
Security recommendations for any device that depends on random numbers (2013) - lisper
https://www.av8n.com/computer/htm/secure-random.htm
======
Snawoot
If you are interested in subject of high quality random sources, you may find
this useful: there exists a project named League of Entropy [1] dedicated to
reliable generation of public randomness based on group of servers with high-
quality random sources (like lava lamps or seismic activity).

These distributed randomness beacon servers can also provide private random
data. There exists a project with daemon [2] which collects entropy from
distinct sources and produces secure output, which can be used to reseed Linux
/dev/random and /dev/urandom. It may be useful for devices without reliable HW
RNG.

[1] -
[https://www.cloudflare.com/leagueofentropy/](https://www.cloudflare.com/leagueofentropy/)

[2] - [https://github.com/Snawoot/drb-client](https://github.com/Snawoot/drb-
client)

------
anonsivalley652
Btw, are there any hardware TRNGs like EntropyKey that have a keyed-encrypted
channel (either PCIe or USB)? I was looking at Quantis, ComScire CryptoStrong,
TrueRNG v3, TrueRNGPro, OneRNG, and the Linux hw_random source tree and
haven't found anything similar. [0] EK was such an interesting product.

0\.
[https://github.com/torvalds/linux/tree/master/drivers/char/h...](https://github.com/torvalds/linux/tree/master/drivers/char/hw_random)

~~~
lisper
This:

[https://sc4.us/hsm/index.html](https://sc4.us/hsm/index.html)

is not exactly what you're looking for out of the box, but it's open-source
and it includes a HWRNG, so you could make it do what you want with some
custom firmware. I would be happy to discuss a custom development for you if
you don't want to do it yourself.

Disclosure: the SC4-HSM is my product.

~~~
ThePowerOfFuet
I'm not seeing a secure element in there (nor in the uC)... is there one? If
not, why not?

~~~
lisper
There is no secure element but there is a hwrng built in to the SoC.

~~~
duskwuff
So it isn't an HSM.

Calling a device an HSM comes with an expectation that it will resist
tampering or intensive analysis. A standard microcontroller on an exposed PCB
cannot fulfill that expectation.

~~~
lisper
It is an HSM notwithstanding that it does not contain a separate component
marketed as a secure element. The SoC is not a "standard microcontroller"
(well, it is, but not in the sense that you mean it here). The STM32F405RG has
security features built in designed to secure proprietary firmware against
industrial espionage. The same hardware features can be used to secure keys.
I'd be happy to provide you with additional details, but I'd suggest starting
by reading the documentation of the SC4-HSM and the the SoC.

~~~
duskwuff
I'm quite familiar with the characteristics of the STM32.

The STM32F405 is a standard microcontroller. Its security features are
generally comparable to those which are present on other STM32
microcontrollers, as well as most microcontrollers in general. The PCROP
(proprietary code readout protection) features which you appear to be
referencing here don't help, as your application code is already open-source,
and the key data that you're trying to protect must be readable to be used.
Moreover, PCROP functionality is absent on the STM32F405.

STM32 readout protection is not particularly robust. There are a number of
known attacks which can be used to bypass it on certain families without
decapping the chip. I'm not sure if there are any attacks currently known
against the F4 series, but I wouldn't doubt that they exist.

Most STM32 parts actually have a tamper detection feature which can be used to
clear the contents of a battery-backed RAM when triggered. This sort of
configuration still doesn't make a HSM, but it would be a step in the right
direction.

~~~
lisper
Now this has degenerated into a quibble about semantics, and the difference
between "it's not an HSM" and "it is an HSM, but it might have a vulnerability
due to an unpublished zero-day against the hardware." Unpublished attacks
against your silicon are _always_ a concern, even (perhaps especially) if your
silicon is marketed as a "secure element".

The SC4-HSM costs $75. It is intended to compete against the likes of the
Trezor, the Ledger, and the Yubikey, not the SafeNet Luna. Its primary threat
model is a compromised host, not loss of physical possession. Is it the most
secure HSM you can buy? No. Is it the best choice for use in a data center?
No. Is it secure against loss of physical possession to a state actor?
Probably not (though you can always choose to encrypt the keys, which has a
pretty good shot of holding up even against state actors). Is it fair to say
flat-out, "It's not an HSM" implying that it provides no security at all? No.

