Hardware random number generator

Colleagues, please tell me which hardware random number generator is supported by FreeBSD?
At the same time, I would like it to cost a little less than a wing from Boeing...

Sincerely,
Ogogon.
 
Tell us what you need it for.

Both Knuth and Schneier mention that you can use two pseudo random number generators to produce pseudo random numbers that are entirely likely to be cryptographically secure -- you use one to shuffle the (otherwise predictable) output of another.
 
Personally I would select the RNG matching your requirements and then write a driver if necessary. A device driver for an RNG is probably one of the easiest drivers one can write.
This applies especially when:
I would like it to cost a little less than a wing from Boeing...

Depending on your needs (and I am basing this on the quoted statement above), you'll find that you can get a pretty nice hardware RNG in a rack mountable format and then just interface it over a variety of interfaces such as ethernet or USB.
A few years back I encountered a pretty affordable RNG in a PCIe format. Slots right in. Was pretty low-cost too (afaik somewhere between 1k and 3k USD).
 
Tell us what you need it for.
To increase cryptographic strength. I have several FreeBSD routers and they all contain corporate VPN network collectors. I would like to reduce the attack surface.
Both Knuth and Schneier mention that you can use two pseudo random number generators to produce pseudo random numbers that are entirely likely to be cryptographically secure -- you use one to shuffle the (otherwise predictable) output of another.
In principle, this is very nice, but a hardware generator, I believe, will always be two orders of magnitude more reliable.
 
Personally I would select the RNG matching your requirements and then write a driver if necessary. A device driver for an RNG is probably one of the easiest drivers one can write.
Is there any clear example?
(afaik somewhere between 1k and 3k USD).
I believe that your salaries there have either increased significantly, or Boeings have become much cheaper...
 
very nice, but a hardware generator, I believe, will always be two orders of magnitude more reliable.
Try to undergo a transformation from an individual that "believes" to one that knows. Maybe you have read

Now try to answer yourself the question, how will you measure the reliability of a RNG? You need to do that and you need to know the method, because you need to test it especially when you buy a solution.

You are talking about "magnitude more reliable". Try to put your "believed magnitude" in a number. You may learn rapidly on this matter.
 
A quick search came up with this: https://tectrolabs.com/ many of them said to be compatible with FreeBSD. Disclaimer: I know nothing about the company or their products.

Also Raspberry Pi contains an RNG, but I can't find any information as to how to use that with FreeBSD.
Code:
dev.bcmrng.0.stall_count: 10
dev.bcmrng.0.2xspeed: 0
dev.bcmrng.0.underrun: 0
dev.bcmrng.0.%parent: simplebus0
dev.bcmrng.0.%pnpinfo: name=rng@7e104000 compat=brcm,bcm2835-rng
dev.bcmrng.0.%location:
dev.bcmrng.0.%driver: bcmrng
dev.bcmrng.0.%desc: Broadcom BCM2835/BCM2838 RNG
dev.bcmrng.%parent:

I would be interested though.
 
I think you want to think beyond the RNG and look at crypto acceleration as a whole.

Netgate has a page with some info.

Also we have this for hardware. I have never heard it discussed.

Intel 8960/8970 Supported here:

It would be nice to have this updated.
 
I once used a very old web camera for this. It was a very bad camera - a lot of noise. Just capture a raw image, concatenate it with a timestamp (as high a resolution as possible), hash it, and use it as the key to encrypt something (/dev/zero or /dev/urandom output for instance), but not more than 4MB - then repeat.
If CPU is relatively good, there is /dev/hwrng as well.
 
Now try to answer yourself the question, how will you measure the reliability of a RNG? You need to do that and you need to know the method, because you need to test it especially when you buy a solution.
I am quite ready to answer your question, and not so much for myself as for you, since I know the answer for myself. I will evaluate the generator using a fairly reliable tool - the Khinchin-Kolmogorov theorem. (Aka the Wiener-Khinchin-Einstein-Kolmogorov theorem). The existing module for the Matlab system will also help me a lot.

You are talking about "magnitude more reliable". Try to put your "believed magnitude" in a number. You may learn rapidly on this matter.
In principle, it is possible to somehow derive a certain weighted correlation coefficient, but I will be quite satisfied with a visual inspection of the constructed correlation distribution.
 
a hardware generator, I believe, will always be two orders of magnitude more reliable.
I disagree, but do appreciate that some random number generator appliances have the potential to be very reliable (e.g. those based on atomic decay). But they tend to be proprietary, and their design weaknesses may not be obvious, or even discernible, to independent assessment.

I actually have no aversion to hardware random number generators, but I'd most certainly run the output of any RNG appliance through my own block cipher, just because I trust all hardware manufacturers about as much as I trust Cisco...
 
There are a couple of open hardware RNGs available.
I also saw a few, but if you don’t mind, please provide links to yours.

Another thing surprises me - all over the world, from the USA and Germany to Russia and China, various cryptotokens are being issued. As a rule, these are USB dongles, but there are also all sorts of strange animals. Theoretically, any of them contains a random number generator. Since they are all positioned as crypto solutions, the generators are probably more or less decent. Most of them have an open API for Linux.
Why doesn't anyone use them?

Moreover, I remember that there was a publication that drivers for a number of such devices were excluded from FreeBSD for some sins. Why were they treated so harshly?
 
I disagree, but do appreciate that some random number generator appliances have the potential to be very reliable
Any software generator produces not random, but pseudo-random numbers. And after a certain number of values it will inevitably begin to repeat itself. (Remember von Neumann's famous remark.)
If you start to include external entropy into it, from some external source, then it will be noticeably better, but then it is easier to bring this to its logical conclusion and start broadcasting this flow of this external entropy.
If you transmit the projection of a certain physical process, for example a diode in avalanche mode, then there will be no cycle, and the existing correlation will be determined solely by the physics of the process. I believe that my estimate of two orders of magnitude is not very far from the truth.
 
You are still trusting the hardware appliance, and, to my way of thinking, given what is known of the NSA and other, perhaps unknown, players, that is also a "sin".

Von Neumann is not the only luminary on the subject of random numbers.

I'd encourage you to read what Knuth (Algorithm M in "The Art of Computer Programming", Volume 2) and Schneier (in "Applied Cryptography") said about mitigating the deficiencies of pseudo random number generators for cryptographic use.

I'm not suggesting that your preference for genuine randomness is wrong. In fact, I agree with you.

I am suggesting that, handled sensibly, pseudo random number generators can be used in ways that make them suitable for many applications.

Of course, if you have life threatening secrets to protect, I would trust none of the above...
 
You are still trusting the hardware appliance, and, to my way of thinking, given what is known of the NSA and other, perhaps unknown, players, that is also a "sin".
Well, open solutions have already been mentioned here. Especially if they are made in China and sold on Aliexpress. In this case, the malicious NSA is unlikely to be able to do anything. Only reptilians from the planet Nibiru.

I'd encourage you to read what Knuth (Algorithm M in "The Art of Computer Programming", Volume 2) and Schneier (in "Applied Cryptography") said about mitigating the deficiencies of pseudo random number generators for cryptographic use.
I didn’t understand what phrase Schneier was talking about, but I looked at the second volume of Knuth. Nowhere does it say that this is a solution that allows you to get results approaching a hardware generator. It says that "This algorithm is a very pretty example of mathematical theory intimately interwoven with programming ingenuity - a fine illustration of the art of computer programming!" (p. 128). In general, Knuth really liked his beauty. Not a word about correlation stability.

Of course, if you have life threatening secrets to protect, I would trust none of the above...
I believe that my privacy is always my privacy. And if we give it up for the sake of convenience, then, in the end, we will receive neither convenience nor privacy. Therefore, it doesn’t matter at all what I will protect - secret correspondence with a resident of Martian intelligence or an invitation to a barbecue of an unmarried young lady from a neighboring cottage (which in an hour she will tell all her friends about).
And if I’m protecting corporate secrets, then I’m not supposed to discuss their significance or insignificance at all, but I’m just supposed to do my job very well.
 
RaspberryPis have a hardware RNG based on zener avalanche breakdown. I believe this is used on FreeBSD on raspberryPis -- not sure how -- probably as a source of entropy. FWIW, a long time ago I had tested RPi's h/w RNG against some FIPS-140.2 tests and it passed them.
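
One way to answer the earlier question of how to measure an RNG, using the FIPS 140-2 tests named in the post above. This is an added example, not code from any poster in the thread; the function names are made up for the illustration, and the thresholds are those of the FIPS 140-2 monobit, poker, runs and long-run tests on a 20,000-bit block.

```python
# Added example: FIPS 140-2 statistical tests on one 20,000-bit block.
import os
import sys
from itertools import groupby

# Allowed number of runs per run length (6 stands for "6 or longer");
# the same limits apply to runs of zeros and runs of ones.
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def to_bits(block):
    """Expand exactly 2500 bytes into 20,000 bits, most significant bit first."""
    if len(block) != 2500:
        raise ValueError("the tests are defined on exactly 2500 bytes")
    return [(byte >> shift) & 1 for byte in block for shift in range(7, -1, -1)]

def monobit(bits):
    """Pass if the number of ones is strictly between 9725 and 10275."""
    return 9725 < sum(bits) < 10275

def poker(bits):
    """Chi-square style statistic over the 5000 non-overlapping 4-bit groups."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17

def runs(bits):
    """Return (runs test passed, long-run test passed)."""
    tally = {(v, n): 0 for v in (0, 1) for n in RUN_LIMITS}
    longest = 0
    for value, group in groupby(bits):
        length = sum(1 for _ in group)
        longest = max(longest, length)
        tally[(value, min(length, 6))] += 1
    in_limits = all(lo <= tally[(v, n)] <= hi
                    for v in (0, 1) for n, (lo, hi) in RUN_LIMITS.items())
    return in_limits, longest < 26   # a run of 26 or more identical bits fails

def fips140_2(block):
    bits = to_bits(block)
    runs_ok, long_run_ok = runs(bits)
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs_ok, "long_run": long_run_ok}

if __name__ == "__main__":
    # Optional argument: a file of raw bytes captured from the device under test.
    data = open(sys.argv[1], "rb").read(2500) if len(sys.argv) > 1 else os.urandom(2500)
    print(fips140_2(data))
```

Feed it raw bytes captured from the device under test rather than /dev/random output, because the kernel's CSPRNG output passes these tests whatever the quality of the entropy behind it.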
 
Open HW RNGs:

and here is a "curated list" which has both open and others https://github.com/atoponce/awesome-hwrng
 
I am an IC design engineer who specializes in designing TRNG. Recently I made a TRNG with 30Mbps throughput rate and it can be connected to PC using a USB interface. It mainly uses the jitter noise of the ring oscillator as the entropy source. If you are interested, you can contact me
 
I am an IC design engineer who specializes in designing TRNG. [...]. It mainly uses the jitter noise of the ring oscillator as the entropy source.
Isn't the main "appeal" of an FRO based TRNG that it can be constructed without the need for "custom ICs"?
I'm not in the RNG business but my understanding as an EE is that FROs are commonly regarded as poor TRNG sources but interesting because of their ease of construction (no special or custom parts required).

Just to be clear: I don't mean to be complaining or "hating" - I assume that I have either a wrong or incomplete understanding of the subject - Hence I'm asking why an IC designer specialized in TRNGs would bother making a FRO based TRNG.
 
Isn't the main "appeal" of an FRO based TRNG that it can be constructed without the need for "custom ICs"?
I'm not in the RNG business but my understanding as an EE is that FROs are commonly regarded as poor TRNG sources but interesting because of their ease of construction (no special or custom parts required).

Just to be clear: I don't mean to be complaining or "hating" - I assume that I have either a wrong or incomplete understanding of the subject - Hence I'm asking why an IC designer specialized in TRNGs would bother making a FRO based TRNG.
Thanks for your comment. And I will explain about that.
The TRNG chip here utilizes a multitude of ring oscillators for sampling, with their outputs XORed to generate true random numbers. While each ring oscillator is full of jitter noise, resulting in a certain level of entropy, it's not at full entropy individually. However, after XORing, the entropy reaches full capacity, yielding high-quality randomness.

I can provide NIST800-22 and NIST800-90B test results to support this claim. And the test data can be found here https://pan.baidu.com/s/179hEzOuMhiiXVKdGkkTYhO92Z1NiZnbwZNlU==?linksource=zhihu&_at_=1709523997020 and https://pan.baidu.com/link/zhihu/79hWzOuMhTiXL1E2o3ZMZmVmZ5cMZXdQU1AD==

This TRNG chip is widely employed in various server data encryption devices. To achieve a more secure and highly integrated TRNG, custom ICs are still prevalent. In the chip layout implementation, various protective measures are incorporated to enhance security. Moreover, these custom ICs integrate the post-processing modules to strengthen the output randomness.

The assertion regarding RO-based TRNG being bad might stem from studies such as the one addressing frequency injection attacks on RO-based TRNGs (https://www.iacr.org/archive/ches2009/57470316/57470316.pdf). However, these attacks typically affect only a limited number of ring oscillators. Given the extensive number of ring oscillators inside commercially utilized TRNG chips, each operating at varying frequencies, it's practically infeasible to compromise the randomness by locking all oscillators through frequency injection attacks. Furthermore, if the TRNG chip is used in a secure environment, such threats become virtually nonexistent.

My latest research has resulted in the development of a TRNG based on current-starved ring oscillators (CSRO) utilizing XOR operations. These CSROs are constructed using current-starved inverters, providing several times the jitter noise of conventional ring oscillators. Consequently, fewer CSRO samples are required for generating high-quality random numbers. Additionally, the power consumption of this TRNG has reached the lowest levels reported in academia. This work will be presented at IEEE CICC.
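
The XOR combining described in the post above can be quantified with the piling-up lemma, and the same arithmetic shows why the frequency-locking case it mentions matters to anyone evaluating such a device. This is an added example, not the poster's design or data; the per-oscillator bias of 0.1 and the count of 8 oscillators are assumed values chosen for illustration.

```python
# Added example: bias of XOR-combined oscillator samples, independent vs. locked.
import math
import random

def xor_bias(biases):
    """Piling-up lemma. Inputs are independent bits with P(0) = 1/2 + e_i;
    returns e such that P(XOR of all bits = 0) = 1/2 + e."""
    return 2 ** (len(biases) - 1) * math.prod(biases)

def min_entropy(bias):
    """Min-entropy per output bit when the likelier value has P = 1/2 + |bias|."""
    return -math.log2(0.5 + abs(bias))

def simulate(n_osc, p_zero, samples, locked, seed=1):
    """Fraction of 0 outputs when n_osc sampled oscillators are XORed.
    locked=False: every oscillator is sampled independently.
    locked=True: all oscillators follow one common signal (full correlation)."""
    rng = random.Random(seed)          # fixed seed: constructed, repeatable input
    zeros = 0
    for _ in range(samples):
        if locked:
            bits = [rng.random() >= p_zero] * n_osc
        else:
            bits = [rng.random() >= p_zero for _ in range(n_osc)]
        out = 0
        for b in bits:
            out ^= b
        zeros += (out == 0)
    return zeros / samples

if __name__ == "__main__":
    single = 0.1                        # assumed: each oscillator gives P(0) = 0.6
    combined = xor_bias([single] * 8)
    print("one oscillator : %.3f bits/bit" % min_entropy(single))
    print("XOR of 8       : bias %.2e, %.6f bits/bit" % (combined, min_entropy(combined)))
    print("independent sim:", simulate(8, 0.6, 50000, locked=False))
    print("locked sim     :", simulate(8, 0.6, 50000, locked=True))
```

The lemma only holds for independent inputs: with an even number of fully locked oscillators the XOR output is constant, which is why the independence of the oscillators is the property to verify when assessing a design of this kind.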
 
Recently I made a TRNG with 30Mbps throughput rate and it can be connected to PC using a USB interface. It mainly uses the jitter noise of the ring oscillator as the entropy source.
Does it work on FreeBSD? If not, why are you posting here?
 