FreeBSD Developers Will Not Trust Chip-Based Encryption

← Back to Stories (view on slashdot.org)

FreeBSD Developers Will Not Trust Chip-Based Encryption

Posted by Soulskill on Wednesday December 11, 2013 @09:05AM from the fool-me-once,-shame-on-you dept.

New submitter srobert writes "An article at Ars Technica explains how, following stories of NSA leaks, FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values. The values will first be seeded through another randomization algorithm known as 'Yarrow.' The changes are effective with the upcoming FreeBSD 10.0 (for which the first of three planned release candidates became available last week)."

115 of 178 comments (clear)

Min score:

Reason:

Sort:

Very Smart Move by Anonymous Coward · 2013-12-11 09:09 · Score: 5, Insightful

They have every reason NOT to trust the chips. Trust, but verify is always the correct way.
1. Re:Very Smart Move by Anonymous Coward · 2013-12-11 09:18 · Score: 1
  
  He who writes the code decides nothing.
  He who executes the code decides everything.
  -- aleph stalin
2. Re:Very Smart Move by Billly+Gates · 2013-12-11 09:25 · Score: 3, Interesting
  
  You know 6 months ago such a comment would be modded -1 and this story would have the foot icon for humor.
  My have things changed. Microsoft was not that bad DRM monster we feared 12 years ago. First it turned out to be Apple in which we cheered them 10 years ago here on /.
  But both companies fail far in comparison to the US government and this is something I would not have imagined in my wildest nightmares.
  
  --
  http://saveie6.com/
3. Re:Very Smart Move by TWiTfan · 2013-12-11 09:48 · Score: 1
  
  If you will it, it is no dream, Dude.
  
  --
  The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
4. Re:Very Smart Move by Anonymous Coward · 2013-12-11 09:54 · Score: 2, Funny
  
  What? Don't be silly, these chips are all so perfectly safe and perfectly usable for things like encrypting communications
  .oO(wait, that was too subtle, nobody will get my funny joke)
  
  for us... *ahem* your customers!
  .oO(wow, i'm really funny and sarcastic. just add a little more so nobody can't possibly miss it)
  
  You're such a worrywart!
  Signed, um...
  .oO(ba-dumm tsss - i guess i will need to explain my next awesome joke too, by using boldface - otherwise nobody might get the subtle NSA reference)
  
  Mr. Norman Samuel Ayers
  .oO(well, i guess my humor is just too sophisticated, people will probaly miss it despite me repeatedly explaining my jokes. so let me just inb4 this)
  
  (/me starts a tally of wooshes)
5. Re:Very Smart Move by lgw · 2013-12-11 09:56 · Score: 2
  
  The RNG threat is particularly bad, because it looks like only one person would need to be in the know to sabotage the RNG on silicon, and it would bypass any review process, and it would be very hard to detect by observation of the RNG (assuming it still had, say, 32 bits of entropy).
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
6. Re:Very Smart Move by PopeRatzo · 2013-12-11 10:11 · Score: 2
  
  Are there black helicopters flying over your bedroom collecting your thoughts?
  Why would they need black helicopters to fly over your bedroom when they can just get them directly from your email?
  
  Is the US Government doing it?
  You know they are.
  
  Are other governments?
  Not the free ones.
  
  --
  You are welcome on my lawn.
7. Re:Very Smart Move by AHuxley · 2013-12-11 10:21 · Score: 1
  
  AC you seem to have forgotten the "parallel construction" aspect for use in US domestic courts and the massive domestic surveillance network that supports such efforts:)
  So thanks to Snowden many more people can understand that the US legal structure has changed.
  Encryption will slowly have to be corrected so that non-governmental entities and former government staff cannot just sell gov methods to anyone for cash.
  The "radio waves" aspect was always sold to countries and staff as watching the Soviet Union. Now we know it was all for internal, domestic use too.
  
  --
  Domestic spying is now "Benign Information Gathering"
8. Re:Very Smart Move by Em+Adespoton · 2013-12-11 10:59 · Score: 2
  
  Are there black helicopters flying over your bedroom collecting your thoughts?
  Why would they need black helicopters to fly over your bedroom when they can just get them directly from your email?
  
  Is the US Government doing it?
  You know they are.
  
  Are other governments?
  Not the free ones.
  True governance comes at a price. Always.
9. Re:Very Smart Move by mlts · 2013-12-11 11:17 · Score: 1
  
  Trust but verify is important, but chips are incredibly hard to know if a random source is truly random, as opposed to, say the output of a clock AES encrypted, so that it appears random.
  Best thing to do is have the chip be part of the RNG, but not the only part, so another random source will provide enough unpredictability to keep thing secure.
10. Re:Very Smart Move by Anonymous Coward · 2013-12-11 12:12 · Score: 3, Funny
  
  With a surname that's a homophone of "stallin'" I'm guessing this individual was a Java programmer
11. Re:Very Smart Move by smash · 2013-12-11 13:06 · Score: 1, Informative
  
  Ah, but Linus has called such claims nonsense.
  FreeBSD for me, thanks.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
12. Re:Very Smart Move by celle · 2013-12-11 13:24 · Score: 2, Insightful
  
  "Trust, but verify"
  If you feel you have to verify then you don't trust them. It was bullshit when Reagan said it and it still is.
13. Re:Very Smart Move by Sponge+Bath · 2013-12-11 13:36 · Score: 1
  
  It was bullshit when Reagan said it and it still is.
  Reagan's mind was imprinted into the NSA's most powerful computer, where it feverishly works to complete World Domination for Bonzo.
14. Re:Very Smart Move by Anonymous Coward · 2013-12-11 13:45 · Score: 5, Informative
  
  I take it you didn't even actually read what he said, then.
  
  Linus Torvalds responds:
  Where do I start a petition to raise the IQ and kernel knowledge of people?
  Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.
  Short answer: we actually know what we are doing. You don't.
  Long answer: we use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random.
  Really short answer: you're ignorant.
  TL;DR: Linux was NOT trusting chips and doing a variant of what FreeBSD plans to do now since quite a bit before.
15. Re:Very Smart Move by cavreader · 2013-12-11 15:38 · Score: 1
  
  The legal structure has not changed in regards to Snowden's case. The charges against him have been on the books for a long time.
16. Re:Very Smart Move by zdzichu · 2013-12-11 19:04 · Score: 1
  
  Linus is reasonable guy. He's sometimes wrong, but can be convinced with technical arguments. The "don't-trust-RDRAND" change was included in Linux a year and a half ago: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9
  
  --
  :wq
17. Re:Very Smart Move by TheRaven64 · 2013-12-11 21:14 · Score: 1
  
  This work has been ongoing for about a year, since long before the NSA stuff came out. The consensus has been for a while that some hardware random number generators give very good entropy, but some are very poor and it's difficult to tell without querying them a few million times and plotting the distribution which one you have. Add to that, some of them appear to be influenced by the temperature, and as Stephen Murdoch's attack on Tor showed influencing the temperature of someone else's server is not always as difficult as you'd think.
  It seems quite unlikely that the hardware RNGs are tampered with, although it would be a very neat hypothetical attack if you could influence a specific RNG in such a way that you could reduce the entropy to, say, 16 bits within a larger space and only you be able to determine what the real space was, but it's very likely that some of them are quite bad. Adding Yarrow[1] makes you a bit safer, because there will be other entropy sources mixed in and so even a relatively poor RNG helps stir the pool.
  [1] Or some other whitening algorithm - Yarrow is the default, but there are some newer ones that are better, at the cost of a footprint that is not desirable for embedded devices, and FreeBSD 10 now includes a framework to make it easy to plug in the one you want.
  
  --
  I am TheRaven on Soylent News
18. Re:Very Smart Move by robgar30 · 2013-12-11 22:55 · Score: 1
  
  Freebsd, netbsd, openbsd, linux.. nobody solely uses any single source of randomness, to do so is a bad thing. The only thing new here, with freebsd is the pluggable framework around it.
19. Re:Very Smart Move by Ash+Vince · 2013-12-12 00:36 · Score: 1
  
  Ah, but Linus has called such claims nonsense.
  FreeBSD for me, thanks.
  No he did not call the claims nonsense, what he said was that the kernel did not do this anyway so before starting a stupid petition not to do something you should actually check what the kernel does.
  It sounds like all FreeBSD are doing is copying the approach that Linux already used in that they are using the random values thrown out by the chip as a source of entropy to combine with several other sources of entropy in generating a true random number. I am surprised that FreeBSD did not do this already to be honest, although other posters her seem to think it was.
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
20. Re:Very Smart Move by DES · 2013-12-12 02:11 · Score: 1
  
  TL;DR: Linux was NOT trusting chips and doing a variant of what FreeBSD plans to do now since quite a bit before.
  You mean “a variant of what FreeBSD has been doing since 2003”
21. Re:Very Smart Move by unixisc · 2013-12-12 04:00 · Score: 1
  
  From the above summary
  
  FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values
  
  In other words, Intel or Via's RNG will still be used, but won't be the ONLY basis on which they are generated. It will be that PLUS Yarrow
22. Re:Very Smart Move by unixisc · 2013-12-12 04:06 · Score: 1
  
  The CPU based RNGs - aren't they based on factors other than temperature, such as ambient noise?
23. Re:Very Smart Move by arglebargle_xiv · 2013-12-12 13:40 · Score: 1
  
  It's not so much "very smart move" as "why weren't they doing this in the first place"? I've worked on various crypto projects and I don't think any of them ever relied on a single source of entropy, unfiltered. For those systems using RDRAND the way it's supposed to be used (to feed a hash or crypt-based generator, alongside other sources), this "news" story should really read "FreeBSD developers finally do what everyone else has been doing for years".
24. Re:Very Smart Move by bill_mcgonigle · 2013-12-12 18:54 · Score: 1
  
  Tell us - what happens when you mix a stream of zeros into your entropy pool?
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
25. Re:Very Smart Move by bill_mcgonigle · 2013-12-12 18:58 · Score: 1
  
  it looks like only one person would need to be in the know to sabotage the RNG on silicon
  Technically, you can't even access the hardware RDRNG, you have to access it through a black box hash function unit that is specified as "trust us". If something were to be sabotaged, that would be the place to do it. If I were designing a susceptible RNG, I'd allow it to change its behavior based on an obscure set of inputs, so most of the time it worked correctly.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
26. Re:Very Smart Move by TheRaven64 · 2013-12-12 21:03 · Score: 1
  
  It depends on the implementation. As I recall, the Intel ones are basically just a pair of flipflops in an unstable configuration for each bit. They're intended to be something that toggles between 0 and 1 at some frequency that you can't easily determine (and which isn't the same for each bit). However, as they're digital circuits, they do respond to heat. Hopefully, they don't respond in a way that makes the readings more predictable, but it would take a lot of analysis to be sure of that.
  
  --
  I am TheRaven on Soylent News
27. Re:Very Smart Move by unixisc · 2013-12-13 02:40 · Score: 1
  
  Yeah, I describe how it could be done in the thread below 'Is there any way to gain trust in a chip?' Also, if a chip has multiple asynchronous clocks & PLLs, that's another way of introducing randomness in the results.
28. Re:Very Smart Move by Em+Adespoton · 2013-12-13 05:51 · Score: 1
  
  oh brother. is that what passes for sagely advice?
  I wrote it, and I have the same reaction to the moderation 8|
29. Re:Very Smart Move by SharpFang · 2013-12-15 18:54 · Score: 1
  
  Collect, snoop in, use own resources to decrypt - sure.
  Damage security of products manufactured by independent, private 3rd party companies, force them to release broken security products and market them as secure - now that's really assinine.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
30. Re:Very Smart Move by jaseuk · 2013-12-17 21:23 · Score: 1
  
  How many?
Wise by Anonymous Coward · 2013-12-11 09:10 · Score: 1

It's always wise to get entropy from as many places as you can; in light of the NSA revelations, it's time relying on just one becomes something people don't even consider anymore.
Is OpenBSD, the 'security first' BSD, ahead of, or behind the curve with this?
1. Re:Wise by Minwee · 2013-12-11 09:21 · Score: 4, Funny
  
  Every time an OpenBSD system needs a random number, instead of trusting any hardware device, it phones home and asks Theo to provide one.
2. Re:Wise by aliquis · 2013-12-11 09:25 · Score: 1
  
  I googled it:
  http://www.openbsd.org/crypto.html#hardware
  https://lobste.rs/s/gbe1zl/we_cannot_trust_intel_and_via_s_chip-based_crypto_freebsd_developers_say
  I don't know whatever that actually mean, how it is or how reliable anything else is. Maybe someone with some actual knowledge can provide the answers :) (My thought was that one could likely use different randomizers.)
3. Re:Wise by maxwell+demon · 2013-12-11 09:28 · Score: 5, Funny
  
  I think it phones to this place. However some developers don't trust that random number generator and instead opt for this implementation.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
4. Re:Wise by thesupraman · 2013-12-11 09:54 · Score: 1
  
  You mean just like Linux has for quite some time?
  After all, these hardware random sources feed the entropy pool, however are certainly not its only source.
  Hell, applications can even contribute to the pool as they wish, and that is not considered an issue no matter how non-random their contribution is.
  FreeBSD and its reliance on the Yarrow approach is much more 'sensitive' to its PRNG source(s), so its about time they caught up..
  http://en.wikipedia.org/wiki//dev/random
  Then again, random numbers tend to be treated almost as a religious argument rather than a technical one.
5. Re:Wise by Thud457 · 2013-12-11 10:21 · Score: 2
  
  random numbers tend to be treated almost as a religious argument rather than a technical one.
  Hail Eris!
  
  --
  the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
6. Re:Wise by Carnildo · 2013-12-11 10:29 · Score: 4, Interesting
  
  According to the OpenBSD link, OpenBSD uses the Intel and Via random-number generators, but not as the sole source of randomness. The nice thing about mixing random number generators is that if you do it right (like OpenBSD does), the result is at least as random as the most random source: a bad RNG does not reduce the overall quality of randomness.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
7. Re:Wise by epyT-R · 2013-12-11 11:27 · Score: 1
  
  Except that this feature has nothing to do with the kernel.
8. Re:Wise by Anonymous Coward · 2013-12-11 11:52 · Score: 1
  
  It's assumed in proofs that two different RNGs are _independent_. If they're independent, and you use the correct constructs, then you're guaranteed to be no worse off than the best RNGs.
9. Re:Wise by dremspider · 2013-12-12 02:02 · Score: 1
  
  Oh ye wise and knowledgeable anonymous coward. Pray tell how would like them to store the key to verify the server on another system? If they break into your system as root who the heck cares that they can now masquerade as your system? They already have access to YOUR system so what more damage can they do by man in the middling you as well? Tell us what you would do to fix it and what benefit it would provide.
10. Re:Wise by Bengie · 2013-12-12 06:34 · Score: 1
  
  I love entering passwords on 10,000 servers when they need to reboot. Lets see.. I know, lets hardcode the password into a script and encrypt the key.. There! Secure!
11. Re:Wise by Bengie · 2013-12-12 06:39 · Score: 1
  
  In our Universe, the act of measuring changes the result in a random way. Good luck. While it is possible that our Universe doesn't have true randomness, to anything inside the Universe, there is no way of knowing.
what's that going to accomplish? by Anonymous Coward · 2013-12-11 09:13 · Score: 1

if the idea is not to trust the hardware implementation then why use it alongside "Yarrow" in the first place? This just seems like the glorious Foundation using recent news about the NASA as a self-promotion tactic and even to a layman it's a poor one. "Trust FreeBSD, we still use rdrand et. al., but we filter it through some vague algorithm called Yarrow that makes it safe!"
You'll forgive me for not being entirely convinced, particularly when even the latest release of 10 still refuses to boot and install properly on my UEFI-based system.
1. Re: what's that going to accomplish? by Anonymous Coward · 2013-12-11 09:24 · Score: 5, Informative
  
  https://www.schneier.com/yarrow-qa.html
  your ignorance is unjustifiable
2. Re:what's that going to accomplish? by houstonbofh · 2013-12-11 09:24 · Score: 4, Insightful
  
  Because true random in software is computationally expensive. Adding a layer of obfuscation on top of the untrusted hardware gives you a better random cheaply, and avoids potential back-doors in the hardware generator.
3. Re:what's that going to accomplish? by Billly+Gates · 2013-12-11 09:33 · Score: 2
  
  Not to mention insecure too.
  There are only so many milliseconds on the clock to use on the seed. Even if you use the mic statistically silence or a clicking sound will be heard for 90% of the users so that makes that seed bad too. Network? At home there is little traffic and even at work there are the same patterns from Cisco and HP for 80% of the packets.
  SGI had some interesting encryption methods that dealt with quantam mechanics on their servers and workstations. Man I miss them.
  
  --
  http://saveie6.com/
4. Re:what's that going to accomplish? by aardvarkjoe · 2013-12-11 09:44 · Score: 1
  
  And if you're not sure that either one is secure, are you really gaining anything by using two - maybe you should spend some time finding a lock that you *do* trust.
  There is no PRNG, Yarrow included, that we can say with 100% certainty that is not (or will not be) broken. The point of using multiple PRNGs is so that even if one or more of the components is compromised, it doesn't compromise the entire system. To use your metaphor: if your options are a padlock and a keyed lock, and there's a 25% chance each that a burglar could bypass them -- wouldn't you use both locks to reduce the probability of being robbed to 1/16 instead of 1/4?
  
  --
  
  How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
5. Re:what's that going to accomplish? by dAzED1 · 2013-12-11 10:13 · Score: 1
  
  you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.
6. Re:what's that going to accomplish? by X0563511 · 2013-12-11 10:26 · Score: 2
  
  Yarrow is hardly vague.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
7. Re:what's that going to accomplish? by Billly+Gates · 2013-12-11 10:28 · Score: 2
  
  you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.
  You know I had a problem with BSOD occuring frequently in a large call center.
  Turns out hte problem was the big UPS for the whole floor spiked things and the power strips always tried to smooth things. Over a period of time the soldier would crack and burst due to the UPS doing hard rectangular patterns rather than waves when it alternated back and forth.
  Real power from the wall was cleaner than the UPS for the power strips.
  
  --
  http://saveie6.com/
8. Re:what's that going to accomplish? by Em+Adespoton · 2013-12-11 11:20 · Score: 1
  
  And if you're not sure that either one is secure, are you really gaining anything by using two - maybe you should spend some time finding a lock that you *do* trust.
  There is no PRNG, Yarrow included, that we can say with 100% certainty that is not (or will not be) broken. The point of using multiple PRNGs is so that even if one or more of the components is compromised, it doesn't compromise the entire system. To use your metaphor: if your options are a padlock and a keyed lock, and there's a 25% chance each that a burglar could bypass them -- wouldn't you use both locks to reduce the probability of being robbed to 1/16 instead of 1/4?
  That's not quite it, as we're not dealing with locks here, but patterns. And as you know, humans are pretty good at spotting patterns in the randomness.
  The end result is that if you choose the wrong combination of PRNGs, you can end up with a result that has a decidedly non-random pattern embedded in it that can be exploited to do predictive analysis of the crypto. Layering more PRNGs on can actually help to isolate the pseudoness instead of the randomness. At some point, you need to use some algorithm to randomly select from the PRNGs, and do so in a way that eliminates the pseudo-generative effects of those sources while failing to introduce its own. The best way to do this is to use something very contextual, where it is highly unlikely an attacker would have access to all the variables.
9. Re: what's that going to accomplish? by mlts · 2013-12-11 11:26 · Score: 2
  
  What is needed is are seed inputs. When a key is hit, get a super-accurate clock sample of it, hash it with MD5 [1], and toss it in the pool. Mouse movements, similar. If the computer is idle, this won't help much, but while it is in use, it should help provide enough unpredictable data to be up to par for security purposes. I'm sure there are other inputs that can be hashed over time and the hashed bits tossed in. Of course, the RNG from the chip can be easily tossed in as well. The good thing is that the most random factor "wins" in this case.
  [1]: MD5 has its issues, but it is being used in this case as a bit blender, so hash collisions can happen, and not really matter. It would be wise to move to a newer algorithm like SHA-1024 or SHA-3, for more bits though.
10. Re:what's that going to accomplish? by mlts · 2013-12-11 11:30 · Score: 1
  
  I've wondered about using a very high speed flip-flops, or on a simpler thing, a SR latch with both inputs on, and sampling the output. I remember some cryptographically secure RNGs doing this in lieu of a radium-painted chip.
11. Re:what's that going to accomplish? by Em+Adespoton · 2013-12-11 11:39 · Score: 1
  
  you just...answered why it wouldn't work. If that much garbage is actually coming into the conditioned power, it will kill the system in very little time.
  Why? Is there something I need to know about electromagnetics and primary transformer coils being unable to handle variance in the amperage and voltage?
  The DC provided by the PSU is by definition conditioned to some degree -- the transformer does this by using induced current to step down the voltage, then passes it through the rectifier (diode-cathode ring) which should smooth things out even further.
  Unless you're saying that if there's enough garbage (read: degree of variance in amperage and voltage, vs frequency of change) to get through the transformer, you're going to kill your PSU, which is true.
12. Re:what's that going to accomplish? by swillden · 2013-12-11 12:20 · Score: 1
  
  Because true random in software is computationally expensive.
  True, if by "computationally expensive" you mean "we have to run this until the hardware breaks and starts executing our software non-deterministically".
  Otherwise, true randomness in software is simply infeasible, because chip engineers deliberately design the hardware to eliminate non-determinism.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
13. Re:what's that going to accomplish? by LoRdTAW · 2013-12-11 16:32 · Score: 1
  
  Most of the power supplies are switching which means the AC is filtered and converted to DC before it hits any transformers. A switching IC then turns the resulting high voltage DC into a PWM or square wave using a transistor and that goes through a high frequency transformer which is much much smaller and cheaper than a laminated steel core 60Hz transformer. Switching frequencies can be in the tens to hundreds of kilohertz. Smaller DC-DC switchers are in the megahertz range and are really small.
  So in summary, line noise wouldn't make much of a difference with today's efficient switching power supplies. Unless it was high voltage spikes that the switcher couldn't cope with but then you have bigger problems.
14. Re:what's that going to accomplish? by houstonbofh · 2013-12-11 17:15 · Score: 1
  
  Because true random in software is computationally expensive.
  True, if by "computationally expensive" you mean "we have to run this until the hardware breaks and starts executing our software non-deterministically".
  Otherwise, true randomness in software is simply infeasible, because chip engineers deliberately design the hardware to eliminate non-determinism.
  Yep. Just keep calculating until you find the dodgy bit of ram. :) (Not supported with ECC memory)
15. Re:what's that going to accomplish? by LoRdTAW · 2013-12-11 17:29 · Score: 1
  
  I am not a cryptologist or crypto expert but what about the seed methods using a video camera looking at a lava lamp? I have also heard of pointing it out a busy window as the randomness of traffic, people, animals, tree movement etc. is quite random. Is it too slow or not random enough? What about a camera looking at a busy highway? I did a bit of googling and only found that the lavarand site is long gone but it was started by SGI back in the 90's. Another article described a cmos camera with the lens cap on and the sensor gain cranked up so the noise picked up by the sensor was used as a seed.
  I realize these methods aren't always practical or available but from a technical point, are they viable?
16. Re:what's that going to accomplish? by CoderJoe · 2013-12-11 18:04 · Score: 1
  
  This article talks about Intel's design, which is based on two inverters in a ring. Both inverters are forced to the same state and then left to settle into one state or the other based on thermal noise. There's a bit more to it, but that is the basis.
17. Re: what's that going to accomplish? by TheRaven64 · 2013-12-11 21:28 · Score: 2
  
  It is quite unlikely that the hardware RNG is compromised. It is, however, quite likely (and there have been experiments to show this for some RNG implementations) that it doesn't give as much entropy as advertised.
  The big problem is that it's very hard to get good entropy early on in the boot process (when things like TCP sequence numbers and sometimes when SSH server keys are initially generated). You can use a hash of the kernel, but that's shared between other machines with the same kernel. You can use the time, but that's likely known to the attacker (and in some embedded systems will always be the same on every boot, until it queries an external source and corrects it). You can use interrupt times, but the ones from the disk / flash are likely to be similar, if not the same, across boots of the same kernel and the early network ones are susceptible to attack by people on the local network.
  The hardware RNG definitely gives you some entropy, and so using it to stir the pool for Yarrow helps a lot here. Later on, there is a lot more entropy. As you start to get disk access patterns based on system use and network connections from a variety of sources, interrupt times give quite a lot of entropy. It still helps to mix in the hardware RNG, however.
  As I said in another post, it's quite unlikely that the hardware is intentionally compromised (although it's a nice attack, so I wouldn't guarantee that future versions won't be), but it's very likely that it provides less entropy than advertised. This makes it fine for input into a PRNG like Yarrow of Fortuna (I think Fortuna made it into FreeBSD 10, if not it should be in 10.1), but not adequate for general use. The point of a PRNG algorithm like Yarrow is to generate an unpredictable sequence of numbers from some source entropy seed, which can change over time. As long as you have enough entropy, you will get a cryptographically secure sequence of pseudo-random numbers. All this work is doing is saying 'we trust the hardware to give us some entropy, but we don't trust it to give us all of the entropy that we need'.
  
  --
  I am TheRaven on Soylent News
Makes sense ... by MacTO · 2013-12-11 09:20 · Score: 4, Insightful

One of the features of open source software is that the code, thus the algorithms, can be examined by a third party. In the case of chips, this is very difficult to do. Most people are stuck trusting that the designer implemented the algorithm they said they did, and that they implemented it properly (the former implying no malice and the latter implying competence). That is particularly true for something like random number generators, which are intended to be non-deterministic as far as the software is concerned so any testing the implementation can only be done statistically. Very few people have the ability to examine the physical design of the chip to check the actual implementation.
1. Re:Makes sense ... by Anonymous Coward · 2013-12-11 10:29 · Score: 1
  
  Once you are talking about encryption or the algorithms around encryption the people that actually have any hope in hell of making an intelligent review of the code are as rare as hens teeth. closed or open their is very little difference in the level of reviews that happen in this area. Having said that you should never rely on one source of truth for randomisation anyway.
Is there any way to gain trust in a chip? by Jeremi · 2013-12-11 09:21 · Score: 4, Interesting

Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?
Seeing as such a piece of hardware need not (and hopefully would not) have any inputs, only an output, it's hard to imagine how someone might hide (and later trigger) a back-door mechanism that could change its behavior post-testing. (But I'm sure there is some way to do it that I'm not thinking of ;))

--

I don't care if it's 90,000 hectares. That lake was not my doing.
1. Re:Is there any way to gain trust in a chip? by Billly+Gates · 2013-12-11 09:29 · Score: 1
  
  What kind of world do we live in when we can't even trust our own damn hardware! Seriously ...
  
  --
  http://saveie6.com/
2. Re:Is there any way to gain trust in a chip? by K.+S.+Kyosuke · 2013-12-11 09:36 · Score: 1
  
  There are. But an even better option is probably to roll out your own.
  
  --
  Ezekiel 23:20
3. Re:Is there any way to gain trust in a chip? by Anonymous Coward · 2013-12-11 09:37 · Score: 3, Informative
  
  Black box? No. Even if testing proved it was absolutely random for the first N numbers, there is no way to be certain that N+1 is not the first of a string of non-random numbers.
  But it's not necessary to make it a black box. Physical systems take well known phenomena and use them to to generate random numbers. http://en.wikipedia.org/wiki/Random_number_generation#Physical_methods Done this way, you can make a "transparent box" that performs great and is trustworthy.
4. Re:Is there any way to gain trust in a chip? by OzPeter · 2013-12-11 09:38 · Score: 1
  
  Just out of curiosity: Given a "black box" implementation of any device, is it possible to test its output sufficiently to gain some faith in its proper operation?
  Why do you stop at randomness? You are trusting a lot more hardware than just that when you use a computer.
  
  --
  I am Slashdot. Are you Slashdot as well?
5. Re:Is there any way to gain trust in a chip? by Anonymous Coward · 2013-12-11 09:39 · Score: 3, Interesting
  
  Ok, I'll take a shot, here's two of them for you:
  1: Chip outputs the digits of pi starting at some crazy number of decimal places out that only the NSA has had enough hours on the supercomputer to find. Your chip now puts out data that you cannot distinguish from random, but that the NSA can perfectly predict. They go to their giant database of all of your internet traffic ever, and can now read whatever they would like, as all of your keys are now utterly, hopelessly broken.
  2: Chip internally stores the last n random numbers that it has output. Later, the NSA can confiscate your computer, subject the chip to some undocumented state that causes it to barf up its secrets, and again all your keys are now utterly, hopelessly broken.
6. Re:Is there any way to gain trust in a chip? by jasax · 2013-12-11 09:40 · Score: 1
  
  You could initialize the hardware RNG and a software (open code, verified by whoever is interested) implementation of the same algorithm with the same seed and compare if the first millions or billions of generated numbers were the same. Reseed and redo this a certain number of times and you statistically can reduce the probability of evil-non-randomness to (near) zero.
  
  Of course, the existence of a programmed or delayed-opening backdoor of any sort in the chip would break this procedure...
7. Re:Is there any way to gain trust in a chip? by SuperKendall · 2013-12-11 09:43 · Score: 1, Insightful
  
  The output can be completely random, but it doesn't matter if someone else has a mechanism to reproduce exactly the same random stream. Or the ability to toggle on the semi-random mode...
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
8. Re:Is there any way to gain trust in a chip? by tippe · 2013-12-11 09:54 · Score: 5, Funny
  
  Really? I just did this:
  $ cat /dev/random | xxd | head -n 10 0000000: 414c 4c59 4f55 5242 4153 4541 5245 4245 ALLYOURBASEAREBE 0000010: 4c4f 4e47 544f 5553 5448 414e 4b53 4652 LONGTOUSTHANKSFR 0000020: 4f4d 5448 454e 5341 414c 4c59 4f55 5242 OMTHENSAALLYOURB 0000030: 4153 4541 5245 4245 4c4f 4e47 544f 5553 ASEAREBELONGTOUS 0000040: 5448 414e 4b53 4652 4f4d 5448 454e 5341 THANKSFROMTHENSA 0000050: 414c 4c59 4f55 5242 4153 4541 5245 4245 ALLYOURBASEAREBE 0000060: 4c4f 4e47 544f 5553 5448 414e 4b53 4652 LONGTOUSTHANKSFR 0000070: 4f4d 5448 454e 5341 414c 4c59 4f55 5242 OMTHENSAALLYOURB 0000080: 4153 4541 5245 4245 4c4f 4e47 544f 5553 ASEAREBELONGTOUS 0000090: 5448 414e 4b53 4652 4f4d 5448 454e 5341 THANKSFROMTHENSA
  Maybe there's a pattern there; I'm not sure. I guess that's the problem with randomness: you can never be sure.
9. Re:Is there any way to gain trust in a chip? by bug1 · 2013-12-11 10:06 · Score: 1
  
  You can also test to see how compressible it is, compression algorthithms recognising and removing patterns, so "good random" data should not be very compressible.
10. Re:Is there any way to gain trust in a chip? by LordLimecat · 2013-12-11 10:09 · Score: 1
  
  AFAIK the term "random" refers to "non-deterministic"; that is, if you know you have a box here which you know will provide the same output as the box over there, neither one is "random".
11. Re:Is there any way to gain trust in a chip? by K.+S.+Kyosuke · 2013-12-11 10:18 · Score: 1
  
  Except that it's not your own damn hardware. It's mostly Intel's hardware. Most people don't make their own chips nowadays. ;-)
  
  --
  Ezekiel 23:20
12. Re:Is there any way to gain trust in a chip? by PRMan · 2013-12-11 10:20 · Score: 1
  
  Even bad random data is not very compressible.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
13. Re:Is there any way to gain trust in a chip? by X0563511 · 2013-12-11 10:48 · Score: 1
  
  If you can feed in a seed and get the same output reliably, it's not a RNG, but a PRNG.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
14. Re:Is there any way to gain trust in a chip? by AHuxley · 2013-12-11 10:50 · Score: 2
  
  Re 'output sufficiently to gain some faith in its proper randomness".
  Back when cypher machines where unique physical devices sold to gov for embassy use the US and UK had two options:
  Set their own device standard with Tempest to leak the plain text. Such a unit would pass all "proper" crypto testing as it was a real crypto unit. The plain text was leaking out as entered or printed and could be collected.
  The great aspect was "trust" form the end user and the message was "safe" for sending.
  The other option was to get to staff or set up a front company to sell junk weakened encryption at a low price or via a trusted brand in a 'neutral' country.
  The low price would make any real commercial crypto efforts fail and set international standards to what junk brands where 'trusted' 'safe' and been used.
  When countries started the read leaked fragments of their encypted communications in the press - that was the time never to trust 'hardware'.
  After Snowden users can think back - you can have all the crypto post-testing you want as the US branded OS or tame telco or junk hardware/software is set for collecting all your keystrokes...
  The same tricks seem like crypto magic to every generation of academics. The problem is anyone could have followed the methods via the press in the ~1960-70-80-90's.
  
  --
  Domestic spying is now "Benign Information Gathering"
15. Re:Is there any way to gain trust in a chip? by VortexCortex · 2013-12-11 10:52 · Score: 1
  
  Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?
  Yes and No. One can statistically analyze output of the (pseudo) RNG and compare it to pure randomness, like atmospheric noise. However, you can't be sure there is no message in the stream. For example: Strong crypto produces enciphered data that looks exactly like pure randomness. It's one way we test for cryptographic strength. Indeed, BSD will now pipe RNG output through Yarrow (a pRNG based on hash functions) to produce randomness. Considering that knowing the initial state of a PRNG reveals its full exact stream of bits, and that hashes produce the same output for a given input: I'm not satisfied with this result either, unless the input is sufficiently salted with device IO timing and other such quasi-random states as in Linux's /dev/random entropy pool.
  
  Seeing as such a piece of hardware need not (and hopefully would not) have any inputs, only an output, it's hard to imagine how someone might hide (and later trigger) a back-door mechanism that could change its behavior post-testing. (But I'm sure there is some way to do it that I'm not thinking of ;))
  Strong crypto needs strong randomness for initialization vectors.
  While it's true the Ken Thompson Microcode Hack could exist in silicon (Chips could have full featured back-doors in them) it would be far less obvious and simpler to attack a single point of failure: The (hardware | pseudo) random number generator.
  It's possible to build a (pseudo) Random Number Generator that is biased in a way that's not noticeably different from pure atmospheric noise in practice, and even passes all the NIST / Diehard tests for randomness. I built one such high entropy pseudo random number generator using a pool of 517 integers and a mixing system. I had arranged the mixing system such that based on a small sample of randomness (50 or so integers, ~1500 bits) one could deduce a weak signal inherent in the pool which then slowly revealed the entire random number generator state in a cascade effect via an Error correction coding present in the bit-stream.
  Looking at the source code for my PRNG one wouldn't realize the thing had a back door in it via the selection of primes, constants, and the XOR, shift, AND, etc. mixing strategy itself. The implementation of error correction code akin to Reed Solomon Codes was hiding in plain sight. I sort of turned the weak signal bits on ear and presented them in the stream in "parallel" instead of "serial". The NIST tests chi-square, etc. against my PRNG proved indistinguishable from true random sources such as atmospheric noise, even with gigabytes of data to analyze thanks to the prime number sequence's weak enciphering of the bias pattern.
  To make matters worse, I built the system around constants taken from a run of digits in Pi. When apparently any random values will do as inputs for an equation, a known source of digits like this is meant to put cryptographer's minds at ease in that the values aren't just 'magic numbers', pulled from thin air -- Constant numbers selected with possible nefarious purposes. For examples of such 'un-magic selections', see the initial constant states of nearly any hash function, such as MD5, SHA-1, or SHA-2, etc...
  ......!
  According to RFC1925 - Rule 6(a), it's always possible to add another layer of indirection. So, I put my "careful number selection" to create the backdoor one level higher than the values themselves. I went looking for sources of workable constant values in the supposed accepted places. Of course anyone can supply their own pool sizes and init values to defeat my random attack, but in practice folks will use the default values
16. Re:Is there any way to gain trust in a chip? by gnasher719 · 2013-12-11 11:03 · Score: 2
  
  Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?
  Short answer: No.
  
  Long answer: There is "statistical randomness" and "cryptographical randomness". "Statistical randomness" tells you whether a random number generator can be used reasonably to simulate random physical phenomena. "Cryptographical randomness" means that it is impossible to predict the next random number if you know the mechanism that produces the random numbers, and the previous sequence of random numbers. Statistical randomness can be tested. For example, if you calculate three random numbers a, b and c, there are six possible ways how they could be ordered, and each possible ordering should be equally likely. Cryptographical randomness cannot be tested.
17. Re:Is there any way to gain trust in a chip? by Anonymous Coward · 2013-12-11 11:04 · Score: 3, Interesting
  
  All of this can be conveniently calculated by this tool, and neither of this will help you to distinguish actual randomness from a result of cryptographic algorithm working on extremely predictable input.
  For example, here's what it says about 32M of random bytes:
  Entropy = 7.999994 bits per byte.
  Optimum compression would reduce the size of this 33554432 byte file by 0 percent.
  Chi square distribution for 33554432 samples is 257.80, and randomly would exceed this value 43.91 percent of the times.
  Arithmetic mean value of data bytes is 127.4968 (127.5 = random). Monte Carlo value for Pi is 3.140698143 (error 0.03 percent). Serial correlation coefficient is 0.000015 (totally uncorrelated = 0.0).
  And here's what it says about 32 megabytes generated by SHA-256 hashing of 'Intel Intel Intel Intel Intel' concatenated with a 24 bit counter:
  Entropy = 7.999994 bits per byte.
  Optimum compression would reduce the size of this 33554432 byte file by 0 percent.
  Chi square distribution for 33554432 samples is 269.79, and randomly would exceed this value 25.08 percent of the times.
  Arithmetic mean value of data bytes is 127.4839 (127.5 = random). Monte Carlo value for Pi is 3.141798922 (error 0.01 percent). Serial correlation coefficient is 0.000266 (totally uncorrelated = 0.0).
  See how different the results look?.. Oh, wait, they don't :(
  For comparison, here's results for 32MB of simply ('Intel Intel Intel Intel Intel' concatenated with a 24 bit counter):
  Entropy = 3.465109 bits per byte.
  Optimum compression would reduce the size of this 33554432 byte file by 56 percent.
  Chi square distribution for 33554432 samples is 1153826816.00, and randomly would exceed this value less than 0.01 percent of the times.
  Arithmetic mean value of data bytes is 91.5781 (127.5 = random). Monte Carlo value for Pi is 3.948254105 (error 25.68 percent). Serial correlation coefficient is 0.079051 (totally uncorrelated = 0.0).
18. Re:Is there any way to gain trust in a chip? by cOldhandle · 2013-12-11 11:34 · Score: 1
  
  Even though it only has an output and no inputs, one trivial way of providing input would be to request random numbers in an irregular, timed pattern to trigger a state change in the obscured chip.
19. Re:Is there any way to gain trust in a chip? by melikamp · 2013-12-11 12:07 · Score: 2
  
  Just out of curiosity: Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?
  gnasher719 gave a nice answer, and I just want to add more. For statistical purposes, a true and fair RNG printing a string of zeroes and ones would at the very least print a normal number, and to test for that, one would have to count the frequencies of substrings of every length, in every base, which of course can be done, but may get expensive if one wants a lot of confidence.
  What gnasher719 calls cryptographical randomness cannot be tested in practice, but in theory, one can run the countable set of all computer programs in parallel, and see whether they can predict the digits of the RNG sequence with probability better than 1/2. Of course, this is completely intractable in the foreseeable future, with or without functional quantum computers.
20. Re:Is there any way to gain trust in a chip? by ras · 2013-12-11 12:12 · Score: 2
  
  Given a "black box" implementation of a random number generator, is it possible to test its output sufficiently to gain some faith in its proper randomness?
  The answer is an outright no.
  The thing that crypto depends on isn't that a stream of random numbers appears to be random. It is that the next number is utterly unpredictable. No one, not even the person who generated it, will know what it will be. This means if it is used as a key to protected some data, no one can predict what that key will be.
  One of ways every cryptographic cipher or hash is checked is to verify its output is indistinguishable from random data. If it isn't there is a weakness in the cipher or hash. So the output from any good cipher or hash will always appear to be completely random according to any test we can devise. But - the output is also completely predictable.
  So all NSA need to do in their black box is start with a predictable key or salt (the time would be fine), push it through a cipher or hash and output something which by appears completely random. If the random number is used to as 128 bits AES key it will appear file to any test the user can generate. But say they use a 1us tick to generate the time, and the NSA knows to say within 10 minutes when the key was generated, then they will only have to brute force against 1 billion keys (in other words that 128 bit key only has 30 bits of entropy). This is trivial to do.
  QED, the answer is emphatically no - there is no way to test if a black box is generating truly random numbers. Every black box must be treated as untrustworthy - which is exactly what BSD, Linux and I hope everybody else does.
21. Re:Is there any way to gain trust in a chip? by PPH · 2013-12-11 13:09 · Score: 1
  
  You just think it has no inputs. All that is needed is to flip the hidden "NotSoRandom" flag to '1'.
  
  --
  Have gnu, will travel.
22. Re:Is there any way to gain trust in a chip? by Pinhedd · 2013-12-11 20:36 · Score: 1
  
  I have no doubt that the hardware-based random number generators works in the exact fashion that their manufacturers have specified. Given the amount of scrutiny that is presently being placed upon them I am certain that any sort of pattern in the entropy under normal operation would have been discovered by now.
  However, this does not preclude the existence of a backdoor which alters normal operation. Setup certain registers in a particular fashion, call an undocumented instruction, and boom, the random number generator's entropy drops by several orders of magnitude. Not enough to be noticeable, but enough to make attacking it easier. There are however several problems with this:
  1. It would require that the machine be compromised locally, with at least user level privilege. Security is mostly moot at this point and there are far better attack vectors available.
  2. It would require sneaking undocumented instructions past dozens of engineers working at multiple levels of design and validation. Working backdoors into software is easy and can even slide under the radar if done properly, but in hardware they would stick out like a sore thumb. I have a hard time believing that the existence of a deliberate backdoor in hardware from a company the size of Intel would go unnoticed for long, or that everyone involved would be willing to keep it a secret.
  3. There are far better attack vectors available to compromise cryptographic functions at the hardware level than messing with the RNG. Critics have taken a tunnel vision approach to the possibility that RDRAND and other hardware based random number generators may be compromised as they cannot be audited, yet completely overlook that nothing else about the hardware can be audited either. There are whole layers of management functions built into Intel's chips which could provide undocumented backdoors.
23. Re:Is there any way to gain trust in a chip? by DES · 2013-12-12 00:06 · Score: 1
  
  You can't be sure with true randomness. With cryptographically secure randomness you can be (at least within a specified tolerance around 2^-128).[citation needed]
  You can never be sure. The keystream of a good stream cipher is fully deterministic, yet statistically indistinguishable from the output of a good PRNG.
24. Re:Is there any way to gain trust in a chip? by unixisc · 2013-12-12 07:25 · Score: 1
  
  At its most basic level, couldn't an RNG be implemented in hardware by putting in a JK flip flop w/ both inputs set to '1', so that a race condition develops? Put in enough bits, separate the flip flops some, and the outputs of some won't necessarily influence that of the others. Or even if they do, the probability will be... random!
  Do that w/ enough bits - say 512 - and you got a perfect RNG in the hardware. Some of the inputs could be near VDD, some near VSS and others far from either, and you'd have enough random predictability.
25. Re:Is there any way to gain trust in a chip? by jasax · 2013-12-12 13:45 · Score: 1
  
  With RNG I was using a short name for "Random Number Generator". I didn't meant a LFSR ;-)
With alll we know about hardware backdoors by ganjadude · 2013-12-11 09:26 · Score: 1

We have known for some time it is not impossible to hardcode a backdoor into a chip. I thought we already decided a while back that we cannot trust chip protection, in the past it was china chips but with the information given by snowden it only makes sense not to trust a chip from intel

--
have you seen my sig? there are many others like it but none that are the same
1. Re:With alll we know about hardware backdoors by X0563511 · 2013-12-11 10:50 · Score: 1
  
  Who is "we?"
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
They will be tried in secret in a secret court.. by Anonymous Coward · 2013-12-11 09:31 · Score: 1

for violating secret orders they never even heard of :-)
nine nine nine... by jakedata · 2013-12-11 09:31 · Score: 5, Funny

http://dilbert.com/strips/comic/2001-10-25/
That's the problem with randomness, you can never be sure.
1. Re:nine nine nine... by Dogers · 2013-12-11 10:38 · Score: 1
  
  Same with programmers and randomness :)
  http://www.gergely.risko.hu/debian-dsa1571.en.html
  
  --
  I am a viral sig. Please copy me and help me spread. Thank you.
2. Re:nine nine nine... by sourcerror · 2013-12-11 10:41 · Score: 1
  
  This is how it was generated.
FYI, Linux did this 18 months ago by swillden · 2013-12-11 09:51 · Score: 4, Informative

One of the first things Ted Ts'o did when he took back maintainership of /dev/random in Linux was to stop depending solely on the hardware RNG.
https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J?e

--
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
1. Re:FYI, Linux did this 18 months ago by swillden · 2013-12-11 09:54 · Score: 2
  
  Hmm. I thought slashdot would automatically linkify that. https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J?e.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
So the NSA can predict your video game ... by perpenso · 2013-12-11 10:16 · Score: 1

2: Chip internally stores the last n random numbers that it has output. Later, the NSA can confiscate your computer, subject the chip to some undocumented state that causes it to barf up its secrets, and again all your keys are now utterly, hopelessly broken.
More likely its just going to get the random numbers generated for a video game.
1. Re:So the NSA can predict your video game ... by X0563511 · 2013-12-11 10:47 · Score: 1
  
  If you're using /dev/random (or the Windows equivalent) instead of /dev/urandom for that, you're an idiot and probably have lots of open bugs related to your game hanging.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
TRNG using discrete components? by QuasiSteve · 2013-12-11 10:22 · Score: 4, Interesting

Given that it's stated that you can't trust a chip's encryption routines, which at the basis means that you don't trust its random number generator, and given that 'a chip' extends down from the latest Intel to a relatively lowly PIC, is anybody aware of an actually available TRNG (true/hardware random number generator) built out of discrete components?
Comments to a Bruce Schneier post titled "Surreptitiously Tampering with Computer Chips" once suggested this would be the only way to 1. be certain* of no tampering and 2. have reasonably sufficient output bandwidth to be used in practical applications.
However, I haven't seen any actual implementation. My Google-fu may be failing me, though.
* Barring some pretty sweet shenanigans like those pulled by Henryk Gasperowicz; [Spoiler video](https://www.youtube.com/watch?v=-KMLmpC7-Ls). I can't see manufacturers including any crypto-defeatery bits into a basic transistor thinking that it just might possibly be used in an actual crypto application, and eat the cost somehow.
Entropy source by tchuladdiass · 2013-12-11 10:58 · Score: 1

Why not just hook a microphone on the inside of the computer to pick up the fan noise, and use that as a random source? I'm sure there's some entropy in there.
1. Re:Entropy source by epyT-R · 2013-12-11 11:23 · Score: 1
  
  not enough.. mechanical noise is cyclical..
2. Re:Entropy source by mrchaotica · 2013-12-11 13:18 · Score: 2
  
  A webcam with the lens cap on works for that kind of thing. (I'd link to lavarnd.org, but it is mysteriously down...)
  
  --
  "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
3. Re:Entropy source by TheGratefulNet · 2013-12-11 17:25 · Score: 1
  
  mix with electrical noise. I bet there's a lot of unused lm741's out there still in the supply chain. they are noisy as hell. combine the noise of this and some other element and if mixed in the right way, I would think that's pretty random.
  (only half serious about using the lm741, though)
  
  --
  
  --
  "It is now safe to switch off your computer."
4. Re:Entropy source by semi-extrinsic · 2013-12-11 20:55 · Score: 2
  
  I would mod you up if I wasn't out of points.
  And I too think lavarnd.org being down at this moment in time is semi-spooky.
  
  --
  for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
Re:Dumb headline by VortexCortex · 2013-12-11 11:11 · Score: 1

Well, if the chip is using its encryption circuit to create the RNG output...
Good by koan · 2013-12-11 13:18 · Score: 1

http://cryptome.org/jya/cg071599.htm

--
"If any question why we died, Tell them because our fathers lied."
Weird stance. by eyenot · 2013-12-11 16:46 · Score: 1

It strikes me as concession packaged up as stand-offishness. But it still reads like concession. If you don't trust the chip, don't use the chip. Why all the song and dance just to say "well we're still relying on the chip, by the way" at the end? Can anybody say "sugar coat"? I would take them to task over it, if I had some kind of bargaining power of my own. I would say, "if you claim you don't trust the chip, then either you don't utilize the chip, at all, or I in turn don't trust your routines."

--
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
1. Re:Weird stance. by TheRaven64 · 2013-12-11 21:38 · Score: 2
  
  Trust in a random number generator is not a binary thing. All of the current hardware RNG implementations produce some entropy. The question is how much entropy you trust them to produce. If it gives 256 bits of entropy, then you can just use it as your random number source and be done with it. One that produces 16 bits of entropy is very useful as one (but not the sole) source to an algorithm like Yarrow of Fortuna, but would be a disaster if you used it as the random number generator without such an algorithm in the middle.
  
  --
  I am TheRaven on Soylent News
2. Re:Weird stance. by eyenot · 2013-12-24 17:54 · Score: 1
  
  It just seems so, so stupid to me that in the search for real encryption, we have to rely on pseudo-randomness, so then the entire point of contention comes down to a matter of how much "pseudo" we're willing to accept. My theory is that as science goes deeper into math and logic, we're going to result in consecutively more "reliable" PRNG but those will always be dismissed by later science, and will always raise the point of contention. It's not worth getting worked up over, and it's certainly never worth placing so much investment in that that same and inevitable contention is going to seem dearly costly in retrospect. People are, by and large, stupid. If we want truly random results, we should utilize something like a photon interference field which is more or less considered to be completely random. Or the emission of particles from certain stable isotopes which are known to closely adhere to certain probabilities over time but are also known to be truly random. Then we would be forced to develop methods of encryption based on true randomness, which is only an impossibility as long as we continue to believe (within our limited paradigm) that it is so.
  
  --
  "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Re:So, same as the Linux Kernel by TheRaven64 · 2013-12-11 21:41 · Score: 1
You might want to check your facts. A few things:
- The new FreeBSD randomness framework allows whitening algorithms (Yarrow, Fortuna, whatever) to be plugged in easily, along with multiple sources.
- Linux initially trusted RDRNG unconditionally to provide streams of random numbers, then backtracked to only using it as an input to whitening. FreeBSD only ever used it as an input to the PRNG and now has a more generic framework for doing so.
- Neither the new, or the old, FreeBSD random number generation framework is vulnerable to the attack published in October (and covered on Slashdot) on the Linux random number generator.
--
I am TheRaven on Soylent News
TFA is completely wrong by DES · 2013-12-11 22:51 · Score: 1

FreeBSD has been using Yarrow for 10+ years, and no FreeBSD release has ever shipped with the option to feed the stream from a HWRNG directly to /dev/random. The only news here is that we have a new framework in the kernel for plugging hardware pseudo-random number generators into Yarrow, and an explicit policy (issued in my capacity as FreeBSD Security Officer) to not expose HWPRNGs directly to userland. There was some pressure from corporate users who want the raw feed for compliance reasons, but they were told to use RDRAND etc. directly rather than through /dev/random.
Re:Me neither by DES · 2013-12-12 02:05 · Score: 1

I wouldn't trust chip based encryption either, and I wouldn't trust anybody else that did.
Assuming we're only talking about ciphers and not protocols: by definition, there is one and only one possible ciphertext for any given combination of key and plaintext. Thus, there is no way to introduce a weakness in an implementation which would not be trivially detectable by comparison with any other implementation; in fact, the result would be unusable as it would not be interoperable with other implementations.
(With a caveat for algorithms which require a random initialization vector; don't let the implementation choose the IV for you.)
Re:So, same as the Linux Kernel by bill_mcgonigle · 2013-12-12 18:50 · Score: 1

Linux initially trusted RDRNG unconditionally to provide streams of random numbers, then backtracked to only using it as an input to whitening.
There was a patch offered to allow linux to solely use RDRNG for /dev/random, but it was roundly rejected on the lists. I don't think you can find any point at which the kernel ever trusted it. It's only on newer Intel chips anyway.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:Use XOR by Em+Adespoton · 2013-12-13 06:00 · Score: 1

Yes; this is mostly right -- except for the fact that a stream of zeroes can still be completely random; just highly unlikely. The trick is whether that stream of zeroes can be accurately predicted or not, not what the actual value is. As such, not affecting the output is a perfectly random thing to do.