An Open Hardware & Open Source
Verifiable Random Number Generator
Jim Cheetham & Paul Campbell
It is a small USB-connected device
It speeds up & increases your computer's ability
to provide you with high-quality random numbers
The cake is a lie …
By default, OneRNG measures unpredictable physical events
from an avalanche diode circuit
and returns the results — but this is a bit too raw to be used directly
This raw data is then whitened through a CRC16 function which makes it good enough to be fed into your system
There is an AES hardware module available, but it is not used by the default firmware
There's a 7.5KB pool of data that is kept full
New data is mixed in over the old data all the time
A LED on the board tells you when the pool is full
and warns you when it is getting empty
/dev/urandom
The results are fed into /dev/random
as an additional
entropy source for the system, and you should read them from there
If you RTFM, you'll read from /dev/urandom
all of the time
on Linux, but not necessarily on other OSs
You can also enable the RF monitor to get another source of entropy data with a higher quality — but at the cost of a little paranoia
Cryptography has a huge appetite for random data
And your online Privacy and Security depends on Crypto
The more you encrypt, the more entropy you need to consume
altcoin also requires high quality random data - coins have been stolen because of weak RNGs
Astronomy Miniconf reminds us that "SCIENCE!" uses large-scale numerical simulations (Monte Carlo, Markov Chain, etc), and while they can use PRNG, they need to be careful about periodicity/repeats
I know nothing about the "Gaming" industry, but they need it, surely?
Don't ever use the default <INSERT_LANGUAGE_HERE> random() function!
Don't use PID, or μsecs since epoch, or wall time
Don't do your own crypto, don't do your own RNG
By default, use /dev/urandom
Even if your PRNG is a CSPRNG, you'll feel the need for seed
Get your seed values from a True RNG
Only generate your long-lived private keys when there is sufficient entropy
Never mind the quantity, feel the quality
… unless you needed quantity, that is …
If your True RNG returned sufficient data, why use PRNGs at all?
(because you must mix multiple entropy sources together)
Even if they aren't out to get you, they'll get you.
When risks are “addressed” they are usually pushed either up or down the stack
They end up requiring trust in End-User Behaviour (unpatchable) or in the Hardware
Being an Open Hardware and Open Source solution is a start
But the OneRNG is also designed to be verifiable
You should not trust this device — you do not need to trust this device
You should VERIFY that what you physically hold is what you need to have
Scripts on your server should do steps 2,3 & 4 on startup
"More Entropy" means that /dev/random is less likely to block
"Early Entropy" means that /dev/urandom will be well-seeded before key generation
Real independent crypto users have another affordable high-quality source
We provide some software for you to use to make OneRNG an input to /dev/random
via rngd
This is architecture independent - python & shell scripts
… and we don't get involved in your choice of init daemon …
UDEV detects the device (using an ID assigned from OpenMoko's range)
On insertion we validate the firmware, then start rngd
On removal we remember to stop rngd for you!
Increasingly, UDEV implementations make life more complex
No-one seems to bother with UDEV removal scripts
so the mechanism is probably not very well tested
USB CDC drivers are the generic USB serial interface
Sadly ModemManager stomps on every one unless you remember to disable it in UDEV
OneRNG doesn't support Hayes AT commands …
UDEV: ENV{ID_MM_DEVICE_IGNORE}="1"
Wireshark will capture USB traffic if you need it - modprobe usbmon
first
The NSA-designed SHA-1 was not fully "trusted"
The blocking behaviour is a defence against this untrusted DRBG
Ted T'so, 2015 “… the paranoiacs were *right* that the NSA had introduced a back-door into a crypto algorithm which they gifted to the civilian world. It just turned out to be DUAL-EC instead of SHA-1.”
Just use /dev/urandom
:-)
These are fundamentally the same :-)
They will behave identically with sufficient entropy
Use /dev/urandom
Use /dev/urandom
Use /dev/urandom
If you already know better, you don't need me to tell you what to do
Even though you should use /dev/urandom
OneRNG helps to avoid the need to block
Therefore systems that use /dev/random run faster?
(Catalyst are simlating workloads to quantify this assertion)
A small quantity of good entropy is enough to improve everything
But the more sources of entropy you have, the better off you are
As well as OneRNG, please add other sources
To get volume production set up, we used Kickstarter with an NZD$10,000 target over 45 days
This is still running - we started just after Kiwicon8, on 15 Dec 2014, and will finish a couple of weeks after LCA2015, on 29 Jan 2015
https://www.kickstarter.com/projects/moonbaseotago/onerng-an-open-source-entropy-generator
Rewards:
(As of Tue 13 Jan 2015)
50% funded after 2 days
100% funded after 6 days
200% funded after 18 days
Least Squares currently predicts ~400% funding at close :-)
Thu Jan 15 2015: 252 backers, NZD$27,034 raised, 13 days to go
Presentation resources :-
Software - reveal.js, hosted on Github
Icons used are from The Noun Project, http://creativecommons.org/licenses/by/3.0/us/ licensed
Arrow and Bent Arrow by Thomas Le Bas, Dice by Weston Terrill, Toothbrush, Radio by Joe Harrison, Avalanche by Louis Dawson, Swimming Pool by Sitara Shah, Clock by Nick Green, Guy Fawkes by Christopher T. Howlett, Pac-Man by Luigi Di Capua, Surveillance by Luis Prado, Audit by Miroslav Koša, Skydiving by Jual Pablo Bravo, CPU by iconsmind.com, Certificate by Alex Auda Samora, Incognito by Alen Krummenacher, Layers by Cornelius Danger, Search by Melvin Salas, Infographic by Rob Gill, Seed Packet by Anton Gajdosik (Public Domain)