Welcome to the Entropics: Boot-Time Entropy in Embedded Devices

We present three techniques for extracting entropy during boot on embedded devices. Our first technique times the execution of code blocks early in the Linux kernel boot process. It is simple to implement and has a negligible runtime overhead, but, on many of the devices we test, gathers hundreds of bits of entropy. Our second and third techniques, which run in the bootloader, use hardware features (DRAM decay behavior and PLL locking latency, respectively) and are therefore less portable and less generally applicable, but their behavior is easier to explain based on physically unpredictable processes. We implement and measure the effectiveness of our techniques on ARM-, MIPS-, and AVR32-based systems-on-a-chip from a variety of vendors.