Re: [gentoo-hardened] Bought an "entropy-key" - very happy

[lists@m8y.org]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2313 bytes --]

On Thu, 25 Mar 2010, Ed W wrote:

> On 23/03/2010 21:02, lists@m8y.org wrote:
>>  On Tue, 23 Mar 2010, Ed W wrote:
>> 
>> >  OK, so to conclude the previous thread - I bought an entropy key from 
>> >  the nice folks at Simtec via http://entropykey.co.uk
>> > 
>> >  Short version is you plug it in, install the ekeyd package and even on a 
>> >  hardened installation the entropy pool never deviates from full up...
>> > 
>> >  Now, at £30 it seems like a bargain for a fancy random number generator, 
>> >  but then I read that the daemon can be switched to pipe the data out in 
>> >  "egd" format and essentially you can have one machine supply high 
>> >  volumes of random numbers for a fair number of networked clients.  In my 
>> >  case this solves the problem of how to pipe entropy to some cheap rented 
>> >  servers where we don't get to touch the physical hardware...  Very nice
>> > 
>> >  I have no relationship with the entropy-key guys other than being a 
>> >  happy customer.  They seem like a small shop and I think they deserve a 
>> >  plug (and really need to work on their presence via google... Searches 
>> >  on this stuff only turn up $400 alternatives... Sheesh)
>>
>>  I'm a bit puzzled how that offers much security.
>>  Is the advantage that the algorithm for PRNG has to be extracted from the
>>  chip inside the key before it can be abused?
>>
>>  Seems no better than, say:
>>  http://www.debian-administration.org/users/dkg/weblog/56
>>
>>  Apart from at least adding a bit more layers in the algorithm.
>
> I'm not sure what you mean by the link referenced above?  The point is that 
> once the entropy pool is depleted on Linux then operations against 
> /dev/random will stall, however, the evolution on linux has been that since 
> /dev/random is "unreliable" most apps now seem to go directly to /dev/urandom 
> which is similar, but doesn't block once the entropy pool is empty (simply 
> the quality of random numbers declines) - however, it's reverting to a pseudo 
> random number algorithm

Right, he simply turned /dev/random into /dev/urandom.
I was under the impression the entropy key was simply a fancy PRNG.  Now that I know it offers
true randomness, I'm more impressed. Also curious exactly what it uses as a source.