Random numbers for embedded devices

By Jonathan Corbet
July 17, 2012

Secure communications are dependent on good cryptography, and cryptography, in turn, is dependent on good random numbers. When cryptographic keys are generated from insufficiently-random values, they may turn out to be easily guessable by an attacker, leaving their user open to eavesdropping and man-in-the-middle attacks. For this reason, quite a bit of attention has been put into random number generation, but that does not mean that problems do not still exist. A set of patches intended for merging into the 3.6 kernel highlight some of the current concerns about random number generation in Linux.

Computing systems traditionally do not have sources of true randomness built into them. So they have operated by attempting to extract randomness from the environment in which they operate. The fine differences in timing between a user's keystrokes are one source of randomness, for example. The kernel can also use factors like the current time, interrupt timing, and more. For a typical desktop system, such sources usually provide enough randomness for the system's needs. Randomness gets harder to come by on server systems without a user at the keyboard. But the hardest environment of all may be embedded systems and network routers; these systems may perform important security-related tasks (such as the generation of host keys) before any appreciable randomness has been received from the environment.

As Zakir Durumeric, Nadia Heninger, J. Alex Halderman, and Eric Wustrow have documented, many of the latter class of systems are at risk, mostly as a result of keys generated with insufficient randomness and predictable initial conditions. They write: "We found that 5.57% of TLS hosts and 9.60% of SSH hosts share public keys in an apparently vulnerable manner, due to either insufficient randomness during key generation or device default keys." They were also able to calculate the actual keys used for a rather smaller (but still significant) percentage of hosts. Their site includes a key checker; concerned administrators may point it at their hosts to learn if their keys are vulnerable.

Fixes for this problem almost certainly need to be applied at multiple levels, but kernel-level fixes seem particularly important since the kernel is the source for most random numbers used in cryptography. To that end, Ted Ts'o has put together a set of patches designed to improve the amount of randomness available in the system from when it first boots. Getting there involves making a number of changes.

One of those is to fix the internal add_interrupt_randomness() function, which is used to derive randomness from interrupt timing. Use of this function has been declining in recent years, as a result of both its cost and concerns about the actual randomness of many interrupt sources. Ted's patch set tries to address the cost by batching interrupt-derived randomness on a per-CPU basis and only occasionally mixing it into the system-wide entropy pool. That mixing is also done with a new, lockless algorithm; this algorithm contains some small race conditions, but those could be seen to make the result even more random. An attempt is made to increase the amount of randomness obtained from interrupts by mixing in additional data, including the value of the instruction pointer at the time of the interrupt. After this change, adding randomness from interrupts should be fast and effective, so it is done by default for all interrupts; the IRQF_SAMPLE_RANDOM interrupt flag no longer has any effect.

Next, the patch set adds a new function:

    void add_device_randomness(const void *buf, unsigned int size);

The purpose is to allow drivers to mix in device-specific data that, while not necessarily random, is system-specific and unpredictable. Examples include serial, product, and manufacturer information from attached USB devices, the "write counter" from some realtime clock devices, and the MAC address from network devices. Most of this data should be random from the point of view of an attacker; it should help to prevent the situation where multiple, newly-booted devices generate the same keys.

Finally, Ted's patch set also changes the use of the hardware random number generator built into a number of CPUs. Rather than return random numbers directly from the hardware, the code now mixes hardware random data into the kernel's entropy pool and generates random numbers from there. His reasoning is that using hardware random numbers directly requires placing a lot of trust in the manufacturer:

It's unlikely that Intel (for example) was paid off by the US Government to do this, but it's impossible for them to prove otherwise --- especially since Bull Mountain is documented to use AES as a whitener. Hence, the output of an evil, trojan-horse version of RDRAND is statistically indistinguishable from an RDRAND implemented to the specifications claimed by Intel. Short of using a tunneling electronic microscope to reverse engineer an Ivy Bridge chip and disassembling and analyzing the CPU microcode, there's no way for us to tell for sure.

Mixing hardware random data into the entropy pool helps to mitigate that threat. The first time this patch came around, Linus rejected it, saying "It would be a total PR disaster for Intel, so they have huge incentives to be trustworthy." That opinion was not universally shared, though, and the patch remains in the current set. Chances are it will be merged in its current form.

An important part of the plan, though, is to get these patches into the stable updates despite their size. Then, with luck, device manufacturers will pick them up relatively quickly and stop shipping systems with a known weakness. Even better would be, as Ted suggested, to make changes at the user-space levels as well. For example, delaying key generation long enough to let some randomness accumulate should improve the situation even more. But making things better at the kernel level is an important start.

Index entries for this article
Kernel	Random numbers
Kernel	Security/Random number generation
Security	Random number generation

Random numbers for embedded devices

Posted Jul 19, 2012 3:33 UTC (Thu) by rbrito (guest, #66188) [Link] (1 responses)

I just skimmed some of the patches (not the rest of the code, which may mean that I'm missing context), but what is reason for having the pool initialized to something while not adding entropy, as mentioned in the commit message of Ted's patch number 4?

Random numbers for embedded devices

Posted Jul 19, 2012 9:50 UTC (Thu) by ilmari (guest, #14175) [Link]

The "not adding entropy" refers to not incrementing the kernel's estimate of the amount of entropy in the pool, since the data being mixed in isn't really very random.

Random numbers for embedded devices

Posted Jul 19, 2012 15:19 UTC (Thu) by cpeterso (guest, #305) [Link] (2 responses)

Can the expensive mixing operations be moved to get_random_bytes(), so the mixing is only done when needed and the cost is paid by the caller, not interrupt handlers?

Random numbers for embedded devices

Posted Jul 20, 2012 0:53 UTC (Fri) by pr1268 (subscriber, #24648) [Link]

That might make get_random_bytes() very expensive (relatively speaking). My suggestion is that the mixing operations happen only when the entropy pool gets below a low-water mark (but then again perhaps this might make the RNG a little more vulnerable; I'm not totally sure about this).

Random numbers for embedded devices

Posted Jul 23, 2012 17:14 UTC (Mon) by tytso (subscriber, #9993) [Link]

The expensive (i.e., cryptographic) operations are already in get_random_bytes(). What we do amortized across multiple interrupts is a few xors, a rotate, and some memory accesses into a per-CPU memory pool. So the bulk of the cost is already paid by the processes that need random numbers.

Definitely not speaking for my employer, but here goes..

Posted Jul 20, 2012 6:04 UTC (Fri) by DavidJohnston (guest, #85852) [Link] (11 responses)

The argument that the random numbers from the RdRand instruction cannot be trusted, compared to the kernel RNG algorithms that extract entropy from interrupt timing doesn't really hold water. Especially in light of the recent studies showing the lack of boot time entropy.

To suggest that users 'wait' for entropy to be available from the kernel when their platform provides copious amounts of entropy before the first instruction has executed suggests that it is the kernel that is the problem, not the platform or user behavior.

Compared to the treatment of most CPU logic, Intel has been extraordinarily open with the design on the RNG, exposing the full algorithmic details and opening the design for external review. I've yet to see an comparable expositions of why we should believe the Kernel entropy gathering code achieves a well defined min-entropy.

When a user has paid for and deployed a RdRand capable machine that solves their boot time entropy problem, it is not in that user's interests that a paranoid design philosophy in the kernel leads to the user getting no entropy, rather than the 150MB/s+ that the platform can provide. They need the random numbers, not advice on who to trust and they should get those numbers if they trust the platform they run their software on.

Lack of entropy has been a problem that has dogged computer security for decades. Now that we are in sight of a comprehensive solution in hardware, the right approach for the kernel is to facilitate high bandwidth access to entropy through the /dev/[u]random interfaces, drawing from the underlying hardware.

The right approach for application software is to dispense with slow, large attack surface libraries and kernel calls and use the instruction based sources directly, rendering themselves immune from a large class of side channel and memory based attacks that can be raised against software entropy extractors and PRNGs. Existing and new software might continue to use /dev/[u]random, but where security and performance are a goal, RdRand and AES-NI are simply better.

The primary goal of RdRand is to make the platform entropy problem simply go away. In time it will, but we are in a position to speed the process by making the right design decisions, so the non cryptographers stand a chance of their security software working for them.

Definitely not speaking for my employer, but here goes..

Posted Jul 20, 2012 8:55 UTC (Fri) by Aissen (subscriber, #59976) [Link] (8 responses)

Could you provide links to the papers, algorithms and design source code ?

Definitely not speaking for my employer, but here goes..

Posted Jul 20, 2012 12:39 UTC (Fri) by nix (subscriber, #2304) [Link] (6 responses)

Links to proof that what's in the CPU matches that design would be necessary too, before this can be trusted. The point about those sources that currently contribute to the entropy estimate is that they are only those sources which an external observer can see cannot be controlled or predicted by an attacker. Something impossible to inspect buried inside your CPU by a major corporation is... not worthy of the same degree of trust.

It's not even worthy of the same degree of trust as, say, the Simtec Entropy Key, because at least Simtec is a small company and you can in theory get to know the people who did the work and become as sure as you wish that they did not get nobbled by the secret services -- though even that entropy is somewhat less trustworthy than environmental entropy not derived from a necessarily-opaque IC. Intel? It's a behemoth, and we know it therefore does business with all sorts of people. Who knows what pressures may have been brought to bear?

This isn't saying that I think pressures *were* brought to bear on Intel to nobble their RNGs -- it's just that had they *been* brought to bear, the design would have looked just like we see now (as the nobbling would happen later in the process, with less risk of public exposure), and the CPUs that resulted would have looked from the outside *just like the ones we see now* except that their 'random' numbers would be predictable by a suitably-privileged outside attacker. So we cannot distinguish between those cases, so cannot grant the entropy derived from those CPUs the same definitely-unpredictable status as entropy derived from environmental noise.

(This is not, of course, unique to Intel. I consider uninspectable RNGs and binary crypto blobs from all vendors untrustworthy, but larger vendors are probably less trustworthy than smaller ones, regardless of the quality of their engineering or employees, simply because they are easier for the security services to quietly nobble.)

Definitely not speaking for my employer, but here goes..

Posted Jul 21, 2012 3:22 UTC (Sat) by DavidJohnston (guest, #85852) [Link] (5 responses)

Then I suspect no hardware product will meet your needs.

Definitely not speaking for my employer, but here goes..

Posted Jul 21, 2012 13:48 UTC (Sat) by nix (subscriber, #2304) [Link] (2 responses)

Precisely my point. Or, rather, they do meet my needs, but my needs do not include having this stuff contribute to the entropy estimate. I can't trust that it is truly entropy. That doesn't mean it won't help keep your random numbers look random, of course: it still mixes into the pool.

Definitely not speaking for my employer, but here goes..

Posted Aug 18, 2012 16:32 UTC (Sat) by kjp (guest, #39639) [Link] (1 responses)

Use an FM or TV tuner and use the white noise for entropy. I'd trust that.

Definitely not speaking for my employer, but here goes..

Posted Aug 18, 2012 21:37 UTC (Sat) by nix (subscriber, #2304) [Link]

Really? That noise is often fearfully non-random and highly correlated, and anyone with a radio transmitter or indeed any electrical device can introduce new patterning. It's... not a good noise source on its own (though obviously it contains noise, so it could probably contribute *some* entropy.)

Definitely not speaking for my employer, but here goes..

Posted Jul 23, 2012 17:19 UTC (Mon) by tytso (subscriber, #9993) [Link] (1 responses)

Of course there could be hardware products that would meet an independent auditability criteria. It would require a completely open hardware design where the only thing that is done in hardware is a noise diode, and the minimal circuitry to convert the analog signal into a digital one. A quick google search reveraled something like this that could perhaps be used as a basis of such an implementation:

https://mywebspace.wisc.edu/lnmaurer/web/minirng/minirng....

Add a simple USB interface so it can be plugged into a laptop or a server, but the key point is that it's a open hardware design, using basic commodity parts whose operation can be easily verified.

Then what we do in open source software is all of the hard work of analyzing the raw output of the hardware circuit, to make sure it hasn't failed, and then all of the whitening using AES, etc. Alternatively, we could take the unwhitened output and just feed it into /dev/random (since the /dev/[u]random entropy pools will take care of doing the whitening for us).

Definitely not speaking for my employer, but here goes..

Posted Jul 24, 2012 16:59 UTC (Tue) by nix (subscriber, #2304) [Link]

Alternatively, we could take the unwhitened output and just feed it into /dev/random (since the /dev/[u]random entropy pools will take care of doing the whitening for us).

This is exactly what the Entropy Key's daemon does. There's no point in engaging in whitening and the like, since the key already does all of that (mixing together the output of two RNGs, making sure they are not correlated, and the like) and the daemon just asks the key 'are you broken?' and stops feeding entropy into /dev/random if it says it is.

Definitely not speaking for my employer, but here goes..

Posted Jul 21, 2012 3:11 UTC (Sat) by DavidJohnston (guest, #85852) [Link]

>Could you provide links to the papers, algorithms and design source code ?
The design source code isn't available. There's a lot more to designing chip RTL at 22nm than just the implementation of the algorithms, so I'm not at liberty to reveal the source code.

I'm working towards making some C code available that models the design. This served as part of the design validation (it helps show model equivalence and calibrate entropy estimates) but could also answer a lot of the detail questions people have about the nature of the raw entropy.

Patrick OKeef has done an efficient job of linking to all the information that is out there. https://sites.google.com/site/intelrdrand/references

You might find Jesse Walker's talk, particularly the stuff at the end on the Ornstein-Uhlenback process (which nicely models ES) informative. http://www.ists.dartmouth.edu/docs/walker_ivy-bridge.pdf

The Intel Developer Forum talk should be out there somewhere. If not I can send it.

These guys performed external review. They did get to see the source code and had access to raw data and the engineers. Fortunately for us they didn't find anything too horrendous. The paper is here: http://www.cryptography.com/public/pdf/Intel_TRNG_Report_...

I described the details of the conditioning algorithms here: http://software.intel.com/en-us/forums/showthread.php?t=1...

There's more on the way, but we have to write it first.

Definitely not speaking for my employer, but here goes..

Posted Jul 21, 2012 5:56 UTC (Sat) by dlang (guest, #313) [Link]

you don't have to 'wait' if you are willing to trust the /dev/urandom source, you only have to wait if you insist on getting a 'guarantee' that you are getting true randomness as opposed to just the best that the system can do.

The system will use the hardware RNG to modify the output of /dev/random and /dev/urandom, the only thing is that it doesn't increment the "guaranteed randomness available" counter.

realistically, I don't think it makes sense for anyone to depend on /dev/random and the 'available entropy' counter, the few cases that have super strict randomness guarantee requirements should just have a separate source of randomness

think of this as improving the quality of /dev/urandom rather than failing to get the full randomness of the hardware RNG

Definitely not speaking for my employer, but here goes..

Posted Aug 5, 2012 4:14 UTC (Sun) by mina86 (guest, #68442) [Link]

We should trust them because we all know that Intel would never release buggy hardware like random number generator or, oh I don't know, a floating point unit.

Random numbers for embedded devices

Posted Jul 21, 2012 8:38 UTC (Sat) by PaXTeam (guest, #24616) [Link]

concerned/interested readers might want to check out the latent_entropy plugin featured in the latest PaX patch. the idea is very simple: each basic block of boot-only functions is instrumented to compute a random function (based on add/xor/rol, hi Halvar :) whose output is then fed into the input/nonblocking pools after each initcall. tests show that even an allnoconfig amd64 kernel under qemu produces a few bits of entropy. at this point i'm interested in real field tests with embedded systems, so feel free to contribute :).

MAC address as random input?

Posted Jul 21, 2012 22:42 UTC (Sat) by Max.Hyre (subscriber, #1054) [Link] (5 responses)

This may just exemplify a little learning being a dangerous thing, but doesn't IPv6 put the MAC address in the packet header? If so, ungood.

MAC address as random input?

Posted Jul 23, 2012 19:14 UTC (Mon) by BenHutchings (subscriber, #37955) [Link] (2 responses)

By default, the local part of the IPv6 address is the MAC address with 16 constant bits in the middle. There is an option to use 'privacy extensions' which means the local part is randomised (sysctl net.ipv6.conf.all.use_tempaddr; Documentation/networking/ip-sysctl.txt).

MAC address as random input?

Posted Jul 25, 2012 18:45 UTC (Wed) by kleptog (subscriber, #1183) [Link] (1 responses)

Note that the default varies by implementation. Various versions of windows default to privacy extensions.

Privacy extensions means your IP changes regularly, usually once a day. For servers you don't want that, but for client PCs the tradeoff is different. If it bugs you you can set the IP address yourself.

Note the link-local address always includes your MAC address, but that address never leaves the LAN, and everyone on your LAN needs your MAC address anyway to talk to you.

MAC address as random input?

Posted Jul 26, 2012 12:18 UTC (Thu) by farnz (subscriber, #17727) [Link]

More accurately, it adds an extra IP that changes regularly; you still have the permanent IP that you would have if you didn't enable privacy extensions, but you also have a temporary IP that changes, and that is used in preference to your permanent IP for outgoing connections.

The idea is that if you give me your permanent IP, I can connect to you. If you don't, the only IP of yours I know about is your temporary IP, which changes regularly - so while it's fine for the duration of communication you initiated, it's not useful in a few days time.

MAC address as random input?

Posted Jul 25, 2012 21:37 UTC (Wed) by pjm (guest, #2080) [Link] (1 responses)

Another thing to note is that it doesn't hurt to add lots of attacker-known data to the pool, so long as there's at least k bits of attacker-unknown data also in the pool. So using the MAC address by default is fine if there are some systems where attackers don't trivially know the value.

MAC address as random input?

Posted Jul 26, 2012 8:01 UTC (Thu) by nix (subscriber, #2304) [Link]

Quite. This is one reason why the BSDs et al don't bother with an entropy estimate: as long as there's *some* entropy, you're fine, and if it's wrong, you're very much not fine.

(I like the entropy estimator for a much more selfish reason: collecting randomness from some sources can be quite expensive, and we can use the entropy estimator as a high-water-mark to indicate that there's no point whatsoever providing more randomness because nobody's read much since we last shoved a bunch in. We could do much the same thing with a simple counter of "bytes read from /dev/*random by other users since last entropy fed in by a /dev/random writer", but that leaks information about those other users and might be considered ugly. The BSDs don't have a counter like this, and it makes the ekeyd ridiculously costly on those platforms because it has to pull entropy from the key and remix it for /dev/random all the time, even if the system is otherwise totally idle.)