Using smartcard as RNG

Henry Hertz Hobbit hhhobbit at securemecca.net
Sun Apr 14 02:18:09 CEST 2013


On 04/13/2013 11:04 AM, Pete Stephenson wrote:
<SNIP>
> [1] http://www.entropykey.co.uk/ [3]
<SNIP>

Are you sure you aren't advertising it?   Using the URL
you supplied, this one has been written about and the link
you are looking for (well, at least one of them) is from
its links:

http://www.entropykey.co.uk/comments/
http://lists.gnupg.org/pipermail/gnupg-users/2009-September/037301.html

David Shaw wrote:

"The developers of  the entropy key were clever and instead of
making programs write new code to use the key, they made a
program that reads the key and feeds the Linux entropy pool.
Thus, anything that uses /dev/random (like gpg) benefits
without code changes."

Or were you after the argument that despite their best efforts
it isn't as random as hoped?  David Shaw intimates along those
lines with "evil".  I would say the self-similarity of Mandelbrot
meaning order is coming out of chaos despite our best efforts to
prevent it.  I don't think the card is some sort of malevolent
creature with a mind of its own.

You should be able to just plug it in and use it with Debian
and Ubuntu after you install the packages for handling it.  For
other Linux distros they have the source code. So from a mechanical
level (meaning no consideration of just how random it is) it works
with very little effort.

Can somebody point to code that can be used for testing how well
it works?  I as going to give my code for making alpha-numeric
hashes for athletic drug samples but it is totally unsuitable.
The labs have been broken into many times so encountering an
alpha-numeric hash rather than a name would foil sample tampering
for physical break-ins in many cases.  I was more concerned with
hash collisions and just used srand() / rand().  WADA would
probably just store the person <--> hash pairings in a DB on
their Windows machines unencrypted anyway.

HHH




More information about the Gnupg-users mailing list