Re: [Cryptography] Radioactive random numbers
On Tue, 17 Sep 2013 11:35:34 -0400 Perry E. Metzger pe...@piermont.com wrote:
> Added c...@panix.com -- if you want to re-submit this (and maybe not top post it) I will approve it...

Gah! Accidentally forwarded that to the whole list, apologies.

-- 
Perry E. Metzger pe...@piermont.com

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Radioactive random numbers
Added c...@panix.com -- if you want to re-submit this (and maybe not top post it) I will approve it...

Perry

On Tue, 17 Sep 2013 11:08:43 -0400 Carl Ellison c...@panix.com wrote:
> If you can examine your setup and determine all possible memory in the device, count that memory in bit-equivalents, and discover that the number of bits is small (e.g., 8), then you can apply Maurer's test: ftp://ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf
>
> Of course, if you're concerned that someone has slipped you a CPU chip with a PRNG replacing the RNG, you can't detect that without ripping the chip apart.
>
> On 9/12/13 11:00 AM, Perry E. Metzger pe...@piermont.com wrote:
> > On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com wrote:
> > > It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted?
> >
> > Actually, I think things like this mostly have been missing because manufacturers didn't understand they were important. Even the Raspberry Pi now has an SoC with a hardware RNG.
> >
> > In addition to getting CPU makers to always include such things, however, a second vital problem is how to gain trust that such RNGs are good -- both that a particular unit isn't subject to a hardware defect and that the design wasn't sabotaged. That's harder to do.
> >
> > Perry

-- 
Perry E. Metzger pe...@piermont.com
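Maurer's universal statistical test, which Carl points to above, is worth seeing in code: it measures the mean log2 distance between repeats of each L-bit block, so a source whose internal state is only a few bits (or which is stuck) repeats blocks at short distances and scores far below the expected value. The following is an added example, not code from the thread or from Maurer's paper; the constants are the L=6..8 rows of the Maurer (1992) / NIST SP 800-22 table, and both sample streams are constructed here (a SHA-256 counter standing in for a good source, a stuck-at-zero stream for a bad one) rather than captured from hardware.

```python
"""Maurer's universal statistical test in the NIST SP 800-22 form.
Added example; constants from Maurer 1992 / SP 800-22 section 2.9,
sample streams constructed below, not captured from any device."""
import hashlib
import math

# (expected value, variance) of the statistic f_n for block length L.
MAURER_TABLE = {
    6: (5.2177052, 2.954),
    7: (6.1962507, 3.125),
    8: (7.1836656, 3.238),
}


def bytes_to_bits(data):
    """Unpack bytes into a list of 0/1 ints, MSB first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def min_bits(L=6):
    """Smallest sample the test accepts for this L (Q = 10*2^L, K >= 1000*2^L)."""
    return L * (10 * (1 << L) + 1000 * (1 << L))


def maurer_universal(bits, L=6, Q=None):
    """Return (f_n, p_value) for a 0/1 sequence.

    f_n is the mean log2 distance between repeats of each L-bit block.
    Blocks 0..Q-1 only prime the last-seen table; blocks Q..Q+K-1 are scored."""
    expected, variance = MAURER_TABLE[L]
    Q = Q or 10 * (1 << L)            # NIST's initialization length
    K = len(bits) // L - Q            # number of blocks actually scored
    if K < 1000 * (1 << L):           # below this the reference distribution is not trustworthy
        raise ValueError("need at least %d bits for L=%d" % (min_bits(L), L))

    def block(i):
        v = 0
        for b in bits[i * L:(i + 1) * L]:
            v = (v << 1) | b
        return v

    last_seen = [0] * (1 << L)        # 1-based position of last occurrence, 0 = never seen
    for i in range(Q):                # initialization segment
        last_seen[block(i)] = i + 1
    total = 0.0
    for i in range(Q, Q + K):         # test segment
        pat = block(i)
        total += math.log2((i + 1) - last_seen[pat])
        last_seen[pat] = i + 1
    f_n = total / K

    # Finite-K correction to the standard deviation, then a two-sided p-value.
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(variance / K)
    p_value = math.erfc(abs(f_n - expected) / (math.sqrt(2) * sigma))
    return f_n, p_value


def sha256_counter_bits(nbytes, seed=b"constructed seed"):
    """Constructed 'good' source: SHA-256 of a counter. It passes, which is
    exactly why a statistical test cannot tell a PRNG from real noise."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes_to_bits(bytes(out[:nbytes]))


def stuck_source_bits(nbits):
    """Constructed 'bad' source: a device whose output is stuck at zero."""
    return [0] * nbits


if __name__ == "__main__":
    n = min_bits(6)
    for name, bits in (("sha256 counter", sha256_counter_bits((n + 7) // 8)),
                       ("stuck at zero", stuck_source_bits(n))):
        f_n, p = maurer_universal(bits)
        print("%-15s f_n=%.4f p=%.3g %s" % (name, f_n, p, "PASS" if p >= 0.01 else "FAIL"))
```

The stuck source scores f_n = 0 because every block repeats at distance 1. The SHA-256 counter lands near the expected 5.2177 and passes, which is the caveat Carl is making in the same breath: the test bounds the memory of the process that produced the stream, it does not tell a well-made PRNG from a physical source.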
Re: [Cryptography] Radioactive random numbers
On Fri, 13 Sep 2013, Eugen Leitl wrote:
> > Given that there is One True Source of randomness to wit radioactive
>
> What makes you think that e.g. breakdown in a reverse biased Zener diode is any less true random? Or thermal noise in a crappy CMOS circuit?

It was a throw-away line; sigh... The capitals should've been a hint. And yes, I know about crappy CMOS circuits; I've unintentionally built enough of them :-)

> In fact, http://en.wikipedia.org/wiki/Hardware_random_number_generator#Physical_phenomena_with_quantum-random_properties lists a lot of potential sources, some with a higher rate and more private than others.

Thanks.

-- 
Dave, who must stop being subtle
Re: [Cryptography] Radioactive random numbers
(curse you anti-gmail-top-posting zealots...)

On Wed, Sep 11, 2013 at 3:47 PM, Dave Horsfall d...@horsfall.org wrote:
> Another whacky idea... Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors?

Yep. For fun I wrote a custom firmware for the Sparkfun Geiger counter to do random bit or byte generation that I could mix into my system's entropy pool. I'll eventually update the code to also work with the ExcelPhysics APOC.

Acknowledging some prior art: http://www.fourmilab.ch/hotbits/

> The ionising types are being phased out in favour of optical (at least in Australia) so there must be heaps of them lying around.

There are heaps of them at big-box retailers in the US, with no sign of going away. I got a couple for $5 each.

> I know - legislative requirements, HAZMAT etc, but it ought to make for a good thought experiment.

Low activity sources seem to be fairly unencumbered. There are plenty of places that will sell calibrated test sources or lumps of random ore for educational use. Then you get to tell people funny stories about the time you bought radioactive material on the internet, and someone else gets to do the compliance paperwork (if necessary).

Homebrew geiger counter rigs aren't exactly practical or scalable - I don't want to make my datacenter guys cut open a case of smoke detectors and solder a dozen GM tubes so we can have good random numbers.

A better solution might be to use one of the various thumb-drive sized AVR-USB boards: load in a simple firmware to emulate a serial port, and emit samples from the onboard ADCs and RC oscillators... no soldering required. I was going to say that it's simple to inspect the code - even the generated assembly or the raw hex - for undesired behavior, then I remembered the USB side is non-trivial.

If you're not using the onboard USB hardware it's much easier to verify that you're only doing an ADC sample, a timer read, a couple of comparisons, a UART write, and nothing else (assuming you offload the whitening to your host's entropy pool).

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
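The host side of the AVR-over-serial idea above is where the whitening the poster offloads would actually live: take the raw ADC and timer samples the firmware streams out, keep only the noisy low bits, estimate how much entropy they carry, and only then condition them into seed material and credit the kernel pool. The following is an added example, not code from the thread or from any firmware mentioned in it. The line format "adc=<n> tmr=<n>" and the number of low bits kept per field are assumptions about what such a firmware would emit, and the sample lines are constructed with a seeded PRNG rather than captured from a board.

```python
"""Host-side handling of a raw-sample stream from a small microcontroller
noise source. Added example; the 'adc=<n> tmr=<n>' line format and the
constructed sample lines are assumptions, not anything from the thread."""
import hashlib
import math
import random
import struct
from collections import Counter

RNDADDENTROPY = 0x40085203   # Linux ioctl: mix bytes into /dev/random and credit entropy


def parse_line(line):
    """Parse one assumed firmware line, e.g. 'adc=517 tmr=33812' -> (517, 33812)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["adc"]), int(fields["tmr"])


def low_bits(value, nbits):
    """The nbits least-significant bits of value, most significant of those first."""
    return [(value >> i) & 1 for i in range(nbits - 1, -1, -1)]


def raw_bits_from_lines(lines, adc_bits=2, tmr_bits=1):
    """Keep only the low bits of each sample: the high ADC bits mostly track
    the DC level and the high timer bits are just a counter."""
    bits = []
    for line in lines:
        adc, tmr = parse_line(line)
        bits += low_bits(adc, adc_bits) + low_bits(tmr, tmr_bits)
    return bits


def von_neumann(bits):
    """Classic debiasing: 01 -> 0, 10 -> 1, 00 and 11 dropped. Removes bias
    only if consecutive bits are independent; correlated input defeats it."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def min_entropy_per_bit(bits):
    """Most-common-value estimate of min-entropy per bit (the simplest of the
    SP 800-90B estimators): -log2 of the frequency of the commoner symbol."""
    if not bits:
        return 0.0
    p_max = max(Counter(bits).values()) / len(bits)
    return -math.log2(p_max)


def condition(bits, out_len=32, margin=2.0):
    """Hash the raw bits into out_len bytes of seed, refusing unless the
    estimate shows margin times as much min-entropy as we will claim."""
    have = min_entropy_per_bit(bits) * len(bits)
    need = margin * 8 * out_len
    if have < need:
        raise ValueError("estimated %.0f bits of min-entropy, need %.0f" % (have, need))
    packed = int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")
    return hashlib.sha256(packed).digest()


def credit_to_kernel_pool(seed, entropy_bits, dev="/dev/random"):
    """Linux only, needs root. Hands struct rand_pool_info { int entropy_count;
    int buf_size; __u32 buf[]; } to RNDADDENTROPY. Credit less than the
    estimate so an optimistic estimator cannot overstate the pool."""
    import fcntl
    payload = struct.pack("ii", entropy_bits, len(seed)) + seed
    with open(dev, "wb") as f:
        fcntl.ioctl(f, RNDADDENTROPY, payload)


def constructed_samples(n, seed=20130911):
    """Constructed stand-in for the serial stream: a 10-bit ADC hovering
    around mid-scale with a little noise, and a 16-bit timer with jitter."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        adc = min(1023, max(0, 512 + int(rng.gauss(0, 3))))
        tmr = (i * 7919 + rng.randrange(4)) & 0xFFFF
        lines.append("adc=%d tmr=%d" % (adc, tmr))
    return lines


if __name__ == "__main__":
    bits = raw_bits_from_lines(constructed_samples(1000))
    print("raw bits: %d, ~%.2f bits min-entropy each" % (len(bits), min_entropy_per_bit(bits)))
    seed = condition(bits)
    print("seed:", seed.hex())
    # credit_to_kernel_pool(seed, entropy_bits=128)   # uncomment on Linux as root
```

Two points a practitioner should take from this. The estimate on the constructed stream comes out a little under one bit per bit because truncated noise biases the low ADC bits, and that is what the margin in `condition` is for. And von Neumann debiasing is not a substitute for that estimate: feed it the periodic pattern 1,1,1,0 and it returns all ones, so a firmware that only does "an ADC sample, a timer read, a couple of comparisons" should leave the whitening to the host exactly as the post suggests, where you can also measure what you are whitening.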
Re: [Cryptography] Radioactive random numbers
On 9/11/2013 6:47 PM, Dave Horsfall wrote:
> Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors?

I did that a decade ago, to wit: http://etoan.com/random-number-generation/index.html

Cheers,
Dan
Re: [Cryptography] Radioactive random numbers
On Thu, Sep 12, 2013 at 11:00:47AM -0400, Perry E. Metzger wrote:
> In addition to getting CPU makers to always include such things, however, a second vital problem is how to gain trust that such RNGs are good -- both that a particular unit isn't subject to a hardware defect and that the design wasn't sabotaged. That's harder to do.

Or that a design that wasn't sabotaged intentionally wasn't sabotaged accidentally while dropping it into place in a slightly different product. I've always thought highly of the design of the Hifn RNG block, and the outside analysis of it which they published, but years ago at Reefedge we found a bug in its integration into a popular Hifn crypto processor that evidently had slipped through the cracks -- I discussed it in more detail last year at http://permalink.gmane.org/gmane.comp.security.cryptography.randombit/3020 .

Thor
Re: [Cryptography] Radioactive random numbers
On Thu, Sep 12, 2013 at 08:47:16AM +1000, Dave Horsfall wrote:
> Another whacky idea...
>
> Given that there is One True Source of randomness to wit radioactive

What makes you think that e.g. breakdown in a reverse biased Zener diode is any less true random? Or thermal noise in a crappy CMOS circuit?

In fact, http://en.wikipedia.org/wiki/Hardware_random_number_generator#Physical_phenomena_with_quantum-random_properties lists a lot of potential sources, some with a higher rate and more private than others.

> emission, has anyone considered playing with old smoke detectors?
>
> The ionising types are being phased out in favour of optical (at least in Australia) so there must be heaps of them lying around.
>
> I know - legislative requirements, HAZMAT etc, but it ought to make for a good thought experiment.
Re: [Cryptography] Radioactive random numbers
Dave Horsfall d...@horsfall.org writes:
> Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors? The ionising types are being phased out in favour of optical (at least in Australia) so there must be heaps of them lying around.

If you're in Australia you don't need to use smoke detectors, you've got direct access to the real stuff. I've used a lump of Australian uranium ore with my geiger counter in the past. Problem is that this is hardly scalable.

Peter.
Re: [Cryptography] Radioactive random numbers
On Wed, Sep 11, 2013 at 4:18 PM, Perry E. Metzger pe...@piermont.com wrote:
> The attraction of methods that use nothing but a handful of transistors is that they can be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble.

It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted? Patents?

http://electronicdesign.com/learning-resources/understanding-intels-ivy-bridge-random-number-generator

-- 
Tony Arcieri
Re: [Cryptography] Radioactive random numbers
On 09/11/2013 07:18 PM, Perry E. Metzger wrote:
> The attraction of methods that use nothing but a handful of transistors is that they can be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble.
>
> Perry

And this is the reason that I'd be in favour of diversity -- using sound cards, lava-lamps, etc, etc. Sources that don't explicitly identify themselves as the random number generator. There's no way for a bad actor to cover all the bases, and since these things are primarily used for things other than random-number sources, it may be hard to break them in ways that don't also break their primary purpose (although, if you're just mucking with the low-order noise bits of some arbitrarily-chosen digitization of a real-world source, it would be hard to tell the difference).

-- 
Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium
http://www.sbrac.org
Re: [Cryptography] Radioactive random numbers
On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com wrote:
> It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted?

Actually, I think things like this mostly have been missing because manufacturers didn't understand they were important. Even the Raspberry Pi now has an SoC with a hardware RNG.

In addition to getting CPU makers to always include such things, however, a second vital problem is how to gain trust that such RNGs are good -- both that a particular unit isn't subject to a hardware defect and that the design wasn't sabotaged. That's harder to do.

Perry

-- 
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] Radioactive random numbers
On Wed, 11 Sep 2013 21:06:35 -0400 Marcus D. Leech mle...@ripnet.com wrote:
> And this is the reason that I'd be in favour of diversity -- using sound cards, lava-lamps, etc, etc. Sources that don't explicitly identify themselves as the random number generator.

As a practical matter, though, people aren't going to put lava lamps and cameras in their colos along with every 1U box and blade server. They also won't attach them to the $40 boxes they buy at Best Buy.

Good solutions probably involve hardware that is well tested, on motherboard, dirt cheap and easy for software to field validate. Yes, this is hard.

Perry

-- 
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] Radioactive random numbers
On Thu, 12 Sep 2013 08:47:16 +1000 (EST) Dave Horsfall d...@horsfall.org wrote:
> Another whacky idea... Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors?

People have experimented with all sorts of stuff, and you can make any of hundreds of methods from cameras+lava lamp+hash function to sound cards to radioactive sources work if you have budget and time.

The issue is not finding ways to generate entropy. The issue is that you need something that's cheap and ubiquitous. User endpoints like cell phones have users to help them generate entropy, but the world's routers, servers, etc. do not have good sources, especially at first boot time, and for customer NAT boxes and the like the price points are vicious.

The attraction of methods that use nothing but a handful of transistors is that they can be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble.

Perry

-- 
Perry E. Metzger pe...@piermont.com