[Cryptography] A TRNG review per week - XR232USB

Bill Cox waywardgeek at gmail.com
Mon Nov 24 20:53:55 EST 2014


This is one of my favorite TRNGs.  It's open source hardware and software!
Frankly, if you conceal stuff in crypto related projects, it's DOA.  This
project is one of the few that get this right.  You can read about it here:

http://www.jtxp.org/tech/xr232usb_en.htm

It is simple and cheap.  It relies on "comparator noise", which the
designer has trouble mathematically analyzing.  However, to me, it is
clearly similar to oscillator based noise sources, with similarly provable
entropy generation.  It is unfortunately sensitive to RF interference,
which the author tested himself.  That puts him in a whole new class of
geeks who actually test their hardware and admit to its weaknesses.  This
guy wants you to understand the risks, unlike the vast majority of TRNG
designers out there.

On the downside, it does have a microcontroller, which means it could
potentially PWN your system, but it is only programmable through a
programming header.  It probably should have signed software, bloated with
random data to fill the ROM, like the OneRNG, but this is still very good
compared to most.  I have to give this guy kudos for ripping TRNGs like my
own "Infinite Noise" TRNG for having "creepy bit-bang" control.  It is
creepy!  I have a timer I check to ensure the bit-bang is fast enough, but
I'd feel better if this were not required in my TRNG.

The author did not offer direct access to the entropy source, which is a
big problem!  However, I think most likely, he just needs to hear from us
geeks that we want it.  He stirs the entropy in an XOR pool, which makes it
nearly impossible to do proper health monitoring of the noise source.

Internally, there is a health monitor, but it only looks for long sequences
of 0's or 1's.  An attacker can simply inject a seemingly random pattern
rather than constant 0's or 1's, and defeat this health monitor.

In summary, I have to give this TRNG my second highest rating.  I would say
it is "conditionally safe for cryptography", where the condition is that
the user believes he is not being attacked with RF or (far more likely) a
power supply drain attack.  The power supply drain attack is also the one I
worry about with the Intel DRNG.

This is a good TRNG.

Bill
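Added example, not code from the post or from the XR232USB project: the run-length health test Bill describes, next to a repeated-block check that rejects a periodic "seemingly random" stream the run-length test accepts. The function names, thresholds and the constructed bit streams are assumptions made for the example.

```python
import random

def longest_run(bits):
    """Length of the longest run of identical bits in the stream."""
    best = cur = 0
    prev = None
    for b in bits:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def run_length_test(bits, max_run=32):
    """Health test of the kind the post describes: passes unless the stream
    contains a long run of 0s or 1s.  Returns True when the stream looks healthy."""
    return longest_run(bits) <= max_run

def repeated_block_test(bits, block=64, window=256):
    """Stronger check: reject any block that recurs within the last `window`
    blocks.  For a genuine noise source two equal 64-bit blocks among a few
    hundred are astronomically unlikely, so a hit means the output is
    repeating itself, e.g. because a periodic signal is being injected."""
    blocks = [tuple(bits[i:i + block])
              for i in range(0, len(bits) - block + 1, block)]
    recent = []
    for blk in blocks:
        if blk in recent:
            return False
        recent.append(blk)
        if len(recent) > window:
            recent.pop(0)
    return True

def make_random_stream(n, seed=1):
    """Constructed stand-in for a healthy source (seeded PRNG so the example
    is reproducible; not a real entropy source)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def make_periodic_stream(n, seed=2, period=64):
    """Constructed 'seemingly random' stream: one 64-bit pattern with no long
    runs, repeated end to end.  It has essentially zero entropy."""
    pattern = make_random_stream(period, seed)
    return (pattern * (n // period + 1))[:n]

if __name__ == "__main__":
    for name, stream in (("random", make_random_stream(8192)),
                         ("periodic", make_periodic_stream(8192))):
        print(name, run_length_test(stream), repeated_block_test(stream))
```

The periodic stream passes the run-length test but fails the repeated-block test; with an XOR pool in front of the monitor, even this check would only see mixed output and could not tell the two cases apart.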