Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com)

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and what entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
  • why is this needed? (Score:5, Interesting)

    by slashmydots ( 2189826 ) on Thursday May 26, 2016 @02:09AM (#52185355)
    Why are people still complaining about random numbers? Over 10 years ago I saw a documentary that showed off a quantum photon splitter PCI card that could go in any computer. The API let you generate random numbers based on splitting photons left or right and it was deemed closer to 50% each side than any other randomizing system ever invented. So...what happened to that? Doing quantum tasks with photons is actually relatively easy so the story was believable. I can't think of a better way in the physical universe to generate random numbers. So besides the problem of requiring volunteers running relays to have one of these custom pieces of hardware, why don't they attempt to use this solution?
    • They won't fit in a laptop.
      • by Dr_Barnowl ( 709838 ) on Thursday May 26, 2016 @03:11AM (#52185497)

        You don't need special magic entropy cards, there's entropy all around most computers in the form of white noise - just use randomsound [ubuntu.com]. Solves the problem on most laptops because they have a built in mic.

        • by Anonymous Coward

          Sure there's entropy in the natural environment. Problem is you have no idea how much. What looks random to you might have been carefully crafted by the enemy. Trusting the environment is a really, really bad idea in cryptography.

        • by geek ( 5680 ) on Thursday May 26, 2016 @09:26AM (#52186891)

          Entropy is a problem in VM's, especially when they don't have actual devices attached.

        • by DrXym ( 126579 )
          Or use your fingers. Assuming you're using the PC that needs the entropy then every time you type or move the mouse you're basically stirring the pool. On a Linux PC, you can add sources of entropy to the /dev/random including noise but anything you like. I assume anyone *that* paranoid about randomness certainly wouldn't be asking Tor to provide them with some random numbers.
        • Any method of producing 'random' numbers or bits that can be subjected to any sort of attack to influence or control its output has to be excluded from the list of 'valid' sources. Guarantee you that anything using a microphone as input can be manipulated to produce a predictable output. Do you really want your banking transactions' encryption keys protected by such a source? I think not.
    • by jonwil ( 467024 )

      What about people running TOR nodes on computers that cant use one of these cards for whatever reason?

    • by ledow ( 319597 ) on Thursday May 26, 2016 @02:46AM (#52185459) Homepage

      Because paying for cards for every machine in the world, and mandating their use for every transaction from any machine, plus avoiding that device being compromised by a government entity, or turned into a TPM module is difficult enough.

      Seriously, imagine if your bank said, to comply with PCI DSS standards, you had to install this special card in your server.

      1) That's enforced server downtime.
      2) Most servers are virtual nowadays and not actually physical (and thus you can't guarantee that that "PCI card" your computer sees is even a real PCI card)
      3) Are you going to trust a random piece of government- or even bank-mandated hardware in your machine reading the entire memory bus?

      Nobody would touch it, even in the server-arena, let alone "every client in the world".

      There are already lots of "random number generator" hardware, everything from white-noise microphones to random instructions inside chips based on quantum noise (now obsolete and nobody really used them, except VIA chips). Nobody touched them. Where it matters, hardware exists to make it happen. Few use it.

      Mandating it to every client or even every SSL-using server? Good luck. It just doesn't provide an advantage. Even those places with SSL accelerators (that just offload SSL transactions kind of like a reverse proxy) don't use them.

      And the fact is that almost every weakness so far is not in the choice of random numbers but in the way those random numbers are handled later on. Except for embedded boards and no-permanent-state devices (which you should realise shouldn't be used for this kind of thing), filling up the entropy pool on any modern, network connected machine is pretty trivial.

      • by Hentes ( 2461350 )

        There's no reason to buy a separate card though, most modern cpus have builtin hardware rng [wikipedia.org].

        • by Anonymous Coward

          That are black-boxes without any information given from the manufacturer of how it does it..

          But sure, those are useful as *one* of the sources of data you feed to the PRNG you run.. The more sources the better... If one source is "corrupt" it does not make the whole PRNG to fail..

          • by Hentes ( 2461350 )

            When your processor is compromised, everything is compromised. If you believe your cpu is malicious, the rng is the least of your worries. Guess what, your "secure" prng also runs on the cpu.

    • That alone warrants that it will never be a consumer product, unless provided ad hoc on main boards. Remember Tor is used by normal average consumers (with respect to using such specialized hardware).
    • For some purposes (and I don't know if this applies to Tor's intended use) I've heard that real physical sources of entropy simply don't generate it fast enough, especially after their output bit rate has been reduced by whitening to remove bias and correlation.
    • by gweihir ( 88907 )

      These things are unworkable in practice. Too expensive, too unreliable and nobody wants to pay for them. OS support is typically lacking as well.

    • Note: I am not associated with the Tor project, just an interested observer. I happen to be implementing a similar protocol for something else.

      Because it needs to be resistant to compromised nodes. The reason for this is that hidden service connection details (though not the server IP obviously, since all of this happens through Tor channels) are stored in directory servers which are randomly assigned each day. The choices of directory server are derived from a pseudo-random string [1] [torproject.org]

      descriptor-id =

  • by andrewbaldwin ( 442273 ) on Thursday May 26, 2016 @03:01AM (#52185479)

    Just use the daily finance / economic forecasts and predictions of the impacts on personal budgets, jobs, immigration.... that are being spouted by both sides of the current BREXIT** debate.

    This can be generalised to any politician's promises but the current round are particularly egregious.

    ** Referendum for UK to leave/remain in the EU

  • White Noise (Score:4, Interesting)

    by Dr_Barnowl ( 709838 ) on Thursday May 26, 2016 @03:07AM (#52185489)

    I ran into entropy problems when signing a lot of JAR files in a build process - turns out modern computers with their large RAM that caches disk etc don't generate as much entropy as they used to.

    The solution I used was the randomsound [ubuntu.com] daemon, which samples white noise from your mic to inject into your entropy pool.

    Why not just use that? There's a crapload of white noise in most server rooms, even near most consumer PCs (just tape a mic next to one of the cooling vents). Actual genuine entropy rather than this card-shuffled pseudo entropy - making things complex just obscures things further, it doesn't really create randomness.

    • by Viol8 ( 599362 )

      I suppose one argument against is that any white noise from a device not designed to generate pure white noise could be biased in some way and while this wouldn't make it predictable it could narrow its range of truly random values.

      However I agree that it's still better than the pseudo random stuff we use now. It's not like an analogue white noise generator would be hard to build and include in a CPU which could then be A->D'd by the chip and an instantaneous value made available via a register.

    • I would think that in a modern world, that sound is one of the most predictable sets one can choose from. Our world is filled with white noise that is actually cyclic in nature, which produces random noise, but with very little variation, which makes the sample set much smaller than you would think. This is why sound engineers can filter ambient sounds from audio to isolate the actual sounds they want to hear.

      My guess, is that the best way to generate truly random numbers is to combine several sources toget

    • by gweihir ( 88907 )

      And then you have a machine with a digital input that is actually fed digital music. And, oops, you are screwed. The problem here is that for one user that knows what he is doing, this is fine. As a general solution, this falls flat on its face. The actual solution would be something like the Intel RDRAND instruction, but unfortunately that is a compromised design that you cannot trust. ("Compromised Design" means they can swap out the actual secure implementation for a compromised one and the design preven

    • by CAIMLAS ( 41445 )

      Virtualized platforms also have a hard time with entropy, as their hardware is emulated.

      There are several daemons you can use, eg. haveged or randomsound, or entropyd. You can also use network broadcast traffic to seed entropy (can't recall how at the moment), and various other sources. What's needed, I think, is a means to source all of these to generate entropy so this becomes less of a problem.

  • Someone putting a number of RNG systems onto TOR so they control providing the "random" number.

  • by Anonymous Coward

    In the world of crypto, I'd much rather be using something that's been around long enough to be thoroughly analysed. Every so often someone pops up with something new and exciting and different, then six months later gets shot down by the experts who describe exactly how to break it.

    Telling us "even the authors can't predict what will come out of it" doesn't raise my confidence, either. I'd be a lot happier with a statement like "rigorous analysis shows that the random numbers generated will be uniformly di

  • What happened to "Randomize timer"?
  • by rebelwarlock ( 1319465 ) on Thursday May 26, 2016 @07:05AM (#52186121)
    "Shake laptop to generate private key."
  • What the hell is a distributed ranger?

    Sent from FF XI.

    • A distributed ranger is one what was left sitting on a railroad crossing until a freight train arrived.

  • The generation of random numbers is too important to be left to chance.
  • My parents had gotten the conference calling feature with our new phone service, and my friends and I decided to try a pen and paper RPG session over the phone, instead of having to meet up at one person's house. We ran into an obstacle with the dice rolls. The players wanted to make their own dice rolls - they felt that their characters' fate should be in their hands and thus they should be the ones to roll the dice. I was GM and worried that players would cheat on the dice rolls if I couldn't see the d
    • ... I had them roll a die and tell me the result. Then I flipped a coin. Heads, their die roll stood. Tails I used 7 minus their die roll (we were playing Traveller, which only used d6), which inverted the result of their roll. They got the satisfaction of controlling their own fate by rolling their own dice, and I was satisfied there was no cheating going on.

      While this solved the immediate problem of being able to trust the players, it fails to provide any guarantee to the players that you aren't cheating when it comes to the coin-flip. You know their dice roll before you report the coin result, so you could easily manipulate the outcome (to an extent; you can only choose between N and 7-N).

      I'm not quite sure how to reduce this to something you could easily do by hand, but there is a way around this issue when computers are involved. Instead of a dice roll, gen

      • GM = God. It doesn't matter if God cheats.

        • GM = God. It doesn't matter if God cheats.

          Then why bother with the players' input at all? Just have the GM choose the result. While the GM may be the ultimate authority, the players clearly do care about the GM's ability to influence the result, or they would just let the GM roll the dice for them.

          Anyway, the principle is applicable to situations other than role-playing games where it is important that neither side has the ability to cheat. For example, online blockchain-based lottery systems like SatoshiDice are based on a similar principle, with

    • by Agripa ( 139780 )

      Cryptography can be used to generate shared random numbers for multiple parties.

      https://en.wikipedia.org/wiki/... [wikipedia.org]
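The "distributed RNG" in the summary (several computers each contribute, the contributions are blended) and the dice-plus-coin-flip exchange above are both instances of commit-then-reveal shared randomness, the thing Agripa's link points at. As an added illustration written for this page (this is not Tor's implementation, and the `shared-rng-v0:` tag and the party names are made up), here is a toy round in Python: each party commits to a hash of its secret before anyone reveals, then all reveal, and the output is a hash over every reveal in a fixed order. A party that has already committed cannot change its contribution after seeing the others', and one that tries is caught by the commitment check.

```python
"""Toy commit-then-reveal shared randomness.

Several parties each contribute a secret; every party commits to a hash of its
secret before anyone reveals, then all reveal. The shared output is a hash over
all reveals in a fixed order. Added example for this page, not Tor's code; the
tag below and the party names are made up.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

TAG = b"shared-rng-v0:"  # hypothetical domain-separation prefix


def make_secret() -> bytes:
    """Fresh 32-byte contribution from the local OS CSPRNG."""
    return secrets.token_bytes(32)


def commitment(secret: bytes) -> bytes:
    """H(tag || secret): binds a party to its value before it sees any reveal."""
    return hashlib.sha256(TAG + secret).digest()


def combine(reveals: Dict[str, bytes]) -> bytes:
    """Mix all revealed secrets. Sorting by party name makes the result
    independent of the order in which reveals arrived, so every honest party
    computes the same 32 bytes from the same set of reveals."""
    h = hashlib.sha256()
    for name in sorted(reveals):
        h.update(name.encode() + b"=" + reveals[name] + b";")
    return h.digest()


def run_round(contributions: Dict[str, bytes],
              late_swap: Optional[Dict[str, bytes]] = None,
              ) -> Tuple[Optional[bytes], List[str]]:
    """One round of the protocol.

    Phase 1: each party publishes commitment(secret).
    Phase 2: each party reveals its secret; everyone checks it against the
             published commitment before mixing.

    `late_swap` models a cheater who, after seeing the other reveals, tries to
    reveal a different value than the one it committed to.

    Returns (shared_output, []) on success, or (None, [cheaters]) if any reveal
    fails its commitment check.
    """
    commits = {p: commitment(s) for p, s in contributions.items()}
    reveals = dict(contributions)
    if late_swap:
        reveals.update(late_swap)
    cheaters = [p for p in sorted(reveals) if commitment(reveals[p]) != commits[p]]
    if cheaters:
        return None, cheaters
    return combine(reveals), []


if __name__ == "__main__":
    parties = {name: make_secret() for name in ("alice", "bob", "carol")}
    out, bad = run_round(parties)
    print("shared value:", out.hex(), "cheaters:", bad)

    # carol, having seen the others' reveals, tries to swap her contribution
    out, bad = run_round(parties, late_swap={"carol": make_secret()})
    print("after late swap:", out, "cheaters:", bad)
```

Two caveats a practitioner would want. First, the output is unpredictable as long as at least one contributor's secret is, which is the same reason the comments above recommend feeding several local sources into one pool: the mixing step is the same hash, and one corrupt source does not sink it. Second, this toy does not handle a party that commits and then refuses to reveal after seeing everyone else's value; that withholding lets it choose between "this round's output" and "no output", which is a bias, and a real protocol has to deal with it (penalties, fallbacks, or a scheme where reveals cannot be withheld). Nothing here should be read as a description of how Tor's design handles that.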

  • And you should care why

    the philosophical question what "random" means is completely immaterial

    Yes, just like ALL philosophical questions, isn't that right?
    We just need to get our job done and then EVERYTHING is just fine! We don't have to worry about anything else, ever. Curiosity killed the cat. Blinders on, job done, life good. This is how our ancestors went from common apes to homo sapiens. And anyway, what makes it doesn't keep it!

    Or you could not be fucking retarded.
    It may be tempting to go with the fl

  • Hardware RNGs are like 50 bucks. Wikipedia even has a compare page, and you can go higher if you need to. It is unusual to need a shockingly large amount of random bits to begin with, after all.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    So this TOR thing is nice, especially because computers baseline can generate pseudorandom numbers pretty darned quickly, and merging them is better than not merging them. But if you, personally, care, using a hardware RNG and having it seed and combine with your prng (such as Linu

  • Not even Tor devs can predict the output of the new distributed RNG

    No shit Sherlock. No devs of any RNG should be able to predict the output when it's deployed. And Tor devs are not a team of Avengers.

  • People keep talking about getting the "perfect" random number. Since when is the random number the weakest link in security?
    Just throw some mouse, keyboard, microphone input into your pseudorandom number generator, and it's impractical to break.

  • I believe that every town should have their own entropy source. It should probably be an offline source. Where the citizens can come and obtain large amounts of entropy onto say a DVD or USB stick. This source should be protected by armed authorities. Our leaders and lawmakers should be working to empower individuals with high security and best practices to ensure individual privacy. This is the type of government I want.
