Can adding a tiny, ARM-based 32-bit computer to your Linux box really be all you need to improve cryptographic security?
Entropy – the contents, basically, of /dev/random – isn’t something to which most Linux users give a second thought, but it keeps server administrators and cryptographers awake at night. A system starved of entropy or, worse, filled with poor-quality entropy, can suffer everything from performance issues to security holes – and it’s a problem that becomes much larger when you get into the topic of virtualisation.
When working with entropy, users will be familiar with the issue of starvation: attempting to copy 1MB of data, say, from /dev/random will rapidly grind to a halt; it’s for this reason that the non-blocking /dev/urandom is the default source for most programs’ entropy.
One way of dealing with the starvation of /dev/random and how slow it can be to refill, especially on headless systems, is the use of a hardware random number generator. These are typically expensive devices, but the Free Software Foundation has launched a budget model based on the Flying Stone Tiny (FST) microcomputer: the NeuG.
The brainchild of Niibe Yutaka, NeuG is free software designed to run on top of the FST-01’s ARM M3 processor. When connected to a host system via USB, the NeuG-enabled FST-01 appears as a serial port; connect to the port and you’ll find a flood of random characters filling your console session.
Yutaka’s implementation of a supposedly true random number generator (TRNG) is simple enough: readings from analogue sensors connected to the STM32F103 processor are taken, paired, passed through a CRC-based scrambling system, then conditioned using a hashing algorithm before being output over the device’s built-in USB serial port. This stream of entropy can then be used however you see fit. Installation is simple enough: plug the device into your system’s USB port, and a piece of firmware dubbed Fraucheky turns it into a removable storage device containing a handy readme. Glancing through this reveals the design, usage, and principle behind NeuG, but it’s missing one vital piece of information, so the next step of the process is to eject the removable drive.
When ejected, the FST-01 switches to the NeuG firmware. The drive disappears and is replaced with a serial device – /dev/ttyACM0. This needs to be tweaked with stty before use, with the instructions from the readme: the port needs setting to raw mode with echo disabled as a minimum, and it’s also possible to switch between three operation modes.
These modes have a distinct effect on the NeuG’s operation. In its default mode, the NeuG is able to output entropy at a rate of around 81KB/s through an SHA-256 conditioning algorithm; switching to an alternative CRC-32 algorithm may weaken the quality of the entropy somewhat, but boosts throughput to around 288KB/s. The final mode outputs the raw data from the sensors, with no attempt to ensure that it is in any way random.
In either of its random-number-generation modes, the NeuG is more than capable of shoving entropy into /dev/random at a rate far higher than the operating system’s own entropy-gathering activities. Installing rng-tools onto the system and pointing the rngd daemon at the NeuG’s serial port sees the available entropy shoot up the instant it’s loaded.
For servers, that’s great news – and for virtualised servers, where access to traditional entropy sources may not be available, it can potentially spell the difference between a secure system and one generating insecure keys. It also serves as a handy alternative to closed-source hardware RNGs built into modern processors, like Intel’s Ivy Bridge and newer. Gareth Halfacree
Summary
It’s hard to judge the quality of a stream of supposedly random data, but the NeuG flew through the usual barrage of tests including ent and a visualisation check. It’s also easy to use and affordable.
Specification
CPU STM32F103TBU6 ARM Cortex M3, 72MHz
RAM 20KB
ROM 128KB
Storage 4MB SPI flash memory
Operating System Fraucheky/NeuG TRNG
Throughput 288KB/s CRC-32 conditioned, 81KB/s SHA-256 conditioned
Price $50