Schneier on Security

Clive Robinson • July 1, 2019 6:46 PM

@ Denton Scratch,

I tried this with a reverse-biased Zener diode, feeding op-amps, feeding a voltage comparator, feeding a shift register. The analog output from the op-amps looked fine; but as soon as I coupled in the digital stuff, it all became horribly predictable. I also tried rings of inverters, as a fully-digital randomness source. That also failed – I used about a dozen inverters, I think the pro stuff uses rings with hundreds of inverters.

In theory a TRNG is easy to make, in practice however…

As you have found it can be quite difficult to get it to produce output at all let alone something that has real entropy.

First you need to understand what the circuit problems are likely to be, and also that what looks random may well not be. It can more often than not be determanistic or chaotic not truly random. In fact with most electronic analog noise sources without great care you will find that,

0, They oscillate or nearly oscillate due to excesive gain and feedback.

1, Determanistic (system) noise is likely the greatist signal.

2, Chaotic noise is most likely the next greatest signal.

3, with the true random or entropy signal being the smallest.

Thus you need to work out how to prevent oscillation and remove the system and chaotic noise, to leave a rough entropy signal. But even when you have that rough entropy signal it is as with many things likely to be biased in some way and have bandwidth limitations.

In practice you will need to add your own bandwidth and gain limitations to stop oscillation, and regenerative noise. That is system noise is predominately low frequency noise from power supplies, semiconductor noise etc. Which means putting in a filter to remove signals below a few kilohertz will remove much system noise as will not using switching power supplies unless correctly filtered to -100dBV or better below rail swing. Or differential circuit design with high CMRR low noise –not FET– opamps in instrumentation input configuration with earth guard rings around the inputs and minimal earth current is used. Likewise as low an impedence as possible used on the “zenner effect” noise source, which unfortunatly will mean high earth curents that need to be kept away from the opamp circuitry by use of seperate return circuits/traces to the lowest impedence point on the power supply filter which should use as lower ESR capacitors of as highest capacitance as possible. To get an idea of how to do this have a look at the design of either high quality DC instrumentation inputs or high quality audio preamplifiers for the likes of ribbon mics.

Thus whilst an actuall –real– Zener diode can be used the noise source that many end up using is the reversed base emmitter junction of a bipolar NPN (2N2222) transistor using two resistors of about equal value such that the reverse biased junction DC connected across the inputs to the low gain instrumentation opamp configuration. The output of which is then fed into a bandpass filter circuit.

Another way of getting the noise is to look up the design of an “HF/VHF/UHF RF Noise Source” as described in the “test instruments” section of the ARRL or RSGB manuals. Such high frequency sources can be usefull when using a “decimating” or “sampling” input via the likes of a Double or Tripple Balanced Ring Diode Mixer.

It’s very important to keep gain down and take care to avoid phase shifting feedback otherwise the circuit will either self oscillate or become “regenerative” which whilst not breaking out into self oscillation will exhibit chaotic behaviour thus chaotic noise close to the 360 degree feedback frequencies giving a very non uniform noise spectrum.

In practice I’ve found the best way to amplify the raw entropy signal after bandpass filtering is to use it to drive the input to a Voltage Controled Oscillator (VCO). This converts the entropy in the voltage domain into entropy in the frequency domain which can with a little thought can reduce feedback issues quite well. As the VCO ouput frequency is likely to be above the MF band you will need to “mix it” with another oscillator running above or below the VCO bandwidth cutoff frequency. In practice in the past I’ve used a D-Type latch as the mixer, the output of which should be monitored with a spectrum analyser (use a $15 Software Defined Radio “RTL Dongle” and any of the Open Source SDR receiver software with decent “waterfall display”) to get the desired noise spectral density in a suitable form for analysis.

What will usually be clear is that the output is offset biased. The easiest way to remove this is to feed it to a two bit shift register and feed the two inputs into an XOR gate. This is the hardware equivalent of a von Neumann “de-bias” circuit and either one of the shift register outputs and the XOR output can be feed into the inputs of a microcontroller chip.

I used a MicroChip “PIC Chip” which implemented a modified version of the ARC4 algorithm that had a state array that was 1024 bytes long. The algorithm was run in the “keying mode” continuously with the “key input” actually being from the von Neumann de-bias circuit converted into 10bit integer numbers.

Whilst the ARC4 algorithm ran as fast as it could in the PIC fore ground mode the converting of random bits into 10bit key inputs was done in the timer interupt algorithm.

Also running in the PIC interrupt was “bit banging serial convertion. This enabled a “free-wheeling” effect to interupt the main ARC4 generator so that it suffered from a fairly frequent “stop-n-go” behaviour making it’s random evolving of the ARC4 Sarray even less predictable to an observer.

I hope that gives you some “food for thought” and let me know if you need any further info.

Clive Robinson • July 2, 2019 6:15 AM

@ Bruce,

One thing it is worth users noting. From the security advisory,

A random value is used as a basis for keys derivation used by RSA and ECDSA algorithms leveraged in some YubiKey FIPS Series applications. The buffer holding the value contains some predictable content making the value less random than intended. This issue occurs during power-up of the YubiKey only.

This could lead the average user to think that only the “first use” on pluging in the device into the USB port is what is at risk.

That unfortunately is not true, you need to remember that the power to USB ports can be regarded as being under “software control” in that they can often be turned off when not in use and the computer is in a partial shutdown state (hibernate / suspend etc) in normal operation.

Thus it is possible for malicious code to cycle the USB power to the key device when ever it wishes to, as the current keys do not have power or usage/communications indicators on them.

These lack of indicators can be regarded as a security vulnerability in it’s own right as having them would alert users to “unusual activity” with the key devices.

Clive Robinson • July 3, 2019 9:58 AM

@ Jon,

That way a small cyclical signal will get lost – in that any small signal input change will cause vast differences in the output.

No it won’t get lost.

A hash of a values that are less than the hash size is in effect a simple substitution cipher with a large alphabet, nothing more.

It in no way adds entropy which is why for several decades I’ve called it “Magic Pixie-dust Thinking”.

If you consider an opponent like the NSA they will buy up one or more devices with TRNG’s in and “tear them down” to find out exactly how they work, and more importantly all the weaknesses.

They will carefully examine the output of the noise source prior to any magic pixie dust crypto and make detailed charecterisations of it and any bias and range in it’s output. They will also study the other parts of the analog circuitry for determinancy or chaotic behaviour in their output, as well.

They will use this information to produce a statistical model of the input to the hash function and then use it to build the equivalent of a sparse dictionary attack rainbow table so that they can determain synchronization points. This might be just a few thousand values either side of the effective zero crossing point or likewise a known maxima or both.

If you are going to use a crypto function on the output of a TRNG then you realy need to use a Crypto-Secure (CS) algorithim in a mode where there is a lot of feedback from the output mixed in to the input.

One such way is the equivalent of a feedback multitap shift register with nonlinear mixing, which is in effect a form of stream cipher generator.

Another is to use the likes of shift registers and block cipher such that a mixing function between various TRNG values drives the “key input” to the block cipher whilst other TRNG values drive the “data input” to the block cipher.

Another method to spread the entropy of each TRNG output across many DRNG outputs is to use an entropy mixing pool. That is you have a storage array which you mix up with a mixing function for each TRNG output, and a selection function selects a small subset ot the values in the storage array to combine in a suitable combining function such that when the result appears at the DRNG output it can not be reversed back to a unique known input even with a dictionary attack, thus the state of the storage array can not be uniquely determined from the observed output of the DRNG.

Another advantage of a storage array is that you can use it to also de-bias any residual non true entropy output from the TRNG. To see how this might be implemented look up the various “card shuffling algorithms” around.

Clive Robinson • July 3, 2019 7:56 PM

@ Alyer Babtu,

Is there a connection with the antenna-fu you describe?

Yes very much so, there is hardly a day goes by when I don’t use the products of his fertile brain.

He designed and wrote the software for the “JT” “weak signal” protocols such as JT8 that have spawned other work such as JScall etc.

Most amateur radio operators whi build and test antennas use weak signal reporting stations connected to the Internet to see where their signal is being picked up around the world.

Unfortunatly his systems don’t realy work above the bottom end of the microwave bands.

The reason is the very very narow bandwidth of the tones used requires good frequency stability with respect to the tones. Thus telling the difference between 1000Hz and 1010Hz is ~1% which requires a frequency stability of about 1/4 that which is achivable with just RC timing circuits. Now consider 10Hz difference at 1GHz (10e+9) you need stability a million times better which is beyond even TCXO’s. You can just about do it with “GPS Disciplined Oscillators” using High overtone XTAL oscillators but upwards of that you need to start using atomic standards and mixing techniques, but they run out of steam as well. Beyond that you are looking to the stars, or more specifically Joyciln Bell’s “LGM’s” and friends.

There are other techniques but they are strictly highly specialised labarotory equipment that is hand built and cryo-cooled to bring the noise down.

Clive Robinson • July 8, 2019 3:54 PM

@ Bob Paddock,

Have you looked at any of the recent MEMs parts, especially the newest 5G ones?

Even though hermeticallt sealed they don’t hydrogen or helium near them, it gets through the case and in the case of hydrogen have non reversable effects. Even helium has quite significant adverse effect on their operation, but atleast they are reversable.

Have an Internet search for “helium dump” and iPhones stoping working.

Have you ever considered what would happen if you took the ARRL Antenna Handbook and did it all backwards?

I have and currently am redoing some of it. The problem is the likes of NEC programs, whilst they arevery powerfull they are only a far from perfect “mathmatical model”. And there are somethings they definitely get wrong that with experience and pencil and graphs you can get much closer to what actually happens in practice.

Then there are “the myths” as you may know there are resonant antennas, non resonant antennas and those that behave like transmission lines that get terminated.

Traveling wave tetminated antennas might dump on average 50% of the power at the feed point into the terminating resistance, and you get mainly broadband performance as a result. However there are plebty of non terminated antennas that are at best 10% efficient. Try convincing some they are better off with a terminated antenna and you will have a sisyphean task on your hands.

One example to consider is the harmonic dipole antenna. If you center feed it you get all sorts of problems. However “ofset feed” it then conventional wisdom says 1/3 2/3 split is what you should use (it’s actually 36% 64%) but you get a better response around 1/6 5/6 and then add a resistor across the feed point. Which can be further improved with a capacitor at the dipole mid point. I’ve built a couple to use as vertical dipoles where the choked coax actually formd the 1/6th element, thus easy to throw in a tree no wories about getting the coax at 90degrees at the feed point or having to have a thoudand feet of copper wire buried an inch under the ground. There is another trick that you can do which is to shorten the 1/6th and add a “corona ring” that adds capacitance, that also acts a little like very short raised radials that change the radiation pattern benificially for some activities… So far I appear to be the only person to have done this, not that it’s clever, it’s just a logical progression.

Have any experience with Plasma Antenna’s?

Yes some I’ve made a few in the past when I had a University glass blower who normally worked in the laser lab to do things for me.

Most standard antennas can be made in glass tube with the appropriate gas in them. The problem is “striking and maintaining” the plasma. Put simply 6KV-25KV for the strike and 1.5KV-6KV for maintaining the plasma has it’s own interesting issues not least of which they need a conductor very much inside the near field…

The way I got around it was a “folded monopole” over a “ring/halo ground plane”. The not mentioned but important reason for investigating them is TEMPEST / EmSec. People tend to think antennas are only detectable when they are transmitting. The reality is they are detectable as long as they are conducting and they are just as detectable as “window” or “chaff” that has been used since WWII to jam radar systems. The thing about a plasma antenna is when there is no “struck” plasma they are non conducting glass tubes that don’t be have as resonant antennas.

Oh and antennas don’t have to be made of conductors… People tend to forget that dialectrics such as plastics, ceramics and glass “bend EM radiation” just as glass lenses focus light… I’ve got a 10GHz antenna I made with plastic disks seperated by expanded polystyrene spacers it’s incredibly light, very strong and works better than expected…

@ Wael,

Missed this reference to me because I only scan the top 100 comments these days.

Which probably means you will miss this as it’s too far down the comment to appear on the 100 last comments page. I’ve missed a few coments from @65535 and one or two other regulars I’ve only later found by accident.

I’ll wait a day or so to see if you catch this, otherwise I’ll post a short comment 😉

Clive Robinson • July 8, 2019 6:49 PM

@ Wael,

The next one was that antennas may not be “material” at all.

Yes in theory EM waves are the result of the movment of “fundemental charges”, and most “forces” can be brought to bear on them.

For instance I guess you know how a “sun and planet” cavity resonator magnetron works?

Well the principle also works as an amplifer, but as it “bunches) as well it is also behaving like a lense. Spin a tube of sufficient size woth magnets down the inside then suprise surprise it will act as a lense. Oddly at first is the notion of a “hot air lense” you simply take a metallic tube spin it around it’s axial length and heat it up with a blow torch and the difference in the density in the tube gives you a lense when you look down the inside length pf the tube. Two such tubes will give you the equivalent of an old faahioned “Spy Glass” style telescope…

Some are even talking about the lensing effect of “dark energy” though I must admit I’m somewhat skeptical about the whole “dark” notions comming out of astro physics anyway.