public inbox for gentoo-hardened@lists.gentoo.org
From: "Tóth Attila" <atoth@atoth.sote.hu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Bought an "entropy-key" - very happy
Date: Thu, 25 Mar 2010 20:34:42 +0100	[thread overview]
Message-ID: <df44240c77199491e34fa73eee3a37ff.squirrel@atoth.sote.hu> (raw)
In-Reply-To: <alpine.LNX.2.00.1003251522310.29587@nautilus.m8y.org>

On Thu, March 25, 2010 20:23, lists@m8y.org wrote:
> On Thu, 25 Mar 2010, Ed W wrote:
>
>> On 23/03/2010 21:02, lists@m8y.org wrote:
>>> On Tue, 23 Mar 2010, Ed W wrote:
>>>
>>>> OK, so to conclude the previous thread - I bought an entropy key from
>>>> the nice folks at Simtec via http://entropykey.co.uk
>>>>
>>>> Short version is you plug it in, install the ekeyd package and even on a
>>>> hardened installation the entropy pool never deviates from full up...
>>>>
>>>> Now, at £30 it seems like a bargain for a fancy random number generator,
>>>> but then I read that the daemon can be switched to pipe the data out in
>>>> "egd" format and essentially you can have one machine supply high
>>>> volumes of random numbers for a fair number of networked clients. In my
>>>> case this solves the problem of how to pipe entropy to some cheap rented
>>>> servers where we don't get to touch the physical hardware...  Very nice
>>>>
>>>> I have no relationship with the entropy-key guys other than being a
>>>> happy customer.  They seem like a small shop and I think they deserve a
>>>> plug (and really need to work on their presence via google... Searches
>>>> on this stuff only turn up $400 alternatives... Sheesh)
>>>
>>> I'm a bit puzzled how that offers much security.
>>> Is the advantage that the algorithm for PRNG has to be extracted from the
>>> chip inside the key before it can be abused?
>>>
>>> Seems no better than, say:
>>> http://www.debian-administration.org/users/dkg/weblog/56
>>>
>>> Apart from at least adding a bit more layers in the algorithm.
>>
>> I'm not sure what you mean by the link referenced above?  The point is that
>> once the entropy pool is depleted on Linux then operations against
>> /dev/random will stall, however, the evolution on Linux has been that since
>> /dev/random is "unreliable" most apps now seem to go directly to /dev/urandom
>> which is similar, but doesn't block once the entropy pool is empty (simply
>> the quality of random numbers declines) - however, it's reverting to a pseudo
>> random number algorithm
>
> Right, he simply turned /dev/random into /dev/urandom.
> I was under the impression the entropy key was simply a fancy PRNG.  Now
> that I know it offers true randomness, I'm more impressed. Also curious
> exactly what it uses as a source.

http://www.entropykey.co.uk/tech/

Be aware of a 2.6.31 USB serial driver bug - already fixed.

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962
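Ed W mentions above that ekeyd can pipe the key's output out in "egd" format for networked clients. As an added illustration, not ekeyd's or Simtec's code, here is the read side of that exchange in Python: the daemon answers either a blocking read (EGD command 0x02, exactly n bytes back) or a non-blocking read (0x01, a length byte followed by possibly fewer bytes), and the client frames and parses each; os.urandom is a constructed stand-in for the key's output, and the command bytes follow the classic EGD protocol as implemented by egd.pl and OpenSSL's RAND_egd client.

```python
import os
import socket

CMD_READ_NONBLOCK, CMD_READ_BLOCK = 0x01, 0x02  # classic EGD read commands

def recv_exact(conn, n):
    """Read exactly n bytes from a stream socket (recv may return short)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD peer closed the connection")
        buf += chunk
    return buf

def serve_one_request(conn, source=os.urandom):
    """Daemon side: answer one read request. 'source' stands in for the key's
    output; os.urandom here is a constructed substitute, not the key itself."""
    cmd, count = recv_exact(conn, 2)
    if cmd == CMD_READ_NONBLOCK:   # reply: a length byte, then that many bytes (may be short)
        data = source(count)
        conn.sendall(bytes([len(data)]) + data)
    elif cmd == CMD_READ_BLOCK:    # reply: exactly 'count' bytes, no length prefix
        conn.sendall(source(count))
    else:
        raise ValueError(f"unsupported EGD command {cmd:#04x}")

def egd_read_request(n, blocking=True):
    """Client side: frame a request for n bytes; the count is a single byte (1..255)."""
    if not 1 <= n <= 255:
        raise ValueError("EGD read requests carry a one-byte count (1-255)")
    return bytes([CMD_READ_BLOCK if blocking else CMD_READ_NONBLOCK, n])

def egd_read_reply(conn, n, blocking=True):
    """Client side: parse the reply; a non-blocking reply may carry fewer than n bytes."""
    if blocking:
        return recv_exact(conn, n)
    return recv_exact(conn, recv_exact(conn, 1)[0])

def fetch(n, blocking=True, source=os.urandom):
    """One whole exchange in-process over a socketpair. A single thread suffices
    because the 2-byte request and the <=256-byte reply both fit in socket buffers."""
    client, server = socket.socketpair()
    try:
        client.sendall(egd_read_request(n, blocking))
        serve_one_request(server, source)
        return egd_read_reply(client, n, blocking)
    finally:
        client.close()
        server.close()
```

Over a real deployment the same bytes travel a Unix or TCP socket between ekeyd and its clients; only the in-process socketpair is specific to this demonstration.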