Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
entropy data sources in gentoo networks
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
jpsollie
Guru
Guru


Joined: 17 Aug 2013
Posts: 323

PostPosted: Mon Sep 23, 2024 11:13 am    Post subject: entropy data sources in gentoo networks Reply with quote

Hi everyone,
when digging through a lot of driver issues in hwrng device missing thread, I took a look at other possible sources of entropy.
So, I'd like your thoughts about it:
there are 2 entropy sources (nist and qrypt) which are networking related (but obviously nist is easily interceptable).
What if openrc would broadcast entropy in a non-routed multicast group?

The idea would be to use named pipes combined with UDP packets transferred at random through the network:

the code below illustrates what I was thinking about:
on entropy source 1:
Code:

rngd -R 5 -i -n nist -n hwrng -n qrypt -O qrypt:tokenfile:qrypt.token &
while [ 1 ]; do read -n 512 err < /dev/random; echo "$err" | nc -w1 -ub 192.168.1.255 20000; sleep 5; done

... and off course when using broadcast / multicast groups you can initiate as many entropy devices as you want ...

and on the client:
Code:

mkfifo /run/entropy.pipe
nohup nc -lk -u -b -p 20000 > /run/entropy.pipe &
rngd -f -R 5 -d -x jitter -x hwrng -x rdrand -n namedpipe -O namedpipe:path:/run/entropy.pipe -O namedpipe:timeout:10
Disabling 6: JITTER Entropy generator (jitter)
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Enabling 10: Named pipe entropy input (namedpipe)
Initializing available sources
[namedpipe]: Initialized
Kernel entropy pool size 256, pool watermark 192
Reading entropy from Named pipe entropy input
Running FIPS test on entropy
entropy successfully gathered, preparing it for the kernel
Added 256/256 bits entropy
Pool full at 256, sleeping!
Added 256/256 bits entropy
Pool full at 256, sleeping!
Added 256/256 bits entropy
Pool full at 256, sleeping!
^C[namedpipe]: Shutting down


so, what do you guys think of this idea?
I know, it shouldn't be used as only source ... but it has some opportunities for iot devices not having a proper hwrng, right?
_________________
The power of Gentoo optimization (not overclocked): [img]https://www.passmark.com/baselines/V10/images/503714802842.png[/img]
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3477

PostPosted: Mon Sep 23, 2024 1:37 pm    Post subject: Reply with quote

Quote:
I know, it shouldn't be used as only source ... but it has some opportunities for iot devices not having a proper hwrng, right?

Take it with a grain of salt, but I think linux supplements entropy using IO jitter, which includes keyboard, disks ( Hooray for HDDs), and also network traffic.

Basically, there is no point in deliberately sending entropy data over network, because it means you are already connected to the network which serves as entropy source just by being there.
Whenever you receive a packet, it is timestamped, turned into a more or less "surprising" random event, and the X-factor is in some way mixed into the pool.
Hwrng, is useful when you need a constant flood of randomness; more than IO and CPU noise can provide (Yes, cpu too; see haveged)
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
jpsollie
Guru
Guru


Joined: 17 Aug 2013
Posts: 323

PostPosted: Mon Sep 23, 2024 7:32 pm    Post subject: Reply with quote

szatox wrote:
Quote:
I know, it shouldn't be used as only source ... but it has some opportunities for iot devices not having a proper hwrng, right?

Take it with a grain of salt, but I think linux supplements entropy using IO jitter, which includes keyboard, disks ( Hooray for HDDs), and also network traffic.

Basically, there is no point in deliberately sending entropy data over network, because it means you are already connected to the network which serves as entropy source just by being there.
Whenever you receive a packet, it is timestamped, turned into a more or less "surprising" random event, and the X-factor is in some way mixed into the pool.
Hwrng, is useful when you need a constant flood of randomness; more than IO and CPU noise can provide (Yes, cpu too; see haveged)

That sounds like something which doesn't need too much of a grain of salt.
nonetherless, IoT devices often do not have:
- a hwrng which succeeds FIPS validation
- RDRAND instructions (or ARM equivalent)
- a TPM with built-in random generator
- a HDD, keyboard, ... or proper drivers providing the IO jitter.
On the other side, these days, WiFi latency is a good entropy source probably almost available everywhere ... don't know.
so yeah, its use is pretty limited
_________________
The power of Gentoo optimization (not overclocked): [img]https://www.passmark.com/baselines/V10/images/503714802842.png[/img]
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3477

PostPosted: Mon Sep 23, 2024 11:05 pm    Post subject: Reply with quote

Yeah, they don't have keyboards and hardware generators and instruction sets, but network is chaotic enough.
How much entropy do you actually need there anyway? Basically any noise at all will make the output unguessable.

If you feel like pulling an ugly hack just for fun, you can try reading a floating high impedance input. It's state is undefined and it should act as an antenna collecting EM noise from the environment.
And if you don't mind adding a few components, 2 resistors + opamp give you a white noise generator; I also vaguely recall pink noise from a single resistor. An IoT device suggests a microcontroller, and those li'l babies typically have some GPIO pins not used by the project, and sometimes an extra ADC and so on. Just sayin'.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
jpsollie
Guru
Guru


Joined: 17 Aug 2013
Posts: 323

PostPosted: Tue Sep 24, 2024 6:40 am    Post subject: Reply with quote

szatox wrote:
Yeah, they don't have keyboards and hardware generators and instruction sets, but network is chaotic enough.
How much entropy do you actually need there anyway? Basically any noise at all will make the output unguessable.

If you feel like pulling an ugly hack just for fun, you can try reading a floating high impedance input. It's state is undefined and it should act as an antenna collecting EM noise from the environment.
And if you don't mind adding a few components, 2 resistors + opamp give you a white noise generator; I also vaguely recall pink noise from a single resistor. An IoT device suggests a microcontroller, and those li'l babies typically have some GPIO pins not used by the project, and sometimes an extra ADC and so on. Just sayin'.


you're absolutely right ...
but why the hell does something like qrypt exist then?
I mean, if the itter from voltage regulators is a good source of entropy, why did the rng-tools author even bother implementing qrypt?
_________________
The power of Gentoo optimization (not overclocked): [img]https://www.passmark.com/baselines/V10/images/503714802842.png[/img]
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3477

PostPosted: Tue Sep 24, 2024 8:59 am    Post subject: Reply with quote

Quote:
if the itter from voltage regulators is a good source of entropy
Those 2 I mentioned, based on resistors, rely on thermal noise, there's no predicting that.
I actually recalled more interesting circuits, a coil, capacitor and a non-linear element (like a tunnel diode), as well as a resistor + a bipolar transistor plugged in the wrong way. Those 2 have the advantage of producing output voltage high enough to be usable directly.

Qrypt? Never heard of it. You mean this?
Code:
https://www.qrypt.com/

Judging by _THE_ landing page template, it exists for money. And it has "quantum" in the name, so it must be the best thing in the world (can we have a trollface emote please?)
I mean, it may or may not be good, I am not digging through their marketing campaign to figure that out though.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum