Sunday, December 13, 2009

A USB Entropy Drive

A UK company called Simtec Electronics has created a USB thumb drive device with dedicated hardware for producing a continuous stream of high entropy bits, suitable for mixing into an existing entropy pool on your device or feeding directly into applications and protocols that require sources of randomness. The product is called Entropy Key and can be ordered from the website for £36.00, with further discounts for bulk orders.

An overview of the process for producing the entropy is given in the diagram below. There are two independent noise generators based on P-N junctions that are sampled at a high rate to produce a stream of bytes. The output of each generator and their XOR are subjected to the universal statistical bit test devised by Ueli Maurer. If the sequences pass this test then von Neumann’s debias trick is applied, and then another round of universal testing, followed by hashing with Skein. This process blocks at any stage if the computed statistics fall outside conservative estimates of the properties of random generators.


These steps are repeated until 20,000 bits have been collected, upon which the statistical tests recommended by FIPS 140-2 are applied. The 20,000 bit pool is then parcelled into blocks of 256 bits, and Simtec estimates that each such block has been generated from about 5,000 bits of noisy hardware samples.
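The 20,000-bit check described above can be sketched as follows. This is an added example, not code from Simtec's daemon or firmware: it implements the monobit, poker, runs and long-run tests with the intervals from FIPS 140-2 (Change Notice 1), and the sample pools are constructed with Python's `random` module purely for illustration.

```python
import random

POOL_BITS = 20_000
# Required intervals for runs of length 1..5 and 6+, applied to runs of zeros
# and runs of ones separately (values from FIPS 140-2 with Change Notice 1).
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def run_lengths(bits):
    """Yield (bit_value, length) for each maximal run of identical bits."""
    start = 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            yield bits[start], i - start
            start = i

def fips_140_2(bits):
    """Return {test name: passed} for the four tests over one 20,000-bit pool."""
    if len(bits) != POOL_BITS:
        raise ValueError("the tests are defined on exactly 20,000 bits")
    ones = sum(bits)
    counts = [0] * 16                        # poker: tally of each 4-bit value
    for i in range(0, POOL_BITS, 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    poker = 16 / 5000 * sum(c * c for c in counts) - 5000
    tally = {(v, n): 0 for v in (0, 1) for n in RUN_LIMITS}
    longest = 0
    for value, length in run_lengths(bits):
        tally[value, min(length, 6)] += 1    # runs longer than 6 count as 6+
        longest = max(longest, length)
    return {
        "monobit": 9725 < ones < 10275,
        "poker": 2.16 < poker < 46.17,
        "runs": all(RUN_LIMITS[n][0] <= tally[v, n] <= RUN_LIMITS[n][1]
                    for v, n in tally),
        "long_run": longest < 26,
    }

if __name__ == "__main__":
    rng = random.Random(2009)                # constructed sample inputs
    samples = {
        "uniform": [rng.getrandbits(1) for _ in range(POOL_BITS)],
        "52% ones": [int(rng.random() < 0.52) for _ in range(POOL_BITS)],
        "stuck at 0": [0] * POOL_BITS,
    }
    for name, pool in samples.items():
        print(f"{name:10s}", fips_140_2(pool))
```

A pool that fails any of the four tests would be discarded rather than parcelled into output blocks.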

The design relies heavily on Maurer’s universal statistical bit test, and perhaps justifiably so, since this test is specifically designed to detect deviations from expected statistical properties in a bit generator by computing an estimate of the generator’s entropy using ideas from universal data compression algorithms. The test is quite simple, and there is a reasonable description and parameterization given in NIST SP 800-22, which also contains a description of a large number of other statistical tests. A research paper on a finer analysis of Maurer’s test can be found here.
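To make the test-then-debias stages concrete, here is an added example (not Simtec's code) that runs Maurer's universal test with the L = 6 parameters from NIST SP 800-22 on a deliberately biased stream, applies von Neumann's debias trick, and tests again. The `biased_source` function is a constructed stand-in for a raw noise generator, the 0.01 cut-off is the SP 800-22 significance level rather than the device's own threshold (which the page does not state), and the XOR and Skein stages are left out.

```python
import math
import random

# Block length L = 6 parameters from NIST SP 800-22: Q initialisation blocks,
# expected value and variance of the statistic for an ideal random source.
L, Q = 6, 640
EXPECTED, VARIANCE = 5.2177052, 2.954

def biased_source(n, p_one, seed):
    """Constructed stand-in for a raw noise generator: n i.i.d. bits, P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def von_neumann(bits):
    """Debias: take non-overlapping pairs, emit 0 for 01 and 1 for 10, drop 00/11."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def maurer_universal(bits):
    """Return (fn, p_value) of Maurer's universal test over a list of 0/1 bits."""
    blocks = [int("".join(map(str, bits[i:i + L])), 2)
              for i in range(0, len(bits) - L + 1, L)]
    K = len(blocks) - Q                      # number of test blocks
    if K <= 0:
        raise ValueError("need more than Q blocks of input")
    last_seen = [0] * (1 << L)               # index of latest occurrence per pattern
    total = 0.0
    for i, block in enumerate(blocks, start=1):
        if i > Q:                            # test segment: log2 of distance back
            total += math.log2(i - last_seen[block])
        last_seen[block] = i
    fn = total / K
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(VARIANCE / K)
    p_value = math.erfc(abs(fn - EXPECTED) / (math.sqrt(2) * sigma))
    return fn, p_value

if __name__ == "__main__":
    raw = biased_source(2_000_000, 0.6, seed=1)
    for name, stream in (("raw", raw), ("debiased", von_neumann(raw))):
        fn, p = maurer_universal(stream)
        verdict = "pass" if p >= 0.01 else "block"
        print(f"{name:9s} bits={len(stream):8d} fn={fn:.4f} p={p:.4f} -> {verdict}")
```

The raw stream's statistic falls well below the expected value because repeated patterns recur sooner in a lower-entropy source; debiasing discards roughly three quarters of the input to restore it.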

The output rate is, by its nature, variable but an average rate of more than 30 kilobits per second is expected. The complete client daemon source is provided under an MIT license which means everyone is free to examine the code for themselves. Simtec also notes that the Entropy Key can automatically detect various physical attacks, such as temperature changes (by using a built-in temperature sensor), and opening of the case. The device is currently undergoing testing with "select customers" but is available for general ordering. There is an IRC channel #ekey on the oftc network if you want to discuss any of this further.

(Thanks to Vincent Sanders for providing some more technical details)



olj said...

Very interesting story about producing entropy. Have you ordered one already?

Unknown said...

I am asking Santa!

Unknown said...

Lovely. Although the kernel warnings are a trifle offputting, that's not their issue and they have a user-space workaround.

The final hash obviously makes investigation of any remaining device bias difficult. But does the final hash mean this source's quality is limited by the quality of the chosen cryptohash?

The suggestion of blending these bits into system-produced bits in /dev/random seemingly allays fears of the device as trojan horse. But to have actual value, its source will produce bits far faster than the intrinsic system sources -- else why bother -- so the dilution is pretty low. Are the proprietors (and any offshore manufacturing partners) known in the Community?

Unknown said...

Hi Bill,

the details are sketchy, more an outline than an algorithm. I think there would be a lot of tuning involved to get the tests right from one stage to the next.

As to the hashing, it should act as a compression function that preserves high entropy, joining the two streams together. Perhaps it would be easier to just run Maurer's test on the XOR of the streams.

They have some graphs to show that the usb source can be used to replenish server randomness but I don't think they give a rate. I am not familiar with the company and no names are listed.

BTW, I did post a while back a thesis on the analysis of the Linux RNG (their target platform it seems) to scribd here

984 reads so far

rgs Luke


Vincent Sanders said...

Hi, Just a couple of quick points.

The Entropy Key is on general sale now via the website.

We use the Skein functions for both the hashing and encryption of the data from the device; this still leaves one shannon per bit in the resulting data.

The statistic interface gives you the values from each stage of the process as outlined in the diagram so statistical biasing etc. can be monitored by the client; however, as the key locks itself out if these values fall outside our rather conservative estimates of "good", it's difficult to observe this.

We provide the complete client daemon source under an MIT license which means everyone is free to examine the code for themselves.

The output rate is, by its nature, variable but we expect an average rate from a key of more than 30 kilobits per second.

We have run the output of several randomly selected devices through dieharder and after gathering several gigabytes of output they have always passed.

We have an IRC channel #ekey on the oftc network if you want to discuss any of this further.

Unknown said...

Thanks Vincent, I will make some changes to the post

rgs Luke

Anonymous said...

Thanks for the interesting post about entropy. The promo usb entropy drive is quite impressive, it manages to get quite close to 4096 bytes most of the time, which is brilliant for our purposes.
