I think what's so attractive about the RTL-SDR devices is that they're so cheap and have such a huge variety of applications.
With a $10 dongle, you can go from tracking airplanes, to reading your wireless electric meter, to listening to local amateur radio, and then to an additional entropy source.
I double I'll ever get tired of playing with this little radio.
one of the dangers of the RTL entropy source project is not that it is predictable, but that it can be made to become predictable. By determining the frequency the device is listening on, you could inject a signal over the air that causes the entropy to conform to a known pattern. Even Lavarand users blend their entropy sources.
Ive used the RTL as a blended entropy source for my kubernetes pi cluster project, but blended it with signal data from the open source FST-01 from the flying stone project. this in turn gets randomly audited by dieharder. http://webhome.phy.duke.edu/~rgb/General/dieharder.php
My RTL entropy generator changes frequencies every 6 hours to a frequency determined by a script referencing /dev/urandom.
> If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 75 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio.
It's still always possible to just generate any radio signal close to the SDR at a low enough power that no one else can pick it up. Also, it would require special SDR transmitters, but you could in theory transmit on every frequency that an RTL-SDR could pick up (again, close by at a low power so you don't disturb other stuff).
A simple comb generator would fill all the frequencies nicely, and is very cheap compared to an SDR transmitter. I have no idea how useful the comb waveform is to "break" the RNG output though.
My company sponsored some enhancements to this project several years ago and I blogged about it back then (without much interest).
I still think it's a great effort but as others have pointed out here it shouldn't be your only source of entropy and I'd feel a lot better about it if it were properly reviewed/hammered on.
Still, it's really cool to randomly see the project front page on HN years later!
That would mean that the attacker can already predict /dev/urandom, rendering it effectively useless. So the parent is right, "the result will be as strong as the best source of entropy", if both sources are bad then the result will be as well.
It is true under the assumption that the two sources are independent of each other. If one of the sources is entirely known or predictable, this will not affect the entropy of the other source.
You have two adversaries. Adversary A have control over your hardware source, and adversary B have control over /dev/urandom. If you XOR them A and B must cooperate to compromise your random generator. You can combine as many sources of randomness as you want, and each increase the difficulty for an adversary to defeat your generator.
In most cases you can use the Intel CPU included RNG by installed rng-tools to feed it into the kernel entropy pool
Otherwise I’d be happier using a similarly priced USB tool that is at least designed for the job such as the ChaosKey which is also open hardware and firmware and has a Linux driver in tree
Edit: Just curious: are people downvoting because they disagree with my proposed spelling, or because they don't like the correction? Please let me know so I can integrate this knowledge into future comments.
Thermal and other noise by analog electronic parts (resistors, transistors pushed to high gain etc.) comes to mind. They are much safer compared to an online service, app or a piece of hardware one doesn't have the source for, but I have no idea if that noise is good once sampled to be used in cryptography or other non-analog fields.
You have to sample the noise, and deskew it, and check the components are still operating. This is where the errors normally lie.
It's probably a fun project to try, but I'd be wary of using it for cryptography if only because we have other better methods.
I collected a bunch of links a while ago. Here they are, I don't know if these are still working or interesting, but they might be useful: https://news.ycombinator.com/item?id=6060636
I've seen enough of these discussions to be able to parrot back to you some of the usual responses. Basically, say that you point your webcam at a perfectly black sheet (0x000000 in color). Will you get any actual entropy from this? No.
Now say you point your webcam at the night sky. On a clear night, I will more or less know what your camera is looking at, and will be able to to narrow down the huge field of possible values presented by sha256 to a much smaller set of possibilities. Knowing when you generated your private key and your method of getting entropy, I will be able to crack your key much easier (doesn't mean easy, just many orders of magnitude easier).
Now, say you point your webcam at a lava lamp, or the display showing characteristics of some quantum process, or something else provably random. Here I can't really tell wtf your camera is looking at. I can of course go and slide that black sheet in front of your camera for a bit. Or stand in front of it. But if you physically secure your camera, then yeah you are doing something right (though of course not everything, as it's quite possible that something in your algorithm is in fact reducing your possible output to only some subset of possible values produced by sha256).
It's the same thing with radio. If you tune it to a signal that's producing a sine wave with a stable frequency... I know exactly what your input is. If you tune it to something like the BBC, I know exactly what your input is, even with some noise. If you tune it to something really random, can I just put a very strong transmitter near your receiver and overwhelm the spectrum such that you are listening to only my signal? And the best part is that you won't know that this is happening even more than with a webcam.
Personally, I wouldn't really want to trust these devices. They are fun. but they aren't practical for this purpose. Where you need real entropy is a data center. And a data center won't be receiving too much radio.
Again, parroting every other thread about this, a reverse biased transistor will give you true quantum randomness which is very cheap, very easy to produce, and is difficult to temper with at a distance without disrupting the rest of your equipment too.
Again, you don't need as much entropy as you think. Your kernel will seed a CSPRNG with a tiny bit of entropy, which is enough to keep you safe for eons after that. You can't "run out" of entropy with that scheme. The biggest issue is to initialize the random number generator with true entropy before you start using it, which is only difficult if you are running virtual machines and the host doesn't provide entropy to it. I believe at least in some schemes the seed used is based on time or some such predictable factor, which doesn't help.
How will you be able to reduce the field of possible values presented by sha256 if you approximately know the source image? There is still noise in the image and several orders of magnitude more data. You assume that brute forcing similar images and hashing the result would be easier than just brute forcing the sha256.
That's exactly what I assume. If I know 90% of the image, but need to brute force 10%, I just reduce the possible field of values by an order of magnitude. The better I know what the image was to begin with, the easier it gets. That's exactly why poor RNGs are bad: I can brute force the value by knowing your method + approximately your input.
And if I can affect the image in a way that makes it even more predictable (black sheet over the camera, bright white light into the camera), it gets even easier.
Doing a little back-of-the-envelope math, a 1080p image has a total of 1920x1080x3 = 6,220,800 subpixels. That means each subpixel needs to have less than 0.00004 bits of entropy for there to be less than 256 bits in a single image. Surely a typical consumer CCD will introduce more noise than that. A potential catch is that the noise is likely correlated to a degree. Still, it's not clear that even a webcam pointed at a black sheet of paper is insufficient as a source of entropy.
10% of 1 megapixels divided by 24 is 4166. So, even if you only consider the least significant bit of one of the three subpixels in 10% of the image you still have 16 times more information than what you can represent in a SHA256 hash from a measly 1 megapixel image.
I think it is valid to question how you could reduce the search space enough to be more beneficial than brute forcing SHA256.
This is an interesting project and I've played with it in the past.
Note, however, you should not use this for any real purpose. I saw a video on Youtube a while back of the author presenting this (at a LUG meeting or some such) and even he warns against using it for any real purpose.
So play around with it, hack on it, etc., but do not, by any means, incorporate this into any process that requires actual entropy for cryptographic purposes.
A digital TV signal is a lot more repeatable than an analog one. A digital signal doesn't have the "TV static" effect of an analog signal that may introduce different entropy between two devices pulling the same signal in different locations
I'm not sure I agree that a digital TV signal has more repetition than analog. It is possible, but worth investigating.
That said, although the DVB-T dongles were intended for digital TV use, the typical demodulators (such as http://www.amateur-radio-wiki.net/index.php?title=RTL2832) have an extremely wide frequency range and can be repurposed all over that range.
Absolutely use extreme caution when adopting a new source of entropy.
Von Neumann debiasing is well known, but I was unable to find a reference for Kaminsky debiasing . Can anyone point me to a description of what that is?
I have used youtube-dl with video_entropyd on a newly created DO server. Could be a nice alternative for anyone who hasn't physical access to their server to install such a dongle.
Putting it in a box (what they suggest as an alternative) is better, and you don't need the RTL for that. The whole point is to take as local a measurement as you can.
With a $10 dongle, you can go from tracking airplanes, to reading your wireless electric meter, to listening to local amateur radio, and then to an additional entropy source.
I double I'll ever get tired of playing with this little radio.