[Gllug] entropykey: why did nobody ever mention this thing before?

Nix nix at esperi.org.uk
Mon Aug 2 19:55:03 UTC 2010 

On 2 Aug 2010, Richard Jones outgrape:

> On Mon, Aug 02, 2010 at 12:23:11AM +0100, Nix wrote:
>> I just bought an Entropy Key (from <http://www.entropykey.co.uk/>. Why
>> did nobody mention the existence of this thing before? Why is nobody
>> shouting about it from the rooftops? It's very rare I find a device that
>
> Fantastically overengineered (a reverse-biased junction with an ARM
> processor?) yet very cheap.

Wonderfully overengineered. I like systems on which every I has been
crossed and every T dotted in the interests of getting things *right*,
and this is plainly one. That it's cheap as well is just icing on the
cake.

> However I'm suspicious that the numbers are really going to be random.

They probably aren't, all the time. That's why it has two random number
generators and hunts for correlations between them, and patterns in the
result of mixing them. Perhaps it's not perfectly random -- nothing is
-- but it's certainly random enough to feed the kernel's entropy pool
with, and it's certainly better than the other entropy the kernel's got
so it's also worthwhile boosting the kernel's entropy estimate at the
same time.

(Note that the userspace tools do not assume complete randomness: they
have an option to set the number of bits of entropy to add to the
estimate per byte delivered, by default 7. I suspect assuming that
one bit out of eight is nonrandom is a huge overestimate, but rather
that than an underestimate.)

> Back when I was a hardware engineer we actually tried to build a
> theoretically perfect random number generator using a reverse-biased
> zener diode sampled at a fixed rate by an ADC (similar in design to
> how they describe the entropykey).

For similar, read identical, as far as I can tell. They don't *call* it
a Zener diode but it plainly is one.

>                                     The diode bounces off and on "at
> random", but at quite a low average frequency.  The clock rate that

It also depends on temperature. I don't see any sign that you stopped
attackers from heating the box up or cooling it down. :)

> you have to sample at must be some large multiple of this frequency in
> order to reduce correlation with the frequency of the diode (IIRC the
> clock rate finally chosen wasn't very much, 2 Hz or something, so you
> end up with 2 random bits per second).  Then there's the question of

This seems very low compared to what the entropy key is providing (and
it must be mostly random or the randomness tests would fail). I see
32400 bytes/s of probably-mostly-random entropy coming from the key
(which is converted to 28350 shannons/sec added to the kernel's entropy
pool, if it needs it).

> whether the diode is bouncing up and down with some external factor:
> power supply?  environmental radio sources?

That's why there's a CPU in there testing the numbers, right?

> This was about the point where we stopped, but only after ascertaining
> that the way to do this was to put the whole device inside a half inch
> thick, earthed copper box.  Put a battery inside there, so there's no
> power supply interference.  Then run the output cable through a narrow
> hole in the metal box.  The problem _then_ is that the output cable
> carries environmental RF back into the box, and really the only way
> around that would be some sort of metalized window with an opto
> coupler.

That's totally, ludicrously OTT. :) better to get something relatively
good if not perfect and test the results, I'd say. God knows it's
cheaper.

>           I guess you can probably see why we didn't build the final
> device in the end.

The perfect is the enemy of the good. The only way you can get *true*
randomness I suspect is to do something quantum, because the only way we
have of affecting *that* is the quantum Zeno effect (and that only
changes one random event into another one with lower probability).
But this is surely close enough.

> Oh well, 42 quid for a USB gadget.  Of course I ordered one ...

:)
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list