Using smartcard as RNG

Henry Hertz Hobbit hhhobbit at securemecca.net
Sun Apr 14 07:23:17 CEST 2013


On 04/14/2013 12:55 AM, Hauke Laging wrote:
> On Sun 14.04.2013, 00:18:09, Henry Hertz Hobbit wrote:
>> On 04/13/2013 11:04 AM, Pete Stephenson wrote:
>> <SNIP>
>>
>>> [1] http://www.entropykey.co.uk/ [3]
>>
>> <SNIP>
>>
>> Are you sure you aren't advertising it?
> 
> Would that make sense? I tried to buy one months ago. Ordered it via their web 
> page (and Google) and never heard of them. Not even when asking what's up.

I am sorry you are having problems getting it but I do NOT
represent the company in any way.  I knew nothing until the
original question was posed.  Aaron Toponce, Werner and others
know MUCH more than I do.  It is also time for them to speak
up and for me to butt out.

The original question doesn't make sense either given how easy
it was for me to find the answer.  Well it is easy for somebody
like me who can find almost anything on the Internet and even
see some of the problems with hashed JS scripts without even
unsalting them.  I also have one of the RealTek SHA1 certs
that was used in Stuxnet.  It passed muster until the keys
were revoked.  What I had was NOT Stuxnet.  I got it from a
middle school in Southern California.  Think about that long
and hard before specifying SHA1 as your first hash choice.

Maybe you are using the wrong search engine or typing something
wrong or accepting their changes.  I just gave entropykey as the
search term to DuckDuckGo.com and came up with much better
results than those purportedly bad hosts somebody had.  Here is
one of the links:

http://pthree.org/2012/10/05/the-entropy-key/

I have Aaron's key on my key-ring.  Look up
aaron(GNAT)rootcertified.com at MIT's key server and import
his key to see his email addresses.

http://pgp.mit.edu/

I suggest using his gmail address.  Anyway, Aaron said he has
purchased five of them.  They do say on the order form page
that it is in high demand right now.  Aaron will more likely
represent Ubuntu rather than entropykey.co.uk.  He posted it
on 2012-10-05 if that helps you make sense on why you are
having problems getting yours.  But Aaron says they are NOT
mixing them into /dev/random but have their own /dev/entropykey/
folder and you use the ekeyd daemon which sets up a tty for
each connection there.  That means code changes WOULD need to
be made for gpg and other applications (and that means it is
time for me to shut up and let Werner and the others write).

What I was referring to in the Benoit Mandelbrot self similarity
was that IBM was using the telephone lines for SNA networking.
Benoit was assigned to find why there was a problem with what
they thought were random glitches in the transmission.  What he
found was it wasn't random at all.  The disturbance periods were
periodical (but not symmetric) and repeating in nature.  Even
worse than that, when you made the time durations either longer
or shorter the very same patterns showed up.  When they say
they are using PN semiconductor junctions reverse biased driven
to high enough voltages to be near to but not beyond breakdown
in order to generate noise I begin to get worried.  But without
hard tests by MANY people you have no way of knowing just how
random they are.

HHH
PS  Don't be surprised if they show up packaged in a Brillo box.
    #^)  - Fairchild Semiconductor
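
Added example, not part of the original message: one way to look for the kind of structure described above, where patterns persist when the time window is made longer or shorter. It correlates adjacent blocks of bits at several block sizes; both bit sources, all function names and the parameter values are constructed for illustration, and passing this single check does not establish that a source is random.

```python
import random

def lag1_autocorr(xs):
    """Lag-1 autocorrelation; about 0 for independent samples."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0:
        return 1.0  # constant output is fully predictable
    cov = sum((xs[i] - mean) * (xs[i + 1] - mean) for i in range(n - 1))
    return cov / var

def multiscale_autocorr(bits, scales=(1, 16, 256)):
    """Sum the bits in blocks of each size, then correlate adjacent blocks."""
    out = {}
    for s in scales:
        blocks = [sum(bits[i:i + s]) for i in range(0, len(bits) - s + 1, s)]
        out[s] = lag1_autocorr(blocks)
    return out

def uniform_bits(n, seed):
    """Constructed reference: seeded PRNG bits (stand-in for a good source)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def bursty_bits(n, seed, alpha=1.5, min_run=8, p_hi=0.9):
    """Constructed faulty source: alternating biased bursts whose lengths
    are heavy-tailed (Pareto), so bursts occur at every time scale."""
    rng = random.Random(seed)
    bits, hi = [], True
    while len(bits) < n:
        run = min(n, int(min_run * rng.paretovariate(alpha)))
        p = p_hi if hi else 1.0 - p_hi
        bits.extend(1 if rng.random() < p else 0 for _ in range(run))
        hi = not hi
    return bits[:n]

if __name__ == "__main__":
    n = 1 << 20
    for name, bits in (("uniform", uniform_bits(n, 1)), ("bursty", bursty_bits(n, 2))):
        print(name, {s: round(r, 3) for s, r in multiscale_autocorr(bits).items()})
```

For the reference source the coefficients stay near zero at every block size; for the bursty source they stay clearly positive as the block size grows, which is the scale-independent pattern the message describes.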




More information about the Gnupg-users mailing list