[Cryptography] The world's most secure TRNG

David Johnston dj at deadhat.com
Wed Oct 8 21:17:57 EDT 2014


On 10/8/2014 4:00 PM, Dave Horsfall wrote:
> It's possible that I may have missed this (the list seems to have spiked
> lately), but how would the device present itself to the host?  A serial
> stream of random bits (like a terminal or a keyboard), or some sort of a
> structure with command and control etc?

The USB serial profile isn't a bad one. The drivers will be present in 
any OS and you can communicate the necessary protocol on top of the 
serial device. It certainly beats writing a device driver for every OS.

Since the device would be external to the computer (i.e. on the other 
end of a USB connection) it would be good if the owner of the device 
could provision the device with a secret key or a keypair which then 
sends the random data in signed lumps with some monotonic counter. So if 
something evil got in between the device and the consumer (application 
or OS kernel or VM or whatever) the consumer could check the data is 
what came from the device and isn't a replay or spoofed data. It's not 
perfect, but it addresses a number of attack scenarios.

I think the primary problem with writing software that uses random data 
is establishing that you have it. Most environments are 
indistinguishable in that sense. A low-entropy platform with lots of 
interrupts (e.g. a synchronously clocked embedded controller with no I/O 
until after it booted) will still provide data from /dev/random. It's 
easy to build a platform that has an entropy supply. It's hard to know 
how to tell that you're on such a platform if you're writing software to 
run on many platforms.

An external USB source is a good solution if you have an application 
that can securely identify data sourced from the device, regardless of 
what the platform in between is. Stick the device in the USB port, run 
the software and you've bypassed the risks of a low-entropy platform 
that isn't otherwise acting against your best interests. If it's just a 
noise source, it'll still work, but I wouldn't call it the most 
defensive design you could create.

FWIW, I've analyzed the raw entropy from hardware entropy sources on 
several products from several manufacturers and an alarming proportion 
of them either don't meet their min-entropy criteria or never defined 
them in the first place. Get your ducks in a row on the min-entropy you 
guarantee, the design margin, the online testing to ensure it's working 
and the extraction process and you will be in the upper quartile of RNG 
design quality.

-DJ
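The signed-lumps-with-a-counter scheme described in the message above, worked through as an added example (this is not DJ's code or any real device's protocol). It uses the shared-secret variant (HMAC-SHA256 over counter || random bytes); the frame layout, the 8-byte big-endian counter, the key size and the use of os.urandom as a stand-in for the hardware noise source are all assumptions made for the demo. Both ends are simulated in one process so the replay, reorder, tamper and spoof cases can be exercised offline.

```python
"""Signed, counter-stamped random 'lumps' from an external TRNG over a serial link.

Constructed example: device and consumer are both simulated in-process.
Wire frame (assumed layout): 8-byte big-endian counter || random bytes || 32-byte HMAC-SHA256 tag.
"""
import hashlib
import hmac
import os
import struct

CTR_LEN = 8
TAG_LEN = 32


class TrngDevice:
    """Stand-in for the USB device: holds the owner-provisioned key and a counter
    that only ever increases. (A real device would keep the counter in
    non-volatile storage so it survives power cycles.)"""

    def __init__(self, key: bytes, noise_source=os.urandom):
        self._key = key
        self._counter = 0
        self._noise = noise_source  # os.urandom stands in for the hardware noise source (assumption)

    def next_lump(self, nbytes: int = 32) -> bytes:
        self._counter += 1
        body = struct.pack(">Q", self._counter) + self._noise(nbytes)
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + tag


class TrngConsumer:
    """Application / kernel side: verifies the tag, then enforces a strictly
    increasing counter so a replayed or reordered frame is dropped."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def accept(self, frame: bytes) -> bytes:
        if len(frame) <= CTR_LEN + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Verify the tag before trusting the counter field: otherwise anyone on
        # the wire could burn counter values with unauthenticated frames.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: spoofed or tampered frame")
        (ctr,) = struct.unpack(">Q", body[:CTR_LEN])
        if ctr <= self._last_counter:
            raise ValueError(f"replay: counter {ctr} <= {self._last_counter}")
        self._last_counter = ctr
        return body[CTR_LEN:]


def demo() -> dict:
    """Exercise the happy path and each attack case; returns True for every
    check that behaved as intended."""
    key = os.urandom(32)  # provisioned into the device by its owner (assumption)
    device = TrngDevice(key)
    consumer = TrngConsumer(key)
    results = {}

    def rejected(frame: bytes) -> bool:
        try:
            consumer.accept(frame)
        except ValueError:
            return True
        return False

    frame1 = device.next_lump()
    frame2 = device.next_lump()
    results["fresh_ok"] = len(consumer.accept(frame1)) == 32
    results["second_ok"] = len(consumer.accept(frame2)) == 32
    results["replay_rejected"] = rejected(frame2)     # same frame delivered twice
    results["rollback_rejected"] = rejected(frame1)   # older frame re-delivered after a newer one

    frame3 = bytearray(device.next_lump())
    frame3[CTR_LEN] ^= 0x01                           # flip one bit of the random payload
    results["tamper_rejected"] = rejected(bytes(frame3))

    impostor = TrngDevice(os.urandom(32))             # a device without the provisioned key
    results["spoof_rejected"] = rejected(impostor.next_lump())

    # Frame 3 was lost (rejected); frame 4 is still accepted because the check
    # is "strictly greater", not "exactly next".
    results["gap_tolerated"] = len(consumer.accept(device.next_lump())) == 32
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

With the keypair variant DJ also mentions, the device would sign each frame and the consumer would hold only the public key, so a compromised consumer could not forge frames itself; the counter logic is identical. As written, the strictly-greater rule tolerates dropped frames but does not protect against the whole stream being withheld, so a consumer should also time out if no acceptable frame arrives.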

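The last paragraph's checklist (a stated min-entropy guarantee, a design margin, online testing and an extraction step), as an added example that is not part of DJ's message or of any product he analysed. The "raw sources" are seeded random.Random generators standing in for hardware noise, the estimator is the most-common-value estimate from NIST SP 800-90B, the health test is 800-90B's repetition count test, and the 2x margin and SHAKE256 conditioner are assumed policy choices for the demo.

```python
"""Min-entropy budget, online health test and extraction for a raw noise source.

Constructed example: seeded random.Random stands in for hardware noise;
estimator and health test follow NIST SP 800-90B; margin and conditioner are assumed.
"""
import hashlib
import math
import random
from collections import Counter


def min_entropy_per_sample(samples: bytes) -> float:
    """Most-common-value estimate: H_min = -log2(p_max). The simplest 800-90B
    estimator; it assumes IID samples, so on a real source it is an upper
    bound to be cross-checked against the other estimators, not a proof."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def rct_cutoff(h_min: float, alpha_bits: int = 20) -> int:
    """Repetition count cutoff C = 1 + ceil(alpha_bits / H_min) (800-90B 4.4.1):
    a run of C identical samples has probability <= 2^-alpha_bits if the source
    really delivers H_min bits per sample."""
    if h_min <= 0:
        return 2  # a source claiming no entropy fails on its first repeat
    return 1 + math.ceil(alpha_bits / h_min)


def repetition_count_test(samples: bytes, cutoff: int) -> bool:
    """Online health test: False as soon as any value repeats `cutoff` times in
    a row, which is what a stuck or dead noise source looks like."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def extract(raw: bytes, h_min_claimed: float, out_len: int = 32, margin: float = 2.0) -> bytes:
    """Conditioning step: refuse to emit output unless the raw input carries
    margin * (8 * out_len) bits of claimed min-entropy, then hash it down."""
    budget_bits = len(raw) * h_min_claimed
    need_bits = margin * 8 * out_len
    if budget_bits < need_bits:
        raise ValueError(f"entropy budget {budget_bits:.0f} bits < required {need_bits:.0f}")
    return hashlib.shake_256(raw).digest(out_len)


def _refused(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    rng = random.Random(2014)
    # Constructed 'healthy' source: a 4-bit sampler whose low nibble is uniform,
    # so the true min-entropy is 4 bits per sample and the estimate sits just under it.
    healthy = bytes(rng.randrange(16) for _ in range(4096))
    # Constructed 'stuck' source: a dead oscillator that still fills the buffer.
    stuck = bytes([0x5A]) * 4096

    h_healthy = min_entropy_per_sample(healthy)
    h_stuck = min_entropy_per_sample(stuck)
    cutoff = rct_cutoff(h_healthy)
    return {
        "h_healthy": h_healthy,
        "h_stuck": h_stuck,
        "cutoff": cutoff,
        "healthy_passes_rct": repetition_count_test(healthy, cutoff),
        "stuck_detected": not repetition_count_test(stuck, rct_cutoff(h_stuck)),
        "out_len": len(extract(healthy, h_healthy)),
        # Design margin at work: 100 samples at <= 4 bits each cannot cover 512 bits.
        "short_buffer_refused": _refused(lambda: extract(healthy[:100], h_healthy)),
        "stuck_extraction_refused": _refused(lambda: extract(stuck, h_stuck)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the refusal paths is the one DJ makes: the extractor only produces output when the claimed per-sample min-entropy, times the number of samples, covers the output with margin, and the health test runs on the raw samples before conditioning, where a stuck source is still visible. After hashing, a dead source looks exactly like a good one.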