[ale] random number generators

Jim Kinney jim.kinney at gmail.com
Tue Mar 19 18:30:41 EDT 2019


I was looking at redirecting urandom to random to keep a higher
quantity but lower quality.

The systems are isolated on a private network (firewalled off from "bad
stuff") but they do potentially contain ePHI and are subject to HIPAA
rules. Thus the deep dive into RNG and the performance issues.

There are several hardware RNGs that are not stupid $$ but of unknown
quality. The one I found that provides NIST certification is $800. I
need 3. Not my money but I'm still a cheapskate.

On Tue, 2019-03-19 at 17:51 -0400, dev null zero two wrote:
> I should also say that using the blocking interface of the Linux rng
> is only effective if the sources feeding the entropy pools are
> conservatively credited. If haveged is being used I imagine it is
> credited at full entropy. If that's the case you may as well use the
> non-blocking interface because your entropy-tracking is likely
> incorrect anyway.
> 
> On Tue, Mar 19, 2019 at 5:43 PM dev null zero two <
> dev.null.02 at gmail.com> wrote:
> > My understanding is Haveged has security issues and has to be
> > configured in a special way to produce information-theoretic
> > entropy.
> > The Intel parts may have HWRNGs on them. Is the Linux kernel
> > pulling in any data from existing hwrng like Intel rdseed
> > already? That Linux patch may do that too if it isn't already a
> > feature of the Linux kernel.
> > 
> > On Tue, Mar 19, 2019 at 5:19 PM Jim Kinney <jim.kinney at gmail.com>
> > wrote:
> > > This looks promising.
> > > 
> > > The system(s) are Intel, high core count file servers with 12
> > > encrypted partitions and 40G TCP and 40G IB networking. Linked
> > > through glusterfs they are the storage cluster. I'm seeing
> > > haveged getting _used_ where it's not been used before.
> > > On Tue, 2019-03-19 at 16:54 -0400, dev null zero two via Ale
> > > wrote:
> > > > IIRC, the link I sent is for a Linux RNG patch that uses a FIPS
> > > > approved DRBG. If properly seeded, this can supply a ton of
> > > > secure random numbers without draining the entropy pool so
> > > > much.
> > > > 
> > > > On Tue, Mar 19, 2019 at 4:52 PM Alex Carver via Ale <
> > > > ale at ale.org> wrote:
> > > > > > On 2019-03-19 13:31, Jim Kinney via Ale wrote:
> > > > > > > When the entropy pool gets low and all 200TB are encrypted,
> > > > > > > writes can slow down.
> > > > > > >
> > > > > > > Looking at hardware RNG devices. Found one that looks really
> > > > > > > cool, open, all the right buttons http://onerng.info/
> > > > > > >
> > > > > > > Anybody used something like this?
> > > > > >
> > > > > > I've seen mention more than once of using a Geiger counter with
> > > > > > its output tied to a serial port to generate random bits with a
> > > > > > small software shim to push them into entropy.  The advantage is
> > > > > > that radioactive decay is random and this kind of setup can't be
> > > > > > influenced from a distance.
> > > > > >
> > > > > > Diode noise is not fully random, it has a specific energy
> > > > > > distribution so there will be bias in the results (in which case
> > > > > > you're depending on these guys to have smoothed/whitened the
> > > > > > noise properly).  RF noise is also not random when the receiver
> > > > > > is stationary.  The RF landscape doesn't change too much and also
> > > > > > has inherent bias (cell towers, wifi APs, lots of other
> > > > > > transmitters that don't move and sit on the same frequency).  The
> > > > > > RF generator would depend on the features that do change which
> > > > > > are fewer and slower.
> > > > > >
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > https://mail.ale.org/mailman/listinfo/ale
> > > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > > http://mail.ale.org/mailman/listinfo
> > > > > >
> > > > 
> > > -- 
> > > James P. Kinney III
> > > > Every time you stop a school, you will have to build a jail. What
> > > > you gain at one end you lose at the other. It's like feeding a dog
> > > > on his own tail. It won't fatten the dog.
> > > > - Speech 11/23/1900 Mark Twain
> > > http://heretothereideas.blogspot.com/
> > > 
> > -- 
> > Sent from my mobile. Please excuse the brevity, spelling, and
> > punctuation.
> -- 
> Sent from my mobile. Please excuse the brevity, spelling, and
> punctuation.
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
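
The questions raised in this thread (how full the entropy pool is, whether the CPU offers rdrand/rdseed, which hwrng the kernel has selected, whether haveged is running) can be checked on a host with a short survey script. This is an added example, not from any poster in the thread; the `ROOT` variable, the function names and the 1000-bit threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example: survey the entropy sources discussed in this thread.
# ROOT is an assumption of this example: it lets the checks run against a
# constructed copy of /proc and /sys; leave it empty on a real host.
ROOT="${ROOT:-}"

# Print the first line of a file, or "unknown" if it cannot be read.
read_first() {
    if [ -r "$1" ]; then head -n 1 "$1" 2>/dev/null; else echo unknown; fi
}

# Kernel's current estimate of entropy in its pool, in bits.
entropy_avail() { read_first "$ROOT/proc/sys/kernel/random/entropy_avail"; }

# hwrng driver currently selected by the kernel's hw_random core.
hwrng_current() { read_first "$ROOT/sys/class/misc/hw_random/rng_current"; }

# Succeeds if the CPU advertises the given flag (rdrand or rdseed).
cpu_has_flag() {
    grep -m 1 '^flags' "$ROOT/proc/cpuinfo" 2>/dev/null | grep -qw "$1"
}

# Classify the pool level against a threshold in bits (default 1000, an
# arbitrary cut-off chosen for this example).
pool_state() {
    bits=$(entropy_avail)
    case "$bits" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$bits" -lt "${1:-1000}" ]; then echo low; else echo ok; fi ;;
    esac
}

rng_survey() {
    echo "entropy_avail: $(entropy_avail) bits ($(pool_state))"
    for flag in rdrand rdseed; do
        if cpu_has_flag "$flag"; then echo "cpu $flag: yes"; else echo "cpu $flag: no"; fi
    done
    echo "hwrng current: $(hwrng_current)"
    # Userspace feeders mentioned in the thread; rngd is from rng-tools.
    for daemon in haveged rngd; do
        if pgrep -x "$daemon" >/dev/null 2>&1; then echo "$daemon: running"; else echo "$daemon: not running"; fi
    done
}

rng_survey
```

A `rdrand` or `rdseed` flag only shows that the CPU offers the instruction; it does not show how much entropy the kernel credits for it.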
