[Cryptography] A TRNG Review Per Day: TrueRNG

Bill Cox waywardgeek at gmail.com
Tue Nov 11 08:15:17 EST 2014 

TrueRNG is soooo close...  Maybe I can shame the author across the finish
line?

TrueRNG was published on Tindie for $50 as "Open Hardware".  That is
fantastic!  His product is sold here:


https://www.tindie.com/products/ubldit/truerng-hardware-random-number-generator

The problem is once the author started selling a few, he forgot to make the
hardware open.  I see that he continues to claim to be open hardware in his
marketing on Tindie.  IMO, keeping the details of TRNG hardware secret is a
terrible mistake.  Keeping the details of a reverse-biased NPN zener noise
based TRNG secret is even worse.

I suspect the author just wants to make some money for a while.  I
certainly have no problem with that.  He likely feels he can further that
goal by claiming to be open hardware while actually keeping the design a
complete secret.  I have a big problem with that.

Partly in response to this insult to open-hardware, I built an an actual
open-hardware USB TRNG, and made it available on Tindie:

    https://www.tindie.com/products/WaywardGeek/infinite-noise

My schematics, board layout, source code, and even a complete BOM are here:

    https://github.com/waywardgeek/infnoise

Feel free to make them yourself, or even mass produce them and sell them
for whatever price you like.  My preference is for the original inventor of
this entropy source, Peter Allan, to start producing them in volume (or
some improved version).  Hopefully, with my little Infinite Noise TRNG, I
can help suck the greed motivation out of this market, and manufacturers
will begin to be more open.

My advice to anyone interested in a USB key TRNG is to wait for OneRNG.
Don't buy TrueRNG until the author stops pretending to sell open-hardware,
and don't buy mine, either.  I literally bake these boards outside on my
grill to solder the parts onto the boards!  You deserve something built
with machine precision, like the OneRNG devices will be.  You certainly
deserve a device that is verifiable, which seems to be the main point of
OneRNG.

So... on to reviewing the scant details about TrueRNG that have been
revealed so far...

TrueRNG claims to use zener noise as the entropy source, just as other more
reputable TRNGs like OneRNG and Entropy Key.  Like OneRNG, TrueRNG claims
to have added a second entropy source, because these zener noise sources
can be unreliable.  Having two of them adds an important level of
redundancy, reducing my worst fear about the device - that it will start
producing predictable output.

However, to reduce the chance that both zener noise sources fail together,
the NPN transistors being used should come from different manufacturers.
These things all use the reverse Vbe breakdown of a cheap NPN transistor as
the zener noise source, since this zener is not tuned to be low-noise like
real zener diodes.  Used this way, the noise from the NPN transistors tends
to drift over time, and they can eventually fail.  Since the NPN transistor
manufacturer does not test this mode of operation, there is no way to be
sure that they will continue to work reliably, other than to buy a ton of
them and do the QA yourself.  Buying two transistors from the same lot of
parts from the same manufactures would maximize the chance that they fail
together.  Does TrueRNG use identical parts in both sources?  I hope not,
but we have no way to tell until someone does a tear-down of this "open
hardware" device.

Zener noise sources can be reliable.  They don't produce provable levels of
entropy, but we can test them statistically and become confident that they
produce enough entropy to be secure.  We can shake-and-bake them in burn-in
boards to verify that they will last.  However, for a small volume product
like TrueRNG, we can't realistically expect this level of QA.  Using two
different NPN devices from two different manufacturers should reduce the
chance of both failing to about the square root of the chance that one
fails.  That's good enough for me.

Because zener noise based sources use massive amplification to detect the
noise, they are naturally *very* sensitive to outside signals, such as
power supply noise.  If not designed by an expert analog designer (like
Paul, who works on OneRNG), they can easily have flaws that cause their
output to only appear random.  Because of this, having open schematics and
board layout is critical for zener noise based TRNGs.

IMO, TrueRNG remains in limbo, not quite a security failure, not quite a
trustworthy entropy source.  Until the author does what he claimed he would
do a long time ago, and make the design truly open, TrueRNG can not be
trusted.

I have to give TrueRNG a rating of "untrustworthy" until I can see both
schematics and board layout, complete with sources for the NPN transistors
and other parts.  At that point, a real review could be done.

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141111/25bf1eed/attachment.html>

More information about the cryptography mailing list