Generating Random Numbers
Random numbers are important, but unfortunately, generating good random numbers turns out to be incredibly hard. The only real sources of truly random numbers are physical ones, such as radioactive decay, the motion of fluids, atmospheric noise, or other chaos, rather than the traditional computational sources, which generally produce their numbers through mathematical processes. For more powerful computers this works; for embedded devices, however, things are a lot harder.
“…the big problems from RNG’s in, say, embedded and Internet of Things devices is reliability, and the closed nature of the designs put into chips by manufacturers. Large systems — like servers and PCs — have gotten by using lots of tiny noise sources pulled together by the kernel into a random stream (usually composed of entropy ‘freshening’ from an entropy pool, feeding in as the seed for a much faster PRNG). Entropy pools relying on noise are quite famously slow to give random bits, and slow to ‘get going’ — if it takes longer than 100ms, for example, it’s not good enough for automotive use.” — Mark Carney, Security Researcher
For instance, the random numbers on the Arduino aren’t random. They’re generated using a deterministic algorithm, so when your device is reset, it will generate precisely the same random numbers, in the same sequence, the next time it’s turned on. While it is possible to generate random numbers on something like the Arduino, it takes some effort and a source of random chaos such as thermal noise, which is why the Infinite Noise TRNG, coming soon on Crowd Supply, could well prove rather useful.
The Infinite Noise TRNG is a true random number generator (TRNG) based on a modular entropy multiplier technique that continuously loops over previous random output, gathering randomness from the noise of the hardware components, to generate the next random output.
It can generate random data at a rate of 300,000 bits per second, with an entropy of ~0.82, and the whole project is meticulously documented on GitHub.
“This project actually goes some way to fixing the issues for embedded hardware — it’s all open source, and uses COTS components that are also relatively cheap. The oscillator design and feedback design is what’s key, and those parts are relatively inexpensive for the randomness that they’re offering, and at the speed. This is something that could well already be implemented in some ICs — but having an ‘open standard’ that we can scrutinise is what I think the big push forward is here.” — Mark Carney, Security Researcher
Based on a design originally developed by Peter Allan in the late nineties, and refined by Bill Cox, the current Crowd Supply project is being built by Manuel Domke of 13-37.org.
“They’ve carefully considered their attack scenarios, too — how an attacker could feasibly attack a TRNG through, say, EM interference or physical attacks on the actual device — and have built in some nice safeguards in the drivers to keep checks going on the TRNG’s health …this is a design that could easily be adopted into IoT devices with some requirement for security.” — Mark Carney, Security Researcher
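The loop described above, and the kind of driver health check the quote mentions, can be modelled in software. This is an added example, not the project's driver code: the update rule, the gain `K` (chosen so that log2(K) matches the ~0.82 figure quoted above), the noise level, the 10-bit history and the ±0.08 tolerance are all assumptions, and a seeded PRNG stands in for hardware noise so the run is reproducible.

```python
import math
import random

DESIGN_ENTROPY = 0.82        # entropy per output bit, the figure quoted above
K = 2 ** DESIGN_ENTROPY      # assumed loop gain, so that log2(K) == 0.82

def simulate_loop(n_bits, noise_sigma=1e-3, seed=1):
    """Assumed model: multiply the held value by K, subtract (K - 1) when the
    comparator fires so it stays in [0, 1], then add a little noise."""
    noise = random.Random(seed)          # stand-in for thermal noise
    v, bits = 0.3, []
    for _ in range(n_bits):
        bit = 1 if v >= 0.5 else 0       # comparator output is the raw bit
        v = K * v - (K - 1) * bit
        v = min(max(v + noise.gauss(0.0, noise_sigma), 0.0), 1.0)
        bits.append(bit)
    return bits

def entropy_per_bit(bits, order=10):
    """Conditional entropy of each bit given the previous `order` bits."""
    counts, ctx, mask = {}, 0, (1 << order) - 1
    for i, b in enumerate(bits):
        if i >= order:                   # only count once the history is full
            counts.setdefault(ctx, [0, 0])[b] += 1
        ctx = ((ctx << 1) | b) & mask
    total = sum(c0 + c1 for c0, c1 in counts.values())
    h = 0.0
    for c0, c1 in counts.values():
        for c in (c0, c1):
            if c:
                h -= c / total * math.log2(c / (c0 + c1))
    return h

def healthy(bits, tolerance=0.08):
    """Reject streams whose measured entropy is far from the design value in
    either direction: too low (stuck, patterned) or too high (not this loop)."""
    return abs(entropy_per_bit(bits) - DESIGN_ENTROPY) <= tolerance

if __name__ == "__main__":
    prng = random.Random(7)
    samples = {                          # constructed test streams
        "modelled loop": simulate_loop(200_000),
        "stuck at zero": [0] * 5000,
        "software PRNG": [prng.getrandbits(1) for _ in range(200_000)],
    }
    for name, bits in samples.items():
        print(f"{name}: {entropy_per_bit(bits):.3f} bits/bit, healthy={healthy(bits)}")
```

A stuck output and a plain software PRNG both fail the check: the first measures 0 bits of entropy per bit and the second close to 1, which is more than the modelled loop can produce.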
The Crowd Supply project hasn’t yet gone live, but you can sign up to be notified when it does. The Infinite Noise TRNG will cost €25 (about $30) plus shipping. However, if you don’t want to wait, you can build one for yourself: order boards from OSH Park for only $3.25, then buy your parts as described in the BOM. All the software is open source and available on GitHub.
UPDATE: The campaign is now live on Crowd Supply!