Hacker News new | past | comments | ask | show | jobs | submit login
RTL-entropy: Uses RTL-SDR to turn a DVB-T dongle into an entropy source (github.com)
120 points by liotier on Mar 28, 2018 | hide | past | favorite | 58 comments



I think what's so attractive about the RTL-SDR devices is that they're so cheap and have such a huge variety of applications.

With a $10 dongle, you can go from tracking airplanes, to reading your wireless electric meter, to listening to local amateur radio, and then to an additional entropy source.

I double I'll ever get tired of playing with this little radio.


one of the dangers of the RTL entropy source project is not that it is predictable, but that it can be made to become predictable. By determining the frequency the device is listening on, you could inject a signal over the air that causes the entropy to conform to a known pattern. Even Lavarand users blend their entropy sources.

Ive used the RTL as a blended entropy source for my kubernetes pi cluster project, but blended it with signal data from the open source FST-01 from the flying stone project. this in turn gets randomly audited by dieharder. http://webhome.phy.duke.edu/~rgb/General/dieharder.php

My RTL entropy generator changes frequencies every 6 hours to a frequency determined by a script referencing /dev/urandom.


From the readme:

> If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 75 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio.


And thermal noise is - almost by definition - the best source of white noise you can get in this world...


One solution there is to pick a frequency(cell/military bands) where the FCC really comes down on transmissions that aren't authorized.

Or you could randomize it, the RTL has a pretty wide receive range.


It's still always possible to just generate any radio signal close to the SDR at a low enough power that no one else can pick it up. Also, it would require special SDR transmitters, but you could in theory transmit on every frequency that an RTL-SDR could pick up (again, close by at a low power so you don't disturb other stuff).


A simple comb generator would fill all the frequencies nicely, and is very cheap compared to an SDR transmitter. I have no idea how useful the comb waveform is to "break" the RNG output though.

Here is one for $99, I'm sure you could DIY one for less with reduced output power: https://www.tekbox.net/test-equipment/comb-generators/tbcg1-...


My company sponsored some enhancements to this project several years ago and I blogged about it back then (without much interest).

I still think it's a great effort but as others have pointed out here it shouldn't be your only source of entropy and I'd feel a lot better about it if it were properly reviewed/hammered on.

Still, it's really cool to randomly see the project front page on HN years later!


Nice project, but obviously: don't rely (solely) on this entropy.

There are all kinds of conceivable failure modes that software cannot detect, let alone handle.

Statistic tests are good, but only of limited use.


XOR it with /dev/urandom, the result will be as strong as the best source of entropy.


I don't think this is true without some assumptions. The two bitstreams could cancel out if cleverly chosen.


That would mean that the attacker can already predict /dev/urandom, rendering it effectively useless. So the parent is right, "the result will be as strong as the best source of entropy", if both sources are bad then the result will be as well.


It is true under the assumption that the two sources are independent of each other. If one of the sources is entirely known or predictable, this will not affect the entropy of the other source.


If you know "the other" bitstream, sure. The only sensible premise is that you don't.


If both bitstreams are cleverly chosen, then neither is a source of entropy.


But isn't the point of a hardware entropy source that you don't quite trust /dev/urandom?


You have two adversaries. Adversary A have control over your hardware source, and adversary B have control over /dev/urandom. If you XOR them A and B must cooperate to compromise your random generator. You can combine as many sources of randomness as you want, and each increase the difficulty for an adversary to defeat your generator.


That just gets you the entropy of /dev/urandom, if you can't trust your original source.


Do you have any recommendations for other, high quality, sources of entropy?



Cloudflare uses a wall full of lava lamps, theres a tom scott video on it

https://youtu.be/1cUUfMeOijg


In most cases you can use the Intel CPU included RNG by installed rng-tools to feed it into the kernel entropy pool

Otherwise I’d be happier using a similarly priced USB tool that is at least designed for the job such as the ChaosKey which is also open hardware and firmware and has a Linux driver in tree


With all the issues with Intel, I would be weary of trusting their implementation.


It's "wary". The word "weary" means tired.

Edit: Just curious: are people downvoting because they disagree with my proposed spelling, or because they don't like the correction? Please let me know so I can integrate this knowledge into future comments.


Analysis of Intel’s Ivy Bridge Digital Random Number Generator

http://www.rambus.com/wp-content/uploads/2015/08/Intel_TRNG_...


A geiger counter next to an ionization smoke detector should have some entropy, though I don't know how high the quality would be.

https://www.sparkfun.com/products/14209 https://www.newegg.com/Product/Product.aspx?Item=0EF-005S-00...



No. The main problem is not the type of physical process, but the lack of any detection of failures.

Hardware fails. Can you reliably detect that? The board you linked to cannot at all. Most HWRNGs can, but only partially.



Thermal and other noise by analog electronic parts (resistors, transistors pushed to high gain etc.) comes to mind. They are much safer compared to an online service, app or a piece of hardware one doesn't have the source for, but I have no idea if that noise is good once sampled to be used in cryptography or other non-analog fields.


You have to sample the noise, and deskew it, and check the components are still operating. This is where the errors normally lie.

It's probably a fun project to try, but I'd be wary of using it for cryptography if only because we have other better methods.

I collected a bunch of links a while ago. Here they are, I don't know if these are still working or interesting, but they might be useful: https://news.ycombinator.com/item?id=6060636


Thanks for this! I was looking for something like this to play with.


In general, use a pool and worry less for most purposes as long as some of them are good enough.

An old project of mine:

http://random.hd.org/

It was good enough to use for a financial application when whitened / XORed with system sources.


If on an embedded system the low order bit of an infrequently sampled ADC input might be acceptable.


Is it better than a webcam image piped through sha256?


No? Yes? Neither? Both?

I've seen enough of these discussions to be able to parrot back to you some of the usual responses. Basically, say that you point your webcam at a perfectly black sheet (0x000000 in color). Will you get any actual entropy from this? No.

Now say you point your webcam at the night sky. On a clear night, I will more or less know what your camera is looking at, and will be able to to narrow down the huge field of possible values presented by sha256 to a much smaller set of possibilities. Knowing when you generated your private key and your method of getting entropy, I will be able to crack your key much easier (doesn't mean easy, just many orders of magnitude easier).

Now, say you point your webcam at a lava lamp, or the display showing characteristics of some quantum process, or something else provably random. Here I can't really tell wtf your camera is looking at. I can of course go and slide that black sheet in front of your camera for a bit. Or stand in front of it. But if you physically secure your camera, then yeah you are doing something right (though of course not everything, as it's quite possible that something in your algorithm is in fact reducing your possible output to only some subset of possible values produced by sha256).

It's the same thing with radio. If you tune it to a signal that's producing a sine wave with a stable frequency... I know exactly what your input is. If you tune it to something like the BBC, I know exactly what your input is, even with some noise. If you tune it to something really random, can I just put a very strong transmitter near your receiver and overwhelm the spectrum such that you are listening to only my signal? And the best part is that you won't know that this is happening even more than with a webcam.

Personally, I wouldn't really want to trust these devices. They are fun. but they aren't practical for this purpose. Where you need real entropy is a data center. And a data center won't be receiving too much radio.

Again, parroting every other thread about this, a reverse biased transistor will give you true quantum randomness which is very cheap, very easy to produce, and is difficult to temper with at a distance without disrupting the rest of your equipment too.

Again, you don't need as much entropy as you think. Your kernel will seed a CSPRNG with a tiny bit of entropy, which is enough to keep you safe for eons after that. You can't "run out" of entropy with that scheme. The biggest issue is to initialize the random number generator with true entropy before you start using it, which is only difficult if you are running virtual machines and the host doesn't provide entropy to it. I believe at least in some schemes the seed used is based on time or some such predictable factor, which doesn't help.


How will you be able to reduce the field of possible values presented by sha256 if you approximately know the source image? There is still noise in the image and several orders of magnitude more data. You assume that brute forcing similar images and hashing the result would be easier than just brute forcing the sha256.


That's exactly what I assume. If I know 90% of the image, but need to brute force 10%, I just reduce the possible field of values by an order of magnitude. The better I know what the image was to begin with, the easier it gets. That's exactly why poor RNGs are bad: I can brute force the value by knowing your method + approximately your input.

And if I can affect the image in a way that makes it even more predictable (black sheet over the camera, bright white light into the camera), it gets even easier.


Doing a little back-of-the-envelope math, a 1080p image has a total of 1920x1080x3 = 6,220,800 subpixels. That means each subpixel needs to have less than 0.00004 bits of entropy for there to be less than 256 bits in a single image. Surely a typical consumer CCD will introduce more noise than that. A potential catch is that the noise is likely correlated to a degree. Still, it's not clear that even a webcam pointed at a black sheet of paper is insufficient as a source of entropy.


10% of 1 megapixels divided by 24 is 4166. So, even if you only consider the least significant bit of one of the three subpixels in 10% of the image you still have 16 times more information than what you can represent in a SHA256 hash from a measly 1 megapixel image.

I think it is valid to question how you could reduce the search space enough to be more beneficial than brute forcing SHA256.


but unless the image is very low resolution, chances are sha256 is a smaller space no?


> Basically, say that you point your webcam at a perfectly black sheet (0x000000 in color). Will you get any actual entropy from this? No.

Umm... Why not?


Because every frame would be identical, so the sha256 hash of every frame would also be identical.

The first frame would give you some entropy, but you would terribly weaken it by re-using identical "random" data over and over again.


The idea is that thermal noise operating on the image sensors creates variations in the image. Every frame would have random differences.


This is an interesting project and I've played with it in the past.

Note, however, you should not use this for any real purpose. I saw a video on Youtube a while back of the author presenting this (at a LUG meeting or some such) and even he warns against using it for any real purpose.

So play around with it, hack on it, etc., but do not, by any means, incorporate this into any process that requires actual entropy for cryptographic purposes.


Why not?


Speculation:

A digital TV signal is a lot more repeatable than an analog one. A digital signal doesn't have the "TV static" effect of an analog signal that may introduce different entropy between two devices pulling the same signal in different locations


I'm not sure I agree that a digital TV signal has more repetition than analog. It is possible, but worth investigating.

That said, although the DVB-T dongles were intended for digital TV use, the typical demodulators (such as http://www.amateur-radio-wiki.net/index.php?title=RTL2832) have an extremely wide frequency range and can be repurposed all over that range.

Absolutely use extreme caution when adopting a new source of entropy.


Please note that the rtl-sdr dongle is used as a generic software defined radio receiver, it can be tuned to any frequency range it supports.

It has a few issues like the usb packaging does some retiming, plus the rtl chip documentation is under nda and else.


Von Neumann debiasing is well known, but I was unable to find a reference for Kaminsky debiasing . Can anyone point me to a description of what that is?



I have used youtube-dl with video_entropyd on a newly created DO server. Could be a nice alternative for anyone who hasn't physical access to their server to install such a dongle.


Putting it in a box (what they suggest as an alternative) is better, and you don't need the RTL for that. The whole point is to take as local a measurement as you can.


Would be interesting to see this run through some statistical batteries. DieHarder and TestU01 still seem to be the gold standards.


I use mine to track airplanes. Much more fun.


I did the same thing, but then realised it's pointless when you have flightradar24.com ...


Some of the military and cargo planes are not showing up on Flightradar yet you can track them on your own.


Flightradar actually sources data from ADS-B receivers operated by volunteers.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: