
OneRNG – Open Hardware Random Number Generator - kim_rutherford
http://onerng.info/
======
Taniwha
Note: I'm Paul the designer

Some background - this board is in late beta testing, we're going to kickstart
it and release it (with papers scheduled at a couple of conferences) - it's
hitting Hacker News a little early - but keep us in mind when we do finally
release to the public - at the moment we haven't published the design - we'll
be putting up both the firmware an hardware designs on GitHub when we think
it's ready for the public (almost there)

If you want some idea of the code and development system it's largely based on
the dev system for out IoT project:

[http://www.moonbaseotago.com/cheaprf/](http://www.moonbaseotago.com/cheaprf/)

Meanwhile I'm happy to answer questions

~~~
dspillett
_> we're going to kickstart it and release it_

Do you have any timescales for that yet, or are such decisions still heavily
dependant on feedback from testing?

~~~
Taniwha
testing is good, no known roadblocks, we planning on a Decemberish time frame,
we think we have a final firmware load at this point.

We have a small pick-and-place machine/etc setup we'll do a small in-house run
for those who want to pay a premium for early delivery and then possibly a
slower run depending on demand.

~~~
PhantomGremlin
> We have a small pick-and-place machine/etc setup

I've been in at the ground floor of a number of successful hardware startups.
One of which had a number of pick and place machines, IR reflow ovens, and all
sorts of related manufacturing equipment. So I'm quite familiar with the
field.

My very simple, very emphatic advice about a "pick-and-place" machine is: NO
NO NO NO NO, a thousand times N0!!!

Maybe it's something you have to do in NZ. But in some other parts of the
world, if I blindfolded you and let you stumble around you would probably trip
over a pick-and-place machine in about 5 minutes! They're everywhere.

In other words, unless your primary purpose is to bootstrap yourself into
being a contract manufacturer, you have absolutely no business owning your own
pick-and-place machine.

A design as simple as yours could be manufactured by almost _anyone_ in the
world. It's so simple that most of them could do it in their sleep.

Just contract the manufacturing out and be done with it.

Your quixotic effort at stuffing your own boards reminds me of the perhaps
apocryphal story of, in the 1970's, WDC designing a chipset that was used in
the DEC LSI-11 minicomputer.[1] They had a fab, and in one week they could
make enough chips for DEC to sell minicomputers for a year. "Okay, the LSI-11
chips are done. Now WTF do we do with this fab for the other 51 weeks of the
year???"

Yeah, in the old days IC fabs were cheap enough that everyone and his brother
owned one. And they had large fixed costs. And unless they were utilized
around the clock they lost money.

To a large extent stuff like pick-and-place machines are the same. Sure it's
orders of magnitude cheaper. But still, maybe it takes you a week or two to
build some of your boards. What do you do with your equipment for the other 50
weeks of the year? Is that the business you want to be in?

Of course, if that _is_ the business you want to be in, then OK.

[1]
[http://en.wikipedia.org/wiki/Western_Digital#1970s](http://en.wikipedia.org/wiki/Western_Digital#1970s)

~~~
Taniwha
It really depends on the demand, I do plan on doing a small run myself - as I
said as a kickstarter premium - that lets me test out the manufacturing
support hardware (board test and programming jigs) and provide boards really
quickly -if the volumes are high enough then yes, we're off to Shenzhen (I was
there in May, I'll be back in December)

We have a CHEAP (~$8k) P&P machine, it's great for doing prototypes (you load
it with the 10 most common components and hand place the rest) and VERY small
production runs (10-20 panelised boards is probably a limit)

------
tribaal
Well, I'm happy to see that for once, they understand that the single most
important thing is that it's _verifiable_.

So many crypto-related systems ask you to trust the provider implicitly it's
not even funny.

I don't care who you are, if I can't look at the source (all the way down) of
your product and build it myself, it's not going to make the cut as a "secure"
system. You can provide _additional_ guarantees and proofs, but showing me the
source is item number 0.

Sure, it's not perfect, but it's much closer to perfect than any alternatives.

~~~
gioele
> You can provide additional guarantees and proofs, but showing me the source
> is item number 0.

And item number 0.5 is allowing me to build the source and upload it to a
pristine EEPROM chip.

~~~
Taniwha
as part of our kickstarter we'll be offering programmers as an added reward -
you can build the image from source and program your device - and we hope you
do and share the results with the world

You can't program it over the USB (although we could) we consider that that
would be a security problem - and given recent security issues with
programmable USB devices ....

~~~
notthetup
One of the kickstarter rewards could be the ICSP programmer HW (i'm guessing
that's what you're using) so who ever wants to program it could do it.

~~~
Taniwha
we use a home-grown programmer - it's cheap but the bed-of-nails cable costs
as much as the board - we wont be making any money on them

------
malgorithms
A question for the designers (Paul?) about verifiability. In the software
world you can effectively choose from 2 levels of review. You can (1) review
the source code of a project and convince yourself it's fine. Or (2) you can
assume/hope that experts have done that, download the software, and just
verify you have an identical copy of what everyone else is reviewing. (Ideally
using signatures of the authors and reviewers.)

Almost everyone who cares does step 2, assuming they do anything at all. Very
few people are qualified or bother to review source code, but everyone who
performs step 2 can feel pretty safe, as long as a release is big enough that
it's getting reviewed by experts.

So, what's the hardware equivalent? If I'm not capable of reviewing the schema
of this hardware, but someone I trust says "this is great", how do I at least
know the one I bought is identical to the one she/he bought (or built) and
reviewed? How do I verify the components? This seems like a difficult problem.

~~~
robzyb
You run your "verified" software on hardware, right? How do you know the
hardware is verified?

~~~
Taniwha
we publish the hardware design - in reality we have to run it on someone's
chip, we've picked one that includes among other things AES, we just don't use
that stuff, at some point we have to trust the CPU, and we use a CRC32 engine
for minor whitening and stirring of our internal entropy pool - but crc32 is
easy to verify (while AES is not)

more importantly we've chosen a platform that we think is unlikely to have
already subverted by 3 letter agencies

------
notthetup
If the avalanche diode is the main/primary source of entropy why do we need
the CC2531? The super paranoid part of me is worried about the 802.15.4 radio
being used as a vector to taint the RNG.

Shouldn't an HW RNG NOT have any secondary communication method built in?

I am guessing you guys added that because that's the platform you're working
with for your IOT project, but it just seems a little overkill to me. The
diode data acquisition and the USB comms could be easily done using any
Cortex-M0 type micro.

~~~
Taniwha
I think that's a fair point, I agonized over it for quite a while - the cc2531
was the USB device/ and stack I was building with at the time.

This is the main reason why by default the device disables the RF source, you
have to go out of your way to enable it by editing an /etc .conf file -
however it actually does make a slightly better random stream

~~~
WaywardGeek
Is it possible for this device to transmit over radio, or only receive? I
certainly prefer only being able to receive, as transmitting seems like an
attack vector.

With the assumption that it only receives, I would strongly prefer that it be
left on by default. Adding a second source to the CRC mixing can only improve
entropy, even if the source is controlled by an attacker. Since the noise from
the zener has no simple proof of it's entropy output rate, and it can vary
over time, and because zener noise TRNGs have been known to be power-supply
noise sensitive (not that your's is), having that second source gives me much
more confidence in the device.

~~~
Taniwha
It could transmit, there is no transmit code in the firmware, in fact there's
no real receive code, we turn on the receiver and sample the LSB of RF noise
in the sampling DACs but don't enable any demodulation or framing.

Turning both RNGs on only gets you a about half a bit/byte of extra entropy -
but it is a great belt and braces sort of thing, makes it much harder to
attack, especially since the sampling clock inside the device for both sources
is not visible eternally

Remember we don't use the output data directly, we mix it into the kernel's
entropy pool (where it's whitened)

------
gear54rus
This seems sound. However, I'm in doubt about some of their points:

> _You can ask it to dump the current firmware to you_

It can dump the firmware but it can still execute something else than this (or
in addition to) this firmware, can't it?

> _You can see all the components on the board_

The fact that I can see these tiny thingies doesn't do much good either? Can
I, seeing them, tell what they do? No.

Building one of these yourself seems to solve both problems. Not trying to
undermine it or anything, just curious what others think of it.

~~~
tribaal
The point is - you can verify it _yourself_. Without trusting anybody else.

Dumping the firmware means you can ensure it's not been modified (presumably
from when you uploaded it to the device yourself).

Being able to inspect components means you can ensure it's still exactly as
you built it. And if you haven't, you can visually check that it does what it
says it does.

If you're not technically competent to make this verification, you can ask
somebody you trust and who is to do it for you.

~~~
gcommer
None of the images show the other side of the board, but unless every trace is
visible, it will be difficult to non-destructively inspect. If its only a 2
layer board then this just means scratching off the white silkscreen, which
wouldn't be too bad. If its more than 2 layers, you would have to have access
to an X-ray machine.

~~~
Taniwha
it's a two layer board - no buried wires or vias - by design there are very
few wires on the bottom layer, none under the noise source (we want to contain
the noise) - you can see all the wires without removing the solder mask just
by holding it in the right light

we'll be publishing the layout files of course

------
zaroth
A good CS-PRNG can take a modest amount of entropy and store it in a way
(internal state) that you trust it can't be recovered by the attacker. From
this they can generate a nearly endless supply of random output. That, as I
understand it, is /dev/random vs. /dev/urandom/.

So it's nice to have a good reliable source of _entropy_ , but you can also
consider how protected is the internal state, aka the place you stick that
entropy? The better protected the CS-PRNG state, the less entropy you actually
need.

If you trust the CS-PRNG state, then hardware entropy sources won't matter
much to you, because you just don't need that much entropy. When you start
streaming entropy from many sources, it's probably to consistently update
internal state over time because you don't fully trust that the state is
secure.

It should make no difference either way in the quality of the output (directly
pulling entropy versus CS-PRNG output). Because the necessary amount of output
to reverse-engineer state is almost infinite, the output of a properly
implemented CS-PRNG is highly trusted. And they're really nice algorithms that
have well reviewed implementations.

~~~
raverbashing
Yeah, but you have a reliable source of entropy you don't need to get a lot of
random numbers from your CSPRNG before reseeding.

------
bensn
Suggestion for modification: Call it OpenRNG instead of OneRNG. In every
second sentence i read the word open. Its obviously a main purpose.

~~~
Taniwha
it's a sad pun, we're from NZ ....

~~~
hughes
Still took me a minute - OneRNG -> "One Ring" LOTR reference

------
PhantomGremlin
If this gadget sells for under $50 (which it certainly should) I might
consider buying one, just for the fun of it.

But I haven't seen anyone here mention ID Quantique, one of the companies that
the "big boys" use for random numbers. They're in Switzerland:
[http://idquantique.com/](http://idquantique.com/)

Admittedly not open hardware, but FWIW they claim:

    
    
       QUANTIS has been evaluated and certified by the
       Swiss Federal Office of Metrology (also known as
       METAS), the Swiss national organization in charge
       of measurement science, testing and compliance.
       It confirmed that the quality of its random output
       complies with the highest requirements.
    

The minor detail about buying from ID Quantique is that their cheapest USB
product sells for about 990 euros, or about $1250.[1]

I know it's apples and oranges, but anyone interested in this product should
at least be aware of some alternatives.

[1]
[http://idquantique.com/component/content/article.html?id=83](http://idquantique.com/component/content/article.html?id=83)

------
edwintorok
How does it compare to the NeuG? Which entropy source is better?
[http://www.gniibe.org/memo/development/gnuk/rng/neug.html](http://www.gniibe.org/memo/development/gnuk/rng/neug.html)

~~~
WaywardGeek
Note: I've only glanced at NeuG, so this is an over-simplified repy. Neug
relies on a few different A/D inputs as a noise source. The resolution of the
A/Ds is only 12 bits, meaning it is not capable of reliably measuring thermal
noise in the system. In any case, it does not seem to be trying to measure
voltage on a high impedance node. Therefore the data passed will be power
supply noise and other sources of external influence. These potentially can be
influenced by an attacker, maybe even remotely. I do like this architecture
for a TRNG, and I like that it is open, but I do not believe the creator of
NeuG has put nearly the TRNG know-how into this design as OneRNG. Personally,
I'm looking forward to signing up on the Kickstarter for OneRNG when it
happens.

------
robomartin
Back about 25 years ago I wanted to build a PC card to generate better random
numbers. The idea I had at the time was to build in a set of four or five
FM/AM radio receivers into this card and have them hop ratio stations
constantly at, well, random intervals. Then I'd use the digitized audio
signals in some combination to feed a random number generator. I thought it
was a good idea at the time. Well, I didn't have enough experience yet to know
just how much I didn't know. Never built it.

------
gioele
> It even has a “tinfoil hat” to prevent RF interference

Isn't this a problem in the US, being against the famous part 15 of the FCC
rules:

«Operation is subject to the following two conditions: (1) this device may not
cause harmful interference, and (2) this device must accept any interference
received, including interference that may cause undesired operation.»

~~~
nightcracker
I'm fairly sure that the "accept" does not refer to "absorb without any
countermeasures". It's a bit poorly worded.

I think it refers to the fact that if your device fails due to interference
below the legal limit it is your problem to fix, not the device that generated
the interference.

~~~
dfox
I always assumed that it refers to the fact that interference under certain
limit should not permanently destroy the device even when such interference
may cause the device to behave erratically.

------
Animats
That's awfully complicated for a hardware RNG. A channel-hopping receiver? The
classic solution is a radiation source, which quantum mechanics says is
random.

[http://www.fourmilab.ch/hotbits/hardware3.html](http://www.fourmilab.ch/hotbits/hardware3.html)

~~~
WaywardGeek
The channel hoping is just a bit of software. It costs $0.00 in additional
hardware. Software complexity is a big deal in a TRNG. The KISS rule applies
big-time here. The more complex the software, the more likely it is a
significant flaw will be found and exploited. It remains unclear to me whether
there should even be a microcontroller on a USB TRNG. Without one, we can
eliminate the complexity from the USB key itself, but we have to move the
whitening and health monitoring to the driver. It is unclear to me if making
the driver more complex opens it up to enough additional attacks that the
system is less secure overall.

------
malandrew
On a related note, is there any device out there that lets you create a
private key and "burn" it to that device in a way that the key cannot be taken
off the device and you instead use the device the same way you use
SSH_AUTH_SOCK?

Ultimately, it would be nice to have a way where private keys can not be
copied.

------
deutronium
I'm curious why they chose to use an avalanche diode which doesn't generate
quantum-random numbers, unlike a reverse-biased transistor.

As far as I'm aware, this means you could effect the numbers, by varying
temperature.

~~~
raverbashing
I doesn't matter.

And being in a semiconductor it is a quantum process (in fact most sources of
noise in circuits are quantum in origin - not that it matters)

~~~
deutronium
That's untrue, just because it's a semiconductor, doesn't mean it can't
generate data effected by non-quantum properties such as temperature.

~~~
raverbashing
"it can't generate data effected by non-quantum properties such as
temperature"

And do you think quantum effects are not affected by temperature? REALLY?!

Start here
[http://ecee.colorado.edu/~bart/book/distrib.htm](http://ecee.colorado.edu/~bart/book/distrib.htm)

------
lifeformed
Total layman question here, but how does an avalanche diode work?

------
imaginenore
Or you could just use a shitty cheap webcam and take the lower bits of each
pixel (or one pixel of each 8x8 block if the compression is bad).

The amount of randomness per second webcams generate is pretty insane, it's
more than enough to feed the seed of a crypto PRNG function like Fortuna.

~~~
WaywardGeek
There are plenty of decent sources of entropy, like webcams and sound cards.
However, they all add parts we don't need, and they don't take any care to
design with security in mind. Eventually, a good open hardware TRNG should be
cheaper, more reliable, easier to use, and more secure than any of those
solutions, IMO.

~~~
imaginenore
> _they all add parts we don 't need_

What are you worried about exactly? Space? There are really really tiny
cameras for smartphones that are mass-produced, and they are very noisy, which
is perfect.

