's approach of using thermal noise is fairly sound. Is
there any reason why it isn't more widely adopted? Patents?

http://electronicdesign.com/learning-resources/understanding-intels-ivy-bridge-random-number-generator


-- 
Tony Arcieri

Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Marcus D. Leech

On 09/11/2013 07:18 PM, Perry E. Metzger wrote:

> The attraction of methods that use nothing but a handful of
> transistors is that they can be fabricated on chip and thus have
> nearly zero marginal cost. The huge disadvantage is that if your
> opponent can convince chip manufacturers to introduce small changes
> into their design, you're in trouble.
>
> Perry
And this is the reason that I'd be in favour of diversity -- using
sound cards, lava-lamps, etc, etc.  Sources that don't explicitly
identify themselves as the random number generator.

There's no way for a bad actor to cover all the bases, and since these
things are primarily used for things other than random-number sources,
it may be hard to break them in ways that don't also break their
primary purpose (although, if you're just mucking with the low-order
noise bits of some arbitrarily-chosen digitization of a real-world
source, it would be hard to tell the difference).




--
Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium
http://www.sbrac.org



Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Perry E. Metzger
On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com
wrote:
> It seems like Intel's approach of using thermal noise is fairly
> sound. Is there any reason why it isn't more widely adopted?

Actually, I think things like this mostly have been missing
because manufacturers didn't understand they were important. Even
the Raspberry Pi now has an SoC with a hardware RNG.

In addition to getting CPU makers to always include such things,
however, a second vital problem is how to gain trust that such RNGs
are good -- both that a particular unit isn't subject to a hardware
defect and that the design wasn't sabotaged. That's harder to do.

Perry
-- 
Perry E. Metzger pe...@piermont.com


Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Perry E. Metzger
On Wed, 11 Sep 2013 21:06:35 -0400 Marcus D. Leech
mle...@ripnet.com wrote:
> And this is the reason that I'd be in favour of diversity --
> using sound cards, lava-lamps, etc, etc.  Sources that don't
> explicitly identify themselves as the random number generator.

As a practical matter, though, people aren't going to put lava lamps
and cameras in their colos along with every 1U box and blade server.
They also won't attach them to the $40 boxes they buy at Best Buy.

Good solutions probably involve hardware that is well tested, on
motherboard, dirt cheap and easy for software to field validate. Yes,
this is hard.

Perry
-- 
Perry E. Metzger pe...@piermont.com


Re: [Cryptography] Radioactive random numbers

2013-09-11 Thread Perry E. Metzger
On Thu, 12 Sep 2013 08:47:16 +1000 (EST) Dave Horsfall
d...@horsfall.org wrote:
> Another whacky idea...
>
> Given that there is One True Source of randomness to wit
> radioactive emission, has anyone considered playing with old smoke
> detectors?

People have experimented with all sorts of stuff, and you can make
any of hundreds of methods from cameras+lava lamp+hash function to
sound cards to radioactive sources work if you have budget and time.

The issue is not finding ways to generate entropy. The issue is that
you need something that's cheap and ubiquitous.

User endpoints like cell phones have users to help them generate
entropy, but the world's routers, servers, etc. do not have good
sources, especially at first boot time, and for customer NAT boxes and
the like the price points are vicious.

The attraction of methods that use nothing but a handful of
transistors is that they can be fabricated on chip and thus have
nearly zero marginal cost. The huge disadvantage is that if your
opponent can convince chip manufacturers to introduce small changes
into their design, you're in trouble.

Perry
-- 
Perry E. Metzger pe...@piermont.com