FreeBSD Developers Will Not Trust Chip-Based Encryption

New submitter srobert writes "An article at Ars Technica explains how, following stories of NSA leaks, FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values. The values will first be seeded through another randomization algorithm known as 'Yarrow.' The changes are effective with the upcoming FreeBSD 10.0 (for which the first of three planned release candidates became available last week)."

Very Smart Move

They have every reason NOT to trust the chips. Trust, but verify is always the correct way.

Re:Very Smart Move

He who writes the code decides nothing.
He who executes the code decides everything.

-- aleph stalin

Re:Very Smart Move

[Billly+Gates]

You know 6 months ago such a comment would be modded -1 and this story would have the foot icon for humor.

My have things changed. Microsoft was not that bad DRM monster we feared 12 years ago. First it turned out to be Apple in which we cheered them 10 years ago here on /.

But both companies fail far in comparison to the US government and this is something I would not have imagined in my wildest nightmares.

Re:Very Smart Move

What? Don't be silly, these chips are all so perfectly safe and perfectly usable for things like encrypting communications for us... *ahem* your customers! You're such a worrywart!

Signed,
um...
Mr. Norman Samuel Ayers

(/me starts a tally of wooshes)

Re:Very Smart Move

But both companies fail far in comparison to the US government and this is something I would not have imagined in my wildest nightmares.

Your imagination seems a bit limited, then. If it can be done, if there is a reason to do it, then it is done. Are there black helicopters flying over your bedroom collecting your thoughts? No. Are people using trying to record information on computer networks, like they did on radio waves for years? Yes. Is the US Government doing it? Sure. Are other governments? Sure. Are other non-governmental entities doing it? Probably on a smaller scale. Does it mean the end of the world? No.

Re:Very Smart Move

[TWiTfan]

If you will it, it is no dream, Dude.

Re:Very Smart Move

What? Don't be silly, these chips are all so perfectly safe and perfectly usable for things like encrypting communications

.oO(wait, that was too subtle, nobody will get my funny joke)

for us... *ahem* your customers!

.oO(wow, i'm really funny and sarcastic. just add a little more so nobody can't possibly miss it)

You're such a worrywart!

Signed, um...

.oO(ba-dumm tsss - i guess i will need to explain my next awesome joke too, by using boldface - otherwise nobody might get the subtle NSA reference)

Mr. Norman Samuel Ayers

.oO(well, i guess my humor is just too sophisticated, people will probaly miss it despite me repeatedly explaining my jokes. so let me just inb4 this)

(/me starts a tally of wooshes)

Re:Very Smart Move

[lgw]

The RNG threat is particularly bad, because it looks like only one person would need to be in the know to sabotage the RNG on silicon, and it would bypass any review process, and it would be very hard to detect by observation of the RNG (assuming it still had, say, 32 bits of entropy).

Re:Very Smart Move

[PopeRatzo]

Are there black helicopters flying over your bedroom collecting your thoughts?

Why would they need black helicopters to fly over your bedroom when they can just get them directly from your email?

Is the US Government doing it?

You know they are.

Are other governments?

Not the free ones.

Re:Very Smart Move

[AHuxley]

AC you seem to have forgotten the "parallel construction" aspect for use in US domestic courts and the massive domestic surveillance network that supports such efforts:)
So thanks to Snowden many more people can understand that the US legal structure has changed.
Encryption will slowly have to be corrected so that non-governmental entities and former government staff cannot just sell gov methods to anyone for cash.
The "radio waves" aspect was always sold to countries and staff as watching the Soviet Union. Now we know it was all for internal, domestic use too.

Re:Very Smart Move

What an insightful analysis...

Re:Very Smart Move

[Em+Adespoton]

Are there black helicopters flying over your bedroom collecting your thoughts?

Why would they need black helicopters to fly over your bedroom when they can just get them directly from your email?

Is the US Government doing it?

You know they are.

Are other governments?

Not the free ones.

True governance comes at a price. Always.

Re:Very Smart Move

[mlts]

Trust but verify is important, but chips are incredibly hard to know if a random source is truly random, as opposed to, say the output of a clock AES encrypted, so that it appears random.

Best thing to do is have the chip be part of the RNG, but not the only part, so another random source will provide enough unpredictability to keep thing secure.

Re:Very Smart Move

With a surname that's a homophone of "stallin'" I'm guessing this individual was a Java programmer

Re:Very Smart Move

[smash]

Ah, but Linus has called such claims nonsense.

FreeBSD for me, thanks.

Re:Very Smart Move

[celle]

"Trust, but verify"

        If you feel you have to verify then you don't trust them. It was bullshit when Reagan said it and it still is.

Re:Very Smart Move

[Sponge+Bath]

It was bullshit when Reagan said it and it still is.

Reagan's mind was imprinted into the NSA's most powerful computer, where it feverishly works to complete World Domination for Bonzo.

Re:Very Smart Move

I take it you didn't even actually read what he said, then.

Linus Torvalds responds:

Where do I start a petition to raise the IQ and kernel knowledge of people?

Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.

Short answer: we actually know what we are doing. You don't.

Long answer: we use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random.

Really short answer: you're ignorant.

TL;DR: Linux was NOT trusting chips and doing a variant of what FreeBSD plans to do now since quite a bit before.

Re:Very Smart Move

No he didn't, you stupid moron.

“We use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you're ignorant.”

It's the same concept that FreeBSD has: use rdrand, but not as a sole trusted source.

Nitwit.

Re: Very Smart Move

Those who say "Trust but verify" don't know what "trust" means. It's fine if you don't want to trust, but please don't say you do if you don't.

Re:Very Smart Move

[cavreader]

The legal structure has not changed in regards to Snowden's case. The charges against him have been on the books for a long time.

Re:Very Smart Move

Because you're smarter than he is. Right.

They use a lot of different entropy sources; I don't know why one would consider using only one. I am sure that, despite the summary, no one had any intention of doing this. If you had actually read the lkml post you would have a lot clearer understanding of the issue; I believe also Ars had a decent writeup of that story.

This is a non-story designed to troll people who [a] didn't take the time to read about entropy pools the last time it became an issue, and [b] who are hyped up on more-or-less-unrelated security issues. That apparently being a large proportion of Slashdotters.

I'm glad you enjoy using FreeBSD. I presume that you download the evangelism with the OS. It's cool, I'm sure it's very nice and Unixy. Just, ah, maybe you could develop some other theme for 30s before developing your ego. That particular label your're touting is free to acquire, and its exclusivity is therefore perhaps not actually a point in its favor.

Re:Very Smart Move

[zdzichu]

Linus is reasonable guy. He's sometimes wrong, but can be convinced with technical arguments. The "don't-trust-RDRAND" change was included in Linux a year and a half ago: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9

Re:Very Smart Move

[TheRaven64]

This work has been ongoing for about a year, since long before the NSA stuff came out. The consensus has been for a while that some hardware random number generators give very good entropy, but some are very poor and it's difficult to tell without querying them a few million times and plotting the distribution which one you have. Add to that, some of them appear to be influenced by the temperature, and as Stephen Murdoch's attack on Tor showed influencing the temperature of someone else's server is not always as difficult as you'd think.

It seems quite unlikely that the hardware RNGs are tampered with, although it would be a very neat hypothetical attack if you could influence a specific RNG in such a way that you could reduce the entropy to, say, 16 bits within a larger space and only you be able to determine what the real space was, but it's very likely that some of them are quite bad. Adding Yarrow[1] makes you a bit safer, because there will be other entropy sources mixed in and so even a relatively poor RNG helps stir the pool.

[1] Or some other whitening algorithm - Yarrow is the default, but there are some newer ones that are better, at the cost of a footprint that is not desirable for embedded devices, and FreeBSD 10 now includes a framework to make it easy to plug in the one you want.

Re:Very Smart Move

[robgar30]

Freebsd, netbsd, openbsd, linux.. nobody solely uses any single source of randomness, to do so is a bad thing. The only thing new here, with freebsd is the pluggable framework around it.

Re:Very Smart Move

[Ash+Vince]

Ah, but Linus has called such claims nonsense.

FreeBSD for me, thanks.

No he did not call the claims nonsense, what he said was that the kernel did not do this anyway so before starting a stupid petition not to do something you should actually check what the kernel does.

It sounds like all FreeBSD are doing is copying the approach that Linux already used in that they are using the random values thrown out by the chip as a source of entropy to combine with several other sources of entropy in generating a true random number. I am surprised that FreeBSD did not do this already to be honest, although other posters her seem to think it was.

Re:Very Smart Move

[DES]

TL;DR: Linux was NOT trusting chips and doing a variant of what FreeBSD plans to do now since quite a bit before.

You mean “a variant of what FreeBSD has been doing since 2003”

Re:Very Smart Move

oh brother. is that what passes for sagely advice?

Re:Very Smart Move

[unixisc]

From the above summary

FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values

In other words, Intel or Via's RNG will still be used, but won't be the ONLY basis on which they are generated. It will be that PLUS Yarrow

Re:Very Smart Move

[unixisc]

The CPU based RNGs - aren't they based on factors other than temperature, such as ambient noise?

Re:Very Smart Move

And then, they made a patch to move rdrand at the beginning of pool seeding, because of the possibility of an attackif it is the last element of the xor chain.

So, yeah, he was as smart as he thought.

Re:Very Smart Move

[arglebargle_xiv]

It's not so much "very smart move" as "why weren't they doing this in the first place"? I've worked on various crypto projects and I don't think any of them ever relied on a single source of entropy, unfiltered. For those systems using RDRAND the way it's supposed to be used (to feed a hash or crypt-based generator, alongside other sources), this "news" story should really read "FreeBSD developers finally do what everyone else has been doing for years".

Re:Very Smart Move

[bill_mcgonigle]

Tell us - what happens when you mix a stream of zeros into your entropy pool?

Re:Very Smart Move

[bill_mcgonigle]

it looks like only one person would need to be in the know to sabotage the RNG on silicon

Technically, you can't even access the hardware RDRNG, you have to access it through a black box hash function unit that is specified as "trust us". If something were to be sabotaged, that would be the place to do it. If I were designing a susceptible RNG, I'd allow it to change its behavior based on an obscure set of inputs, so most of the time it worked correctly.

Re:Very Smart Move

[TheRaven64]

It depends on the implementation. As I recall, the Intel ones are basically just a pair of flipflops in an unstable configuration for each bit. They're intended to be something that toggles between 0 and 1 at some frequency that you can't easily determine (and which isn't the same for each bit). However, as they're digital circuits, they do respond to heat. Hopefully, they don't respond in a way that makes the readings more predictable, but it would take a lot of analysis to be sure of that.

Re:Very Smart Move

[unixisc]

Yeah, I describe how it could be done in the thread below 'Is there any way to gain trust in a chip?' Also, if a chip has multiple asynchronous clocks & PLLs, that's another way of introducing randomness in the results.

Re:Very Smart Move

[Em+Adespoton]

oh brother. is that what passes for sagely advice?

I wrote it, and I have the same reaction to the moderation 8|

Re:Very Smart Move

[SharpFang]

Collect, snoop in, use own resources to decrypt - sure.
Damage security of products manufactured by independent, private 3rd party companies, force them to release broken security products and market them as secure - now that's really assinine.

Re:Very Smart Move

[jaseuk]

How many?

Wise

It's always wise to get entropy from as many places as you can; in light of the NSA revelations, it's time relying on just one becomes something people don't even consider anymore.

Is OpenBSD, the 'security first' BSD, ahead of, or behind the curve with this?

Re:Wise

[Minwee]

Every time an OpenBSD system needs a random number, instead of trusting any hardware device, it phones home and asks Theo to provide one.

Re:Wise

I would assume ahead or on par. The benefit of the BSD license and the BSD projects being similar is that the various projects are always looking at the others' code trees for ideas and software to use. They all do it and it's encouraged.

Re:Wise

[aliquis]

I googled it:

http://www.openbsd.org/crypto.html#hardware
https://lobste.rs/s/gbe1zl/we_cannot_trust_intel_and_via_s_chip-based_crypto_freebsd_developers_say

I don't know whatever that actually mean, how it is or how reliable anything else is. Maybe someone with some actual knowledge can provide the answers :) (My thought was that one could likely use different randomizers.)

Re:Wise

[maxwell+demon]

I think it phones to this place. However some developers don't trust that random number generator and instead opt for this implementation.

Re:Wise

[thesupraman]

You mean just like Linux has for quite some time?

After all, these hardware random sources feed the entropy pool, however are certainly not its only source.
Hell, applications can even contribute to the pool as they wish, and that is not considered an issue no matter how non-random their contribution is.

FreeBSD and its reliance on the Yarrow approach is much more 'sensitive' to its PRNG source(s), so its about time they caught up..

http://en.wikipedia.org/wiki//dev/random

Then again, random numbers tend to be treated almost as a religious argument rather than a technical one.

Re:Wise

Another one: http://xkcd.com/619/

Re:Wise

[Thud457]

random numbers tend to be treated almost as a religious argument rather than a technical one.

Hail Eris!

Re:Wise

[Carnildo]

According to the OpenBSD link, OpenBSD uses the Intel and Via random-number generators, but not as the sole source of randomness. The nice thing about mixing random number generators is that if you do it right (like OpenBSD does), the result is at least as random as the most random source: a bad RNG does not reduce the overall quality of randomness.

Re:Wise

Really paranoid developers don't trust that one either. We use good-old fashioned dead trees for our random numbers!

Re:Wise

Depends on how bad that RNG really is (how can an RNG done right be bad?). Try this one on for size: f(x): x XOR x.

Re:Wise

Then again, random numbers tend to be treated almost as a religious argument rather than a technical one.

Because random numbers are only random to those who believe. Nothing is random in the deterministic universe. We haven't backdoored the RNG we call "existence", but just like the hardware RNG, it's not actually random! More accurately, a hardware RNG cannot be random in a deterministic universe.

Re:Wise

[epyT-R]

Except that this feature has nothing to do with the kernel.

Re:Wise

It's assumed in proofs that two different RNGs are _independent_. If they're independent, and you use the correct constructs, then you're guaranteed to be no worse off than the best RNGs.

Re:Wise

Fortunately, we don't live in a deterministic universe!

Also, you're just wrong. Even _if_ we lived in a deterministic universe, you can still have unpredictable random numbers. This is sometimes called "mechanical randomness", because it doesn't fundamentally rely on quantum indeterminism. You can construct an unpredictable RNG in a deterministic universe if the processing power needed to compute the next sequence is greater than your adversary has available.

Because the _mechanical_ cause+effect of even the most simplest of processes around us can result in chain reactions that very quickly result in an unfathomably large number of free variables, it's actually trivial to build RNG's that no computer in the universe could crack. Think of it this way: if the universe is one big computer, and in order to predict the next event you need to simulate that universe from the very first instant, and to simulate it you need a bigger computer, where are you going to find that computer? Nowhere.

Many hardware RNGs can be described as either quantum RNGs or mechanical RNGs. For example, thermal noise based RNGs can be described either way, and so they can be proven secure whether quantum mechanics is real or not. You can prove they're secure by proving that no human being could possibly build a computer capable of computing the next sequence. To do that you just need to establish the limitations in how far back they can record the inputs (a few missed atomic collisions anywhere in the prior chain of events could be enough to fatally screw up the simulation), and the limitations of their processing ability.

Re:Wise

Until you store your keys unprotected, as SSH does by default. That flaw has been in every open source or free version of SSH software since the original SSH version 1, and the maintainers over at OpenBSD say "if someone gets at your computer, you have much bigger problems", and refuse to top this default practice.

Re:Wise

Which is why you use two RNGs that use different physical sources of entropy. We know that the CPU uses a thermal source so we want a second source that can't be affected by CPU temperature. If we're lazy then we can have another thermal source away from the CPU but better is to use something totally different. Keyboard+mouse input is tolerable on a desktop, something better is required for a server. A cheap HW RNG such as a USB webcam in a can is a well isolated thermal source and you can make a radioactive decay RNG with a USB Geiger counter and a smoke alarm.

Re:Wise

[dremspider]

Oh ye wise and knowledgeable anonymous coward. Pray tell how would like them to store the key to verify the server on another system? If they break into your system as root who the heck cares that they can now masquerade as your system? They already have access to YOUR system so what more damage can they do by man in the middling you as well? Tell us what you would do to fix it and what benefit it would provide.

Re:Wise

[Bengie]

I love entering passwords on 10,000 servers when they need to reboot. Lets see.. I know, lets hardcode the password into a script and encrypt the key.. There! Secure!

Re:Wise

[Bengie]

In our Universe, the act of measuring changes the result in a random way. Good luck. While it is possible that our Universe doesn't have true randomness, to anything inside the Universe, there is no way of knowing.

Re:Wise

Calvinist?

what's that going to accomplish?

if the idea is not to trust the hardware implementation then why use it alongside "Yarrow" in the first place? This just seems like the glorious Foundation using recent news about the NASA as a self-promotion tactic and even to a layman it's a poor one. "Trust FreeBSD, we still use rdrand et. al., but we filter it through some vague algorithm called Yarrow that makes it safe!"

You'll forgive me for not being entirely convinced, particularly when even the latest release of 10 still refuses to boot and install properly on my UEFI-based system.

Re:what's that going to accomplish?

if the idea is not to trust the hardware implementation then why use it alongside "Yarrow" in the first place? This just seems like the glorious Foundation using recent news about the NASA as a self-promotion tactic and even to a layman it's a poor one. "Trust FreeBSD, we still use rdrand et. al., but we filter it through some vague algorithm called Yarrow that makes it safe!"

You'll forgive me for not being entirely convinced, particularly when even the latest release of 10 still refuses to boot and install properly on my UEFI-based system.

Yeah, I was wondering the same thing -- if you don't trust it, don't use it, since it just gives you a false sense of security - if Yarrow is cryptographically secure, why combine it with the hardware RNG? "Well, the on-chip RNG might be compromised, but at least I'm combining it with Yarrow..... Yarrow might not be secure, but at least I'm combining it with the on-chip RNG."

That seems a little like saying "I think the burglar knows the combination on my padlock, so I'm going to add this other keyed lock just in case. I think the burglar has a key to my keyed lock, but at least I have the combination lock too". Having 2 locks might make it a little harder for a thief to break in, but if you are certain that one of the locks is secure, why do you need the second one? And if you're not sure that either one is secure, are you really gaining anything by using two - maybe you should spend some time finding a lock that you *do* trust.

Re: what's that going to accomplish?

https://www.schneier.com/yarrow-qa.html

your ignorance is unjustifiable

Re:what's that going to accomplish?

[houstonbofh]

Because true random in software is computationally expensive. Adding a layer of obfuscation on top of the untrusted hardware gives you a better random cheaply, and avoids potential back-doors in the hardware generator.

Re:what's that going to accomplish?

[Billly+Gates]

Not to mention insecure too.

There are only so many milliseconds on the clock to use on the seed. Even if you use the mic statistically silence or a clicking sound will be heard for 90% of the users so that makes that seed bad too. Network? At home there is little traffic and even at work there are the same patterns from Cisco and HP for 80% of the packets.

SGI had some interesting encryption methods that dealt with quantam mechanics on their servers and workstations. Man I miss them.

Re:what's that going to accomplish?

It's called redundancy. Let's say I hack Yarrow or the NSA builds in a back door to Intels hardware? It's not a false sense of security, it's redundancy.

Re:what's that going to accomplish?

Hi,

Maybe you should try filing a PR or actually engaging the developers? They're hunting down the handful of models that won't boot. If you cooperate they'll gladly fix it for you.

Stop being a bad open source whiner and spend 15 minutes contributing for once.

Re:what's that going to accomplish?

[aardvarkjoe]

And if you're not sure that either one is secure, are you really gaining anything by using two - maybe you should spend some time finding a lock that you *do* trust.

There is no PRNG, Yarrow included, that we can say with 100% certainty that is not (or will not be) broken. The point of using multiple PRNGs is so that even if one or more of the components is compromised, it doesn't compromise the entire system. To use your metaphor: if your options are a padlock and a keyed lock, and there's a 25% chance each that a burglar could bypass them -- wouldn't you use both locks to reduce the probability of being robbed to 1/16 instead of 1/4?

Re:what's that going to accomplish?

Ground noise feedback in the PSU coming from the power company, transmission lines, and any random squirrels warming their nuts in a transformer somewhere (usually to their detriment).

That should be random enough. Not 60 Hz, but the variations on it. (Substitute "50 Hz" for Europe.)

Unfortunately, a good PSU smooths out garbage power and also has no way of providing it as a data point for the CPU. Also, UPS systems get in the way.

Re:what's that going to accomplish?

[dAzED1]

you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.

Re: what's that going to accomplish?

Well... no.

Taking the output of a "compromised" RNG and using that as a seed of a PRNG offers exactly 0 security.

If the chip RNG is in fact compromised as the authors state, then the compromiser can simply get the "random" number that the chip would have provided, and then run that through Yarrow themselves, resulting in the actual number just as easily had they not run it through Yarrow in the first place.

This is Security 101 stuff here. If you start with a compromised algorithm, running it through any number of other algorithms is only going to increase the amount of time to break the system by a constant factor and does absolutely nothing to provide any true security. "Security though obfuscation" and all that.

Re:what's that going to accomplish?

[X0563511]

Yarrow is hardly vague.

Re:what's that going to accomplish?

[Billly+Gates]

you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.

You know I had a problem with BSOD occuring frequently in a large call center.

Turns out hte problem was the big UPS for the whole floor spiked things and the power strips always tried to smooth things. Over a period of time the soldier would crack and burst due to the UPS doing hard rectangular patterns rather than waves when it alternated back and forth.

Real power from the wall was cleaner than the UPS for the power strips.

Re: what's that going to accomplish?

... And that's why they're also adding other entropy sources instead of relying on just possibly compromised RNG.

That's basically the Pascal's wager - if on-chip RNG's working, they win and get better random stream, if it's broken - they lose nothing (as long as they don't count it towards available entropy estimate).

Re: what's that going to accomplish?

A good PRNG should take a string of 0s in the state and produce a (pseudo)random distribution. This is the main yardstick, and also why many ciphers (stream ciphers especially) are used as the core of PRNGs.

Re:what's that going to accomplish?

True random doesn't exist in software-only form, because virtually any software you or I touch is going to be executed deterministically wrt the underlying machine. That's why a real RNG uses something like a radiation source and software stuff is referred to as a PRNG.

Re:what's that going to accomplish?

[Em+Adespoton]

And if you're not sure that either one is secure, are you really gaining anything by using two - maybe you should spend some time finding a lock that you *do* trust.

There is no PRNG, Yarrow included, that we can say with 100% certainty that is not (or will not be) broken. The point of using multiple PRNGs is so that even if one or more of the components is compromised, it doesn't compromise the entire system. To use your metaphor: if your options are a padlock and a keyed lock, and there's a 25% chance each that a burglar could bypass them -- wouldn't you use both locks to reduce the probability of being robbed to 1/16 instead of 1/4?

That's not quite it, as we're not dealing with locks here, but patterns. And as you know, humans are pretty good at spotting patterns in the randomness.

The end result is that if you choose the wrong combination of PRNGs, you can end up with a result that has a decidedly non-random pattern embedded in it that can be exploited to do predictive analysis of the crypto. Layering more PRNGs on can actually help to isolate the pseudoness instead of the randomness. At some point, you need to use some algorithm to randomly select from the PRNGs, and do so in a way that eliminates the pseudo-generative effects of those sources while failing to introduce its own. The best way to do this is to use something very contextual, where it is highly unlikely an attacker would have access to all the variables.

Re: what's that going to accomplish?

[mlts]

What is needed is are seed inputs. When a key is hit, get a super-accurate clock sample of it, hash it with MD5 [1], and toss it in the pool. Mouse movements, similar. If the computer is idle, this won't help much, but while it is in use, it should help provide enough unpredictable data to be up to par for security purposes. I'm sure there are other inputs that can be hashed over time and the hashed bits tossed in. Of course, the RNG from the chip can be easily tossed in as well. The good thing is that the most random factor "wins" in this case.

[1]: MD5 has its issues, but it is being used in this case as a bit blender, so hash collisions can happen, and not really matter. It would be wise to move to a newer algorithm like SHA-1024 or SHA-3, for more bits though.

Re:what's that going to accomplish?

[mlts]

I've wondered about using a very high speed flip-flops, or on a simpler thing, a SR latch with both inputs on, and sampling the output. I remember some cryptographically secure RNGs doing this in lieu of a radium-painted chip.

Re:what's that going to accomplish?

[Em+Adespoton]

you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.

Why? Is there something I need to know about electromagnetics and primary transformer coils being unable to handle variance in the amperage and voltage?

The DC provided by the PSU is by definition conditioned to some degree -- the transformer does this by using induced current to step down the voltage, then passes it through the rectifier (diode-cathode ring) which should smooth things out even further.

Unless you're saying that if there's enough garbage (read: degree of variance in amperage and voltage, vs frequency of change) to get through the transformer, you're going to kill your PSU, which is true.

Re:what's that going to accomplish?

[swillden]

Because true random in software is computationally expensive.

True, if by "computationally expensive" you mean "we have to run this until the hardware breaks and starts executing our software non-deterministically".

Otherwise, true randomness in software is simply infeasible, because chip engineers deliberately design the hardware to eliminate non-determinism.

Re: what's that going to accomplish?

Parent's link has "Recently, we published the first extensive cryptanalysis of PRNGs at Fast Software Encryption 1998."

Re:what's that going to accomplish?

What's a diode-cathode ring? I've not heard this term with regard to power supply rectifiers.

Re: what's that going to accomplish?

Your existence is unjustifiable.

Save for that your whore mother couldn't keep her mudflaps shut.

Re:what's that going to accomplish?

[LoRdTAW]

Most of the power supplies are switching which means the AC is filtered and converted to DC before it hits any transformers. A switching IC then turns the resulting high voltage DC into a PWM or square wave using a transistor and that goes through a high frequency transformer which is much much smaller and cheaper than a laminated steel core 60Hz transformer. Switching frequencies can be in the tens to hundreds of kilohertz. Smaller DC-DC switchers are in the megahertz range and are really small.

So in summary, line noise wouldn't make much of a difference with today's efficient switching power supplies. Unless it was high voltage spikes that the switcher couldn't cope with but then you have bigger problems.

Re:what's that going to accomplish?

[houstonbofh]

Because true random in software is computationally expensive.

True, if by "computationally expensive" you mean "we have to run this until the hardware breaks and starts executing our software non-deterministically".

Otherwise, true randomness in software is simply infeasible, because chip engineers deliberately design the hardware to eliminate non-determinism.

Yep. Just keep calculating until you find the dodgy bit of ram. :) (Not supported with ECC memory)

Re:what's that going to accomplish?

[LoRdTAW]

I am not a cryptologist or crypto expert but what about the seed methods using a video camera looking at a lava lamp? I have also heard of pointing it out a busy window as the randomness of traffic, people, animals, tree movement etc. is quite random. Is it too slow or not random enough? What about a camera looking at a busy highway? I did a bit of googling and only found that the lavarand site is long gone but it was started by SGI back in the 90's. Another article described a cmos camera with the lens cap on and the sensor gain cranked up so the noise picked up by the sensor was used as a seed.

I realize these methods aren't always practical or available but from a technical point, are they viable?

Re:what's that going to accomplish?

[CoderJoe]

This article talks about Intel's design, which is based on two inverters in a ring. Both inverters are forced to the same state and then left to settle into one state or the other based on thermal noise. There's a bit more to it, but that is the basis.

Re: what's that going to accomplish?

[TheRaven64]

It is quite unlikely that the hardware RNG is compromised. It is, however, quite likely (and there have been experiments to show this for some RNG implementations) that it doesn't give as much entropy as advertised.

The big problem is that it's very hard to get good entropy early on in the boot process (when things like TCP sequence numbers and sometimes when SSH server keys are initially generated). You can use a hash of the kernel, but that's shared between other machines with the same kernel. You can use the time, but that's likely known to the attacker (and in some embedded systems will always be the same on every boot, until it queries an external source and corrects it). You can use interrupt times, but the ones from the disk / flash are likely to be similar, if not the same, across boots of the same kernel and the early network ones are susceptible to attack by people on the local network.

The hardware RNG definitely gives you some entropy, and so using it to stir the pool for Yarrow helps a lot here. Later on, there is a lot more entropy. As you start to get disk access patterns based on system use and network connections from a variety of sources, interrupt times give quite a lot of entropy. It still helps to mix in the hardware RNG, however.

As I said in another post, it's quite unlikely that the hardware is intentionally compromised (although it's a nice attack, so I wouldn't guarantee that future versions won't be), but it's very likely that it provides less entropy than advertised. This makes it fine for input into a PRNG like Yarrow of Fortuna (I think Fortuna made it into FreeBSD 10, if not it should be in 10.1), but not adequate for general use. The point of a PRNG algorithm like Yarrow is to generate an unpredictable sequence of numbers from some source entropy seed, which can change over time. As long as you have enough entropy, you will get a cryptographically secure sequence of pseudo-random numbers. All this work is doing is saying 'we trust the hardware to give us some entropy, but we don't trust it to give us all of the entropy that we need'.

Re:what's that going to accomplish?

For old designs with no or passive PFC, mostly right.
For PSUs with active PFC, line noise can confuse the fuck out of the PFC controller and cause anything from nothing to blowing up half the PSU.
Most well known case is the PFC stage in certain PSUs committing suicide when run off modified square wave.

Makes sense ...

[MacTO]

One of the features of open source software is that the code, thus the algorithms, can be examined by a third party. In the case of chips, this is very difficult to do. Most people are stuck trusting that the designer implemented the algorithm they said they did, and that they implemented it properly (the former implying no malice and the latter implying competence). That is particularly true for something like random number generators, which are intended to be non-deterministic as far as the software is concerned so any testing the implementation can only be done statistically. Very few people have the ability to examine the physical design of the chip to check the actual implementation.

Re:Makes sense ...

Once you are talking about encryption or the algorithms around encryption the people that actually have any hope in hell of making an intelligent review of the code are as rare as hens teeth. closed or open their is very little difference in the level of reviews that happen in this area. Having said that you should never rely on one source of truth for randomisation anyway.

Re:Makes sense ...

If it really matters (and by really matters, I mean, existing legal protections are insufficient to satisfy your risk tolerance), you really ought to engage an expert cryptographer, physicist, electrical engineer, and software developer. It won't be cheap, but for most people, it doesn't really matter. Either that or you can spend a decade or two trying to catch up yourself.

Re:Makes sense ...

"there". you should have used "there"

Re:Makes sense ...

The issues with cryptography mean that it quite often takes far more than just a cryptographer, physicist, electrical engineer and software developer. It takes one of the incredibly rare individuals that has the skills across ALL of those areas as each of them individually can't adequately review such a system, even if you hire one of each of them it will be inadequate.

Is there any way to gain trust in a chip?

[Jeremi]

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

Seeing as such a piece of hardware need not (and hopefully would not) have any inputs, only an output, it's hard to imagine how someone might hide (and later trigger) a back-door mechanism that could change its behavior post-testing. (But I'm sure there is some way to do it that I'm not thinking of ;))

Re:Is there any way to gain trust in a chip?

[Billly+Gates]

What kind of world do we live in when we can't even trust our own damn hardware! Seriously ...

Re:Is there any way to gain trust in a chip?

You would have to sample a large size of CPU's on a regular basis using an expensive and probably impossible process.

Re:Is there any way to gain trust in a chip?

[K.+S.+Kyosuke]

There are. But an even better option is probably to roll out your own.

Re:Is there any way to gain trust in a chip?

Black box? No. Even if testing proved it was absolutely random for the first N numbers, there is no way to be certain that N+1 is not the first of a string of non-random numbers.

But it's not necessary to make it a black box. Physical systems take well known phenomena and use them to to generate random numbers. http://en.wikipedia.org/wiki/Random_number_generation#Physical_methods Done this way, you can make a "transparent box" that performs great and is trustworthy.

Re:Is there any way to gain trust in a chip?

[OzPeter]

Just out of curiosity: Given a "black box" implementation of any device, is it possible to test its output sufficiently to gain some faith in its proper operation?

Why do you stop at randomness? You are trusting a lot more hardware than just that when you use a computer.

Re:Is there any way to gain trust in a chip?

You are so wrong. They don't have to have a back door to alter the results. If there is a way to determine the next number that random number generator based on previous results, then the numbers are no longer random to that observer. It is like you came from the future and you know the results of every lottery.

Re:Is there any way to gain trust in a chip?

Ok, I'll take a shot, here's two of them for you:

1: Chip outputs the digits of pi starting at some crazy number of decimal places out that only the NSA has had enough hours on the supercomputer to find. Your chip now puts out data that you cannot distinguish from random, but that the NSA can perfectly predict. They go to their giant database of all of your internet traffic ever, and can now read whatever they would like, as all of your keys are now utterly, hopelessly broken.

2: Chip internally stores the last n random numbers that it has output. Later, the NSA can confiscate your computer, subject the chip to some undocumented state that causes it to barf up its secrets, and again all your keys are now utterly, hopelessly broken.

Re:Is there any way to gain trust in a chip?

[jasax]

You could initialize the hardware RNG and a software (open code, verified by whoever is interested) implementation of the same algorithm with the same seed and compare if the first millions or billions of generated numbers were the same. Reseed and redo this a certain number of times and you statistically can reduce the probability of evil-non-randomness to (near) zero.

Of course, the existence of a programmed or delayed-opening backdoor of any sort in the chip would break this procedure...

Re:Is there any way to gain trust in a chip?

[SuperKendall]

The output can be completely random, but it doesn't matter if someone else has a mechanism to reproduce exactly the same random stream. Or the ability to toggle on the semi-random mode...

Re:Is there any way to gain trust in a chip?

Every electrical device has an input: Power. Without inspecting the silicon, there's no way to tell if a device is backdoored or not.

Re:Is there any way to gain trust in a chip?

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

Yes. But it takes a very long time to test it on the level that you need these days.

Re:Is there any way to gain trust in a chip?

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

You measure its the mean and the auto-correlation of produced numbers. A perfectly random system will have a mean half way between the min and max number and the auto-correlation should be a delta function (i.e.. completely uncorrelated).

Re:Is there any way to gain trust in a chip?

I'm not sure why anyone's trusted "hardware" since at least the time System Management Mode was introduced with the 386.

The 386 also happens to be Intel's first processor not designed entirely by hand. This is not a coincidence. WAKE UP SHEEPLE!

Re:Is there any way to gain trust in a chip?

[tippe]

Really? I just did this:

$ cat /dev/random | xxd | head -n 10
0000000: 414c 4c59 4f55 5242 4153 4541 5245 4245 ALLYOURBASEAREBE
0000010: 4c4f 4e47 544f 5553 5448 414e 4b53 4652 LONGTOUSTHANKSFR
0000020: 4f4d 5448 454e 5341 414c 4c59 4f55 5242 OMTHENSAALLYOURB
0000030: 4153 4541 5245 4245 4c4f 4e47 544f 5553 ASEAREBELONGTOUS
0000040: 5448 414e 4b53 4652 4f4d 5448 454e 5341 THANKSFROMTHENSA
0000050: 414c 4c59 4f55 5242 4153 4541 5245 4245 ALLYOURBASEAREBE
0000060: 4c4f 4e47 544f 5553 5448 414e 4b53 4652 LONGTOUSTHANKSFR
0000070: 4f4d 5448 454e 5341 414c 4c59 4f55 5242 OMTHENSAALLYOURB
0000080: 4153 4541 5245 4245 4c4f 4e47 544f 5553 ASEAREBELONGTOUS
0000090: 5448 414e 4b53 4652 4f4d 5448 454e 5341 THANKSFROMTHENSA

Maybe there's a pattern there; I'm not sure. I guess that's the problem with randomness: you can never be sure.

Re:Is there any way to gain trust in a chip?

[bug1]

You can also test to see how compressible it is, compression algorthithms recognising and removing patterns, so "good random" data should not be very compressible.

Re:Is there any way to gain trust in a chip?

[LordLimecat]

AFAIK the term "random" refers to "non-deterministic"; that is, if you know you have a box here which you know will provide the same output as the box over there, neither one is "random".

Re:Is there any way to gain trust in a chip?

[K.+S.+Kyosuke]

Except that it's not your own damn hardware. It's mostly Intel's hardware. Most people don't make their own chips nowadays. ;-)

Re:Is there any way to gain trust in a chip?

[SuperKendall]

Yes, but the point is you can still have something that is random until it is not.

Re:Is there any way to gain trust in a chip?

Intel processors are shit. x86 is a turd.

Re:Is there any way to gain trust in a chip?

[PRMan]

Even bad random data is not very compressible.

Re:Is there any way to gain trust in a chip?

[X0563511]

If you can feed in a seed and get the same output reliably, it's not a RNG, but a PRNG.

Re:Is there any way to gain trust in a chip?

[AHuxley]

Re 'output sufficiently to gain some faith in its proper randomness".
Back when cypher machines where unique physical devices sold to gov for embassy use the US and UK had two options:
Set their own device standard with Tempest to leak the plain text. Such a unit would pass all "proper" crypto testing as it was a real crypto unit. The plain text was leaking out as entered or printed and could be collected.
The great aspect was "trust" form the end user and the message was "safe" for sending.
The other option was to get to staff or set up a front company to sell junk weakened encryption at a low price or via a trusted brand in a 'neutral' country.
The low price would make any real commercial crypto efforts fail and set international standards to what junk brands where 'trusted' 'safe' and been used.
When countries started the read leaked fragments of their encypted communications in the press - that was the time never to trust 'hardware'.
After Snowden users can think back - you can have all the crypto post-testing you want as the US branded OS or tame telco or junk hardware/software is set for collecting all your keystrokes...
The same tricks seem like crypto magic to every generation of academics. The problem is anyone could have followed the methods via the press in the ~1960-70-80-90's.

Re:Is there any way to gain trust in a chip?

[VortexCortex]

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

Yes and No. One can statistically analyze output of the (pseudo) RNG and compare it to pure randomness, like atmospheric noise. However, you can't be sure there is no message in the stream. For example: Strong crypto produces enciphered data that looks exactly like pure randomness. It's one way we test for cryptographic strength. Indeed, BSD will now pipe RNG output through Yarrow (a pRNG based on hash functions) to produce randomness. Considering that knowing the initial state of a PRNG reveals its full exact stream of bits, and that hashes produce the same output for a given input: I'm not satisfied with this result either, unless the input is sufficiently salted with device IO timing and other such quasi-random states as in Linux's /dev/random entropy pool.

Seeing as such a piece of hardware need not (and hopefully would not) have any inputs, only an output, it's hard to imagine how someone might hide (and later trigger) a back-door mechanism that could change its behavior post-testing. (But I'm sure there is some way to do it that I'm not thinking of ;))

Strong crypto needs strong randomness for initialization vectors.

While it's true the Ken Thompson Microcode Hack could exist in silicon (Chips could have full featured back-doors in them) it would be far less obvious and simpler to attack a single point of failure: The (hardware | pseudo) random number generator.

It's possible to build a (pseudo) Random Number Generator that is biased in a way that's not noticeably different from pure atmospheric noise in practice, and even passes all the NIST / Diehard tests for randomness. I built one such high entropy pseudo random number generator using a pool of 517 integers and a mixing system. I had arranged the mixing system such that based on a small sample of randomness (50 or so integers, ~1500 bits) one could deduce a weak signal inherent in the pool which then slowly revealed the entire random number generator state in a cascade effect via an Error correction coding present in the bit-stream.

Looking at the source code for my PRNG one wouldn't realize the thing had a back door in it via the selection of primes, constants, and the XOR, shift, AND, etc. mixing strategy itself. The implementation of error correction code akin to Reed Solomon Codes was hiding in plain sight. I sort of turned the weak signal bits on ear and presented them in the stream in "parallel" instead of "serial". The NIST tests chi-square, etc. against my PRNG proved indistinguishable from true random sources such as atmospheric noise, even with gigabytes of data to analyze thanks to the prime number sequence's weak enciphering of the bias pattern.

To make matters worse, I built the system around constants taken from a run of digits in Pi. When apparently any random values will do as inputs for an equation, a known source of digits like this is meant to put cryptographer's minds at ease in that the values aren't just 'magic numbers', pulled from thin air -- Constant numbers selected with possible nefarious purposes. For examples of such 'un-magic selections', see the initial constant states of nearly any hash function, such as MD5, SHA-1, or SHA-2, etc...

......!

According to RFC1925 - Rule 6(a), it's always possible to add another layer of indirection. So, I put my "careful number selection" to create the backdoor one level higher than the values themselves. I went looking for sources of workable constant values in the supposed accepted places. Of course anyone can supply their own pool sizes and init values to defeat my random attack, but in practice folks will use the default values

Re:Is there any way to gain trust in a chip?

[gnasher719]

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

Short answer: No.

Long answer: There is "statistical randomness" and "cryptographical randomness". "Statistical randomness" tells you whether a random number generator can be used reasonably to simulate random physical phenomena. "Cryptographical randomness" means that it is impossible to predict the next random number if you know the mechanism that produces the random numbers, and the previous sequence of random numbers. Statistical randomness can be tested. For example, if you calculate three random numbers a, b and c, there are six possible ways how they could be ordered, and each possible ordering should be equally likely. Cryptographical randomness cannot be tested.

Re:Is there any way to gain trust in a chip?

All of this can be conveniently calculated by this tool, and neither of this will help you to distinguish actual randomness from a result of cryptographic algorithm working on extremely predictable input.

For example, here's what it says about 32M of random bytes:
Entropy = 7.999994 bits per byte.

Optimum compression would reduce the size
of this 33554432 byte file by 0 percent.

Chi square distribution for 33554432 samples is 257.80, and randomly
would exceed this value 43.91 percent of the times.

Arithmetic mean value of data bytes is 127.4968 (127.5 = random).
Monte Carlo value for Pi is 3.140698143 (error 0.03 percent).
Serial correlation coefficient is 0.000015 (totally uncorrelated = 0.0).

And here's what it says about 32 megabytes generated by SHA-256 hashing of 'Intel Intel Intel Intel Intel' concatenated with a 24 bit counter:
Entropy = 7.999994 bits per byte.

Optimum compression would reduce the size
of this 33554432 byte file by 0 percent.

Chi square distribution for 33554432 samples is 269.79, and randomly
would exceed this value 25.08 percent of the times.

Arithmetic mean value of data bytes is 127.4839 (127.5 = random).
Monte Carlo value for Pi is 3.141798922 (error 0.01 percent).
Serial correlation coefficient is 0.000266 (totally uncorrelated = 0.0).

See how different the results look?.. Oh, wait, they don't :(

For comparison, here's results for 32MB of simply ('Intel Intel Intel Intel Intel' concatenated with a 24 bit counter):
Entropy = 3.465109 bits per byte.

Optimum compression would reduce the size
of this 33554432 byte file by 56 percent.

Chi square distribution for 33554432 samples is 1153826816.00, and randomly
would exceed this value less than 0.01 percent of the times.

Arithmetic mean value of data bytes is 91.5781 (127.5 = random).
Monte Carlo value for Pi is 3.948254105 (error 25.68 percent).
Serial correlation coefficient is 0.079051 (totally uncorrelated = 0.0).

Re:Is there any way to gain trust in a chip?

[cOldhandle]

Even though it only has an output and no inputs, one trivial way of providing input would be to request random numbers in an irregular, timed pattern to trigger a state change in the obscured chip.

Re:Is there any way to gain trust in a chip?

[melikamp]

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

gnasher719 gave a nice answer, and I just want to add more. For statistical purposes, a true and fair RNG printing a string of zeroes and ones would at the very least print a normal number, and to test for that, one would have to count the frequencies of substrings of every length, in every base, which of course can be done, but may get expensive if one wants a lot of confidence.

What gnasher719 calls cryptographical randomness cannot be tested in practice, but in theory, one can run the countable set of all computer programs in parallel, and see whether they can predict the digits of the RNG sequence with probability better than 1/2. Of course, this is completely intractable in the foreseeable future, with or without functional quantum computers.

Re:Is there any way to gain trust in a chip?

[ras]

Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?

The answer is an outright no.

The thing that crypto depends on isn't that a stream of random numbers appears to be random. It is that the next number is utterly unpredictable. No one, not even the person who generated it, will know what it will be. This means if it is used as a key to protected some data, no one can predict what that key will be.

One of ways every cryptographic cipher or hash is checked is to verify its output is indistinguishable from random data. If it isn't there is a weakness in the cipher or hash. So the output from any good cipher or hash will always appear to be completely random according to any test we can devise. But - the output is also completely predictable.

So all NSA need to do in their black box is start with a predictable key or salt (the time would be fine), push it through a cipher or hash and output something which by appears completely random. If the random number is used to as 128 bits AES key it will appear file to any test the user can generate. But say they use a 1us tick to generate the time, and the NSA knows to say within 10 minutes when the key was generated, then they will only have to brute force against 1 billion keys (in other words that 128 bit key only has 30 bits of entropy). This is trivial to do.

QED, the answer is emphatically no - there is no way to test if a black box is generating truly random numbers. Every black box must be treated as untrustworthy - which is exactly what BSD, Linux and I hope everybody else does.

Re:Is there any way to gain trust in a chip?

[PPH]

You just think it has no inputs. All that is needed is to flip the hidden "NotSoRandom" flag to '1'.

Re:Is there any way to gain trust in a chip?

You can't be sure with true randomness. With cryptographically secure randomness you can be (at least within a specified tolerance around 2^-128).

Re:Is there any way to gain trust in a chip?

[Pinhedd]

I have no doubt that the hardware-based random number generators works in the exact fashion that their manufacturers have specified. Given the amount of scrutiny that is presently being placed upon them I am certain that any sort of pattern in the entropy under normal operation would have been discovered by now.

However, this does not preclude the existence of a backdoor which alters normal operation. Setup certain registers in a particular fashion, call an undocumented instruction, and boom, the random number generator's entropy drops by several orders of magnitude. Not enough to be noticeable, but enough to make attacking it easier. There are however several problems with this:

1. It would require that the machine be compromised locally, with at least user level privilege. Security is mostly moot at this point and there are far better attack vectors available.

2. It would require sneaking undocumented instructions past dozens of engineers working at multiple levels of design and validation. Working backdoors into software is easy and can even slide under the radar if done properly, but in hardware they would stick out like a sore thumb. I have a hard time believing that the existence of a deliberate backdoor in hardware from a company the size of Intel would go unnoticed for long, or that everyone involved would be willing to keep it a secret.

3. There are far better attack vectors available to compromise cryptographic functions at the hardware level than messing with the RNG. Critics have taken a tunnel vision approach to the possibility that RDRAND and other hardware based random number generators may be compromised as they cannot be audited, yet completely overlook that nothing else about the hardware can be audited either. There are whole layers of management functions built into Intel's chips which could provide undocumented backdoors.

Re:Is there any way to gain trust in a chip?

Seeing as such a piece of hardware need not (and hopefully would not) have any inputs, only an output, it's hard to imagine how someone might hide (and later trigger) a back-door mechanism that could change its behavior post-testing. (But I'm sure there is some way to do it that I'm not thinking of ;))

Apart from the other valid arguments in this thread, I think you can count the frequency and the timing of random number requests as some kind of input that could trigger different behavior.

Re:Is there any way to gain trust in a chip?

[DES]

You can't be sure with true randomness. With cryptographically secure randomness you can be (at least within a specified tolerance around 2^-128).[citation needed]

You can never be sure. The keystream of a good stream cipher is fully deterministic, yet statistically indistinguishable from the output of a good PRNG.

Re:Is there any way to gain trust in a chip?

[unixisc]

At its most basic level, couldn't an RNG be implemented in hardware by putting in a JK flip flop w/ both inputs set to '1', so that a race condition develops? Put in enough bits, separate the flip flops some, and the outputs of some won't necessarily influence that of the others. Or even if they do, the probability will be... random!

Do that w/ enough bits - say 512 - and you got a perfect RNG in the hardware. Some of the inputs could be near VDD, some near VSS and others far from either, and you'd have enough random predictability.

Re:Is there any way to gain trust in a chip?

[jasax]

With RNG I was using a short name for "Random Number Generator". I didn't meant a LFSR ;-)

With alll we know about hardware backdoors

[ganjadude]

We have known for some time it is not impossible to hardcode a backdoor into a chip. I thought we already decided a while back that we cannot trust chip protection, in the past it was china chips but with the information given by snowden it only makes sense not to trust a chip from intel

Re:With alll we know about hardware backdoors

[X0563511]

Who is "we?"

They will be tried in secret in a secret court..

for violating secret orders they never even heard of :-)

nine nine nine...

[jakedata]

http://dilbert.com/strips/comic/2001-10-25/

That's the problem with randomness, you can never be sure.

Re:nine nine nine...

[Dogers]

Same with programmers and randomness :)
http://www.gergely.risko.hu/debian-dsa1571.en.html

Re:nine nine nine...

[sourcerror]

This is how it was generated.

Re:nine nine nine...

That is why we want cryptographically secure randomness. Then you can be sure, within a specified tolerance of around 2^-128.

NSA Honeypot

The NSA has an innocent-looking honeypot right here for all you wise-guys.

If you want proper random numbers, get yourself a radioactive source.

FYI, Linux did this 18 months ago

[swillden]

One of the first things Ted Ts'o did when he took back maintainership of /dev/random in Linux was to stop depending solely on the hardware RNG.

https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J?e

Re:FYI, Linux did this 18 months ago

[swillden]

Hmm. I thought slashdot would automatically linkify that. https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J?e.

Dumb headline

The summary itself says it's just the RNG that they're not trusting; it doesn't say anything at all about not trusting the encryption. (Probably because the question of whether or not the encryption works correctly, is actually verifiable, unlike the RNG.) So why the dumb headline, which contradicts its own summary?

Re:Dumb headline

[VortexCortex]

Well, if the chip is using its encryption circuit to create the RNG output...

Me neither

I wouldn't trust chip based encryption either, and I wouldn't trust anybody else that did.

Re:Me neither

[DES]

I wouldn't trust chip based encryption either, and I wouldn't trust anybody else that did.

Assuming we're only talking about ciphers and not protocols: by definition, there is one and only one possible ciphertext for any given combination of key and plaintext. Thus, there is no way to introduce a weakness in an implementation which would not be trivially detectable by comparison with any other implementation; in fact, the result would be unusable as it would not be interoperable with other implementations.

(With a caveat for algorithms which require a random initialization vector; don't let the implementation choose the IV for you.)

So the NSA can predict your video game ...

[perpenso]

2: Chip internally stores the last n random numbers that it has output. Later, the NSA can confiscate your computer, subject the chip to some undocumented state that causes it to barf up its secrets, and again all your keys are now utterly, hopelessly broken.

More likely its just going to get the random numbers generated for a video game.

Re:So the NSA can predict your video game ...

[X0563511]

If you're using /dev/random (or the Windows equivalent) instead of /dev/urandom for that, you're an idiot and probably have lots of open bugs related to your game hanging.

TRNG using discrete components?

[QuasiSteve]

Given that it's stated that you can't trust a chip's encryption routines, which at the basis means that you don't trust its random number generator, and given that 'a chip' extends down from the latest Intel to a relatively lowly PIC, is anybody aware of an actually available TRNG (true/hardware random number generator) built out of discrete components?

Comments to a Bruce Schneier post titled "Surreptitiously Tampering with Computer Chips" once suggested this would be the only way to 1. be certain* of no tampering and 2. have reasonably sufficient output bandwidth to be used in practical applications.

However, I haven't seen any actual implementation. My Google-fu may be failing me, though.

* Barring some pretty sweet shenanigans like those pulled by Henryk Gasperowicz; [Spoiler video](https://www.youtube.com/watch?v=-KMLmpC7-Ls). I can't see manufacturers including any crypto-defeatery bits into a basic transistor thinking that it just might possibly be used in an actual crypto application, and eat the cost somehow.

Re:TRNG using discrete components?

How about floating differential inputs to an ADC powered by a battery with the MSBs stripped off?

Re:TRNG using discrete components?

An ADC isn't a discrete component, nor would the uC that generates the bitstream from the ADC. Though you could build an ADC from discrete components (yuck, that would be huge), you're still left with the uC.

Re:TRNG using discrete components?

http://en.wikipedia.org/wiki/Hardware_random_number_generator

You could decide not to trust them based on the fact that you can't exclude the fact that something put in by the NSA or whatever fuzzes the data such that it's not truly random. But if you eliminate sabotage, then yea, a hardware random number generator can be trusted. Hell, the quantum ones are TRULY random!

Re:TRNG using discrete components?

Why the restriction to make it solely out of discrete components? At what point do you start to trust integrated circuits, or settle on a sufficient level of paranoia?
Sample e.g. Zener breakdown noise with an ADC... well maybe you don't want to trust the ADC IC. So you design your own discrete integrating ADC (with discrete-components amplifier), all controlled and sampled with your own software running on a microcontroller. If you can't trust your own software to run on a microcontroller, use logic chips. Still not discrete enough, then make a simpler 1-bit ADC and sample that output. Sample using what? Your computer, of course.

Now do you trust your computer to faithfully execute the instructions given to it, that is, to sample the output of your RNG?
At some point in the bit stream there's going to be an integrated circuit that you have to reasonably trust.

What if that's good enough, and these boards are pumped out by the million? Now it's a target for the snoopers again.

Re:TRNG using discrete components?

Unless you think they're suborning ADCs to "know" they're being used as TRNG sources (which doesn't even in principle seem to be possible), just buy a Cirrus Logic 24-bit delta sigma converter, and once you become a master of analog board layout & error compensation you can sample a 1K resistor's white noise to seed a discrete LFSR.

Re:TRNG using discrete components?

Simple chaotic circuits perhaps?

Re:TRNG using discrete components?

Let me google that for you:
Wikipedia page on Hardware RNGs
Wikipedia list of Hardware RNGs for sale
Raspberry Pi has hardware RNG built-in
Don't trust manufacturers? Build your own!
Here's how HotBits did it
LavaRnd uses your lens-capped webcam to generate random numbers
Once you have it, make sure you test it!

Sorry for the snark, it just makes me sad to see a post get modded to +5 for asking a question that's long since been answered, on this site, even.

Hipster Judges

That order is too obscure, you probably never heard of it.

Entropy source

[tchuladdiass]

Why not just hook a microphone on the inside of the computer to pick up the fan noise, and use that as a random source? I'm sure there's some entropy in there.

Re:Entropy source

[epyT-R]

not enough.. mechanical noise is cyclical..

Re:Entropy source

[mrchaotica]

A webcam with the lens cap on works for that kind of thing. (I'd link to lavarnd.org, but it is mysteriously down...)

Re:Entropy source

[TheGratefulNet]

mix with electrical noise. I bet there's a lot of unused lm741's out there still in the supply chain. they are noisy as hell. combine the noise of this and some other element and if mixed in the right way, I would think that's pretty random.

(only half serious about using the lm741, though)

Re:Entropy source

[semi-extrinsic]

I would mod you up if I wasn't out of points.
And I too think lavarnd.org being down at this moment in time is semi-spooky.

Use XOR

No. None of this matters so long as you use XOR

That's really all it takes.

Check this out, I have some hexadecimal dice (yes, I'm a geek) so I will roll two of them to get me an actual random number from 0x00 to 0xFF

Then, I will use XOR to merge with two other random random bytes, which unfortunately, have been tampered with by the NSA. The NSA were able to choose 0x12 and 0xFA for their two bytes. But feel free to try this with any other bytes, or more of them, if you like.

OK, the dice gave me... 0xA5. The NSA don't know that, they just know the values they were able to choose, 0x12 and 0xFA. I XOR the three numbers and I get 0x4D. But how do the NSA guess what number I got? They have no way to know from just their two numbers 0x12 and 0xFA what the result will be.

Let's try it again, this time the NSA are able to know that the two other bytes were 0x58 and 0xE0, and I'm telling you as well. But... what's the resulting random byte? If you were right you should be able to guess, despite not knowing the dice roll that was XOR'd in. But you don't, because you were wrong.

XOR. To combine two or more streams of hopefully random bytes you use XOR and then you automatically get AT LEAST as much randomness as was in the most random of the sources and usually more.

Re:Use XOR

You are both right.

With a regular PRNG (which isn't really random at all, it just looks random), xor'ing two different streams together can result in something less random (i.e. less random looking).

However, here the discussion is about entropy sources, with dice rolling being an example of one, albeit too large to put inside a computer. If just one of your sources truly is random, even if it's bad (rolling dice, and returning one when you get 6, and zero for everything else would be bad but still truly random), you can not get worse by xor'ing it with a different source, even if that source is completely non-random. E.g. a stream of zeroes is completely non-random, and doesn't affect the output at all.

Re:Use XOR

[Em+Adespoton]

Yes; this is mostly right -- except for the fact that a stream of zeroes can still be completely random; just highly unlikely. The trick is whether that stream of zeroes can be accurately predicted or not, not what the actual value is. As such, not affecting the output is a perfectly random thing to do.

Good

[koan]

http://cryptome.org/jya/cg071599.htm

BSD?

People still use BSD?? Poor bastards

Useless against vPro / Small Business Advantage

All measures are pointless when the Intel chipsets on the motherboards have backdoors called vPro or Business Advantage.

One secret command sent to the chipset through the onboard NIC and it's over, you get access to ram/storage/video, all happening behind the OS, even when the machine is turned off.

It is our understanding that if the cpu has vPro / Small Business Advantage in it, it is backdoor'd, that means almost all the new Intel cpus in the past 5 years are backdoored, if not the past 10 years.

Intel Small Business Advantage is a security nightmare
New Intel Chips Contain Back-Door Processor, Hackable Even When Computer is Turned Off

Nothing is safe.

Weird stance.

[eyenot]

It strikes me as concession packaged up as stand-offishness. But it still reads like concession. If you don't trust the chip, don't use the chip. Why all the song and dance just to say "well we're still relying on the chip, by the way" at the end? Can anybody say "sugar coat"? I would take them to task over it, if I had some kind of bargaining power of my own. I would say, "if you claim you don't trust the chip, then either you don't utilize the chip, at all, or I in turn don't trust your routines."

Re:Weird stance.

[TheRaven64]

Trust in a random number generator is not a binary thing. All of the current hardware RNG implementations produce some entropy. The question is how much entropy you trust them to produce. If it gives 256 bits of entropy, then you can just use it as your random number source and be done with it. One that produces 16 bits of entropy is very useful as one (but not the sole) source to an algorithm like Yarrow of Fortuna, but would be a disaster if you used it as the random number generator without such an algorithm in the middle.

Re:Weird stance.

[eyenot]

It just seems so, so stupid to me that in the search for real encryption, we have to rely on pseudo-randomness, so then the entire point of contention comes down to a matter of how much "pseudo" we're willing to accept. My theory is that as science goes deeper into math and logic, we're going to result in consecutively more "reliable" PRNG but those will always be dismissed by later science, and will always raise the point of contention. It's not worth getting worked up over, and it's certainly never worth placing so much investment in that that same and inevitable contention is going to seem dearly costly in retrospect. People are, by and large, stupid. If we want truly random results, we should utilize something like a photon interference field which is more or less considered to be completely random. Or the emission of particles from certain stable isotopes which are known to closely adhere to certain probabilities over time but are also known to be truly random. Then we would be forced to develop methods of encryption based on true randomness, which is only an impossibility as long as we continue to believe (within our limited paradigm) that it is so.

But they do trust binary blobs...

http://www.gnu.org/distros/common-distros.html#BSD

So, same as the Linux Kernel

Yet, oddly, when the Linux Kernel's use of extra randomness was central to a topic on slashdot, it was talking about Linus calling people complaining about the Linux Kernel's treatment of random numbers being wrong as, paraphrased "You're too fucking dumb to understand, the developers writing that code are a lot smarter than you, so either write your own or shut the fuck up".

Now, I posted at the time that Linus was being a shit for this, but the complaint I have here isn't about Linus, but the fawning version of the same sort of story that BSD gets not only for doing the same thing as the Linux kernel did (but not lauded for) BUT DID IT MUCH LATER TOO (which it isn't being called out on).

Re:So, same as the Linux Kernel

[TheRaven64]

You might want to check your facts. A few things:

• The new FreeBSD randomness framework allows whitening algorithms (Yarrow, Fortuna, whatever) to be plugged in easily, along with multiple sources.
• Linux initially trusted RDRNG unconditionally to provide streams of random numbers, then backtracked to only using it as an input to whitening. FreeBSD only ever used it as an input to the PRNG and now has a more generic framework for doing so.
• Neither the new, or the old, FreeBSD random number generation framework is vulnerable to the attack published in October (and covered on Slashdot) on the Linux random number generator.

Re:So, same as the Linux Kernel

[bill_mcgonigle]

Linux initially trusted RDRNG unconditionally to provide streams of random numbers, then backtracked to only using it as an input to whitening.

There was a patch offered to allow linux to solely use RDRNG for /dev/random, but it was roundly rejected on the lists. I don't think you can find any point at which the kernel ever trusted it. It's only on newer Intel chips anyway.

Video Card DMA

OK, you have good crypto. But someone planted an interrupt, and the video card is using direct DMA to snaffle memory
a) tamper with routine
b) Copy it somewhere
c) read kbd buffer
d Call home

Clearly the objective is to log private keys and a stream ,instead old old passwords.
This make the undo-able, quite doable and cheap.

TFA is completely wrong

[DES]

FreeBSD has been using Yarrow for 10+ years, and no FreeBSD release has ever shipped with the option to feed the stream from a HWRNG directly to /dev/random. The only news here is that we have a new framework in the kernel for plugging hardware pseudo-random number generators into Yarrow, and an explicit policy (issued in my capacity as FreeBSD Security Officer) to not expose HWPRNGs directly to userland. There was some pressure from corporate users who want the raw feed for compliance reasons, but they were told to use RDRAND etc. directly rather than through /dev/random.