OneRNG Hardware Random Number Generator
I’ve wanted a hardware random number generator since I read about them in a tutorial for setting up a GnuPG Smart Card, but the one they used wasn’t being manufactured anymore. Enter the OneRNG.
I started my search for another one and came across the OneRNG. At the time of purchase, I paid $40 and waited for it to arrive. I ended up waiting a couple of weeks since it shipped from China.
Once it arrived I installed the software and tested it out.
Inspecting the OneRNG
One of the ‘features’ of this device is that it’s completely open. Open meaning open source software and hardware. You can physically inspect every aspect. They have images and schematics you can compare your device with to ensure that your device hasn’t been tampered with in transit. I looked mine over and took some pictures.
Take the ‘tin foil hat’ off and it reveals the components:
The back of the device is pretty boring, but you can see the traces.
Setting up the OneRNG
It doesn’t take much to get going with the OneRNG. A few packages and you’re ready to create oodles of random data.
Installing software
- In order for this thing to work properly, we need to install some packages on our host system:
[user@mainpc:~]$ sudo apt install at openssl python-gnupg rng-tools
- Finally, download the host software from their site, verify, then install it:
```
[user@mainpc:Downloads]$ wget -O onerng.deb 'https://github.com/OneRNG/onerng.github.io/blob/master/sw/onerng_3.6-1_all.deb?raw=true'
[user@mainpc:Downloads]$ sha256sum onerng.deb
a9ccf7b04ee317dbfc91518542301e2d60ebe205d38e80563f29aac7cd845ccb  onerng.deb
[user@mainpc:Downloads]$ sudo apt install ./onerng.deb
```
You can (and should) verify what I typed here at the Official Site: http://onerng.info/onerng/
rng-tools service
I noticed that rng-tools was failing to start due to not finding a hardware RNG device to use.
- Check the status of the service:
```
[user@mainpc:~]$ systemctl status rng-tools
● rng-tools.service
   Loaded: loaded (/etc/init.d/rng-tools; generated)
   Active: failed (Result: exit-code) since Tue 2020-06-16 13:31:13 EDT; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29738 ExecStart=/etc/init.d/rng-tools start (code=exited, status=1/FAILURE)

Jun 16 13:31:13 mainpc systemd[1]: Starting rng-tools.service...
Jun 16 13:31:13 mainpc rng-tools[29738]: Starting Hardware RNG entropy gatherer daemon: (Hardware RNG dev>
Jun 16 13:31:13 mainpc rng-tools[29738]: /etc/init.d/rng-tools: Cannot find a hardware RNG device to use.
Jun 16 13:31:13 mainpc systemd[1]: rng-tools.service: Control process exited, code=exited, status=1/FAILU>
Jun 16 13:31:13 mainpc systemd[1]: rng-tools.service: Failed with result 'exit-code'.
Jun 16 13:31:13 mainpc systemd[1]: Failed to start rng-tools.service.
```
Fixing it
I was able to fix it by editing /etc/default/rng-tools and pointing it to /dev/ttyACM0.
- Edit the file:
[user@mainpc:~]$ sudoedit /etc/default/rng-tools
- Uncomment and edit:
HRNGDEVICE=/dev/ttyACM0
- Start the service:
[user@mainpc:~]$ sudo systemctl start rng-tools.service
- Check the status:
```
[user@mainpc:~]$ systemctl status rng-tools
● rng-tools.service
   Loaded: loaded (/etc/init.d/rng-tools; generated)
   Active: active (running) since Tue 2020-06-16 13:35:07 EDT; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17170 ExecStart=/etc/init.d/rng-tools start (code=exited, status=0/SUCCESS)
    Tasks: 4 (limit: 4915)
   Memory: 708.0K
   CGroup: /system.slice/rng-tools.service
           └─17172 /usr/sbin/rngd -r /dev/ttyACM0

Jun 16 13:35:07 mainpc systemd[1]: Starting rng-tools.service...
Jun 16 13:35:07 mainpc rng-tools[17170]: Starting Hardware RNG entropy gatherer daemon: rngd.
Jun 16 13:35:07 mainpc systemd[1]: Started rng-tools.service.
Jun 16 13:35:07 mainpc rngd[17172]: rngd 2-unofficial-mt.14 starting up...
Jun 16 13:35:07 mainpc rngd[17172]: entropy feed to the kernel ready
```
System Info
Here’s the output of a few commands, showing what the system reports when the device is installed.
Package
Let’s check to make sure the host software was installed properly.
The two i's (ii) at the beginning of the output stand for:
- status = installed
- error = none
```
[user@mainpc:~]$ sudo dpkg --list onerng | tail --lines 1
ii  onerng  3.6-1  all  Driver for the OneRNG open source hardware entropy generator
```
dmesg
Now we can check to see if the system recognizes it and what tty it’s assigned to.
```
[user@mainpc:~]$ sudo dmesg | grep usb
[    1.887348] usb 2-8: new full-speed USB device number 5 using xhci_hcd
[    2.030122] usb 2-8: New USB device found, idVendor=1d50, idProduct=6086
[    2.030124] usb 2-8: New USB device strings: Mfr=1, Product=3, SerialNumber=3
[    2.030125] usb 2-8: Product: 00
[    2.030126] usb 2-8: Manufacturer: Moonbase Otago http://www.moonbaseotago.com/random
[    2.030126] usb 2-8: SerialNumber: 00
[user@mainpc:~]$ sudo dmesg | grep ttyACM
[   20.423233] cdc_acm 2-2:1.0: ttyACM0: USB ACM device
[  105.404973] cdc_acm 2-1:1.0: ttyACM0: USB ACM device
```
lsmod
Checking that the system modules are in use
```
[user@mainpc:~]$ lsmod | grep cdc_acm
cdc_acm                28672  2
usbcore               253952  7 usbhid,ehci_hcd,cdc_acm,usblp,xhci_pci,xhci_hcd,ehci_pci
```
lsusb
Gather all the info about the device plugged in to the USB port.
```
[user@mainpc:~]$ sudo lsusb -v

Bus 002 Device 005: ID 1d50:6086 OpenMoko, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            2 Communications
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        32
  idVendor           0x1d50 OpenMoko, Inc.
  idProduct          0x6086
  bcdDevice            0.09
  iManufacturer           1 Moonbase Otago http://www.moonbaseotago.com/random
  iProduct                3 00
  iSerial                 3 00
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           67
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              200mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0
      CDC Header:
        bcdCDC               1.10
      CDC ACM:
        bmCapabilities       0x06
          sends break
          line coding and serial state
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1
      CDC Call Management:
        bmCapabilities       0x00
        bDataInterface          1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0020  1x 32 bytes
        bInterval              64
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0
      iInterface              4 Random
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x05  EP 5 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
Device Status:     0x0000
  (Bus Powered)
```
Process Status
Confirm the rngd service is running.
```
[user@mainpc:~]$ ps aux | grep rngd
root     30744  0.0  0.0  27036   808 ?        SNLl 10:34   0:01 rngd -f --rng-entropy=.93750 -r /dev/stdin
root     32076  0.0  0.0  92572   108 ?        SLsl 10:34   0:01 /usr/sbin/rngd -r /dev/ttyACM0
[user@mainpc:~]$ pgrep -a rngd
30744 rngd -f --rng-entropy=.93750 -r /dev/stdin
32076 /usr/sbin/rngd -r /dev/ttyACM0
```
The rngd process started with -r /dev/stdin indicates that you are using openssl for extra whitening (the default). This can be changed in /etc/onerng.conf.
ttyACM0
Info about the tty device
```
[user@mainpc:~]$ stat /dev/ttyACM0
  File: /dev/ttyACM0
  Size: 0          Blocks: 0          IO Block: 4096   character special file
Device: 6h/6d      Inode: 35324       Links: 1     Device type: a6,0
Access: (0600/crw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-23 12:10:35.523596786 -0400
Modify: 2018-09-23 11:39:21.523596786 -0400
Change: 2018-09-23 11:39:16.523596786 -0400
 Birth: -
```
/var/log/messages
Check the log files for information
```
[user@mainpc:log]$ sudo grep OneRNG /var/log/messages
Aug 30 17:33:45 mainpc OneRNG: firmware verification passed OK - version=3
[user@mainpc:log]$ sudo grep ttyACM /var/log/messages
Aug 30 17:31:43 gaming kernel: [ 5810.258554] cdc_acm 2-8:1.0: ttyACM0: USB ACM device
```
Testing the OneRNG
We can run it through a series of tests to verify it’s working.
There is a visual indication to verify its operation as well. When you use it, for instance by running cat /dev/random > /dev/null, the LED on the device will dim. Once you stop it by pressing <Ctrl>+C, it will go back to full brightness.
Create a 10M file
We’ll use dd to create a 10M file of random data. I’ll time it and see how long it takes for each. I ran 3 instances:
- /dev/random - OneRNG used through /dev/random
- /dev/ttyACM0 - Using the device directly
- /dev/urandom - Not using the OneRNG at all
Using /dev/random
```
[user@mainpc:~]$ time dd if=/dev/random of=random.img iflag=fullblock bs=1M count=10 status=progress
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 595.879 s, 17.6 kB/s

real    9m55.880s
user    0m0.028s
sys     0m4.308s
```
Using /dev/ttyACM0
```
[user@mainpc:~]$ time sudo dd if=/dev/ttyACM0 of=tty.img iflag=fullblock bs=1M count=10 status=progress
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 182.066 s, 57.6 kB/s

real    3m2.079s
user    0m0.092s
sys     0m1.016s
```
Using /dev/urandom
```
[user@mainpc:~]$ time dd if=/dev/urandom of=urandom.img iflag=fullblock bs=1M count=10 status=progress
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.05296 s, 198 MB/s

real    0m0.056s
user    0m0.000s
sys     0m0.056s
```
Results
The results show that using /dev/ttyACM0 is roughly 3x faster than using /dev/random while both are much slower than /dev/urandom.
Stat | /dev/random | /dev/ttyACM0 | /dev/urandom |
---|---|---|---|
real | 9m55.880s | 3m2.079s | 0m0.056s |
user | 0m0.028s | 0m0.092s | 0m0.000s |
sys | 0m4.308s | 0m1.016s | 0m0.056s |
entropy_avail
You can check the amount of entropy available by reading the file /proc/sys/kernel/random/entropy_avail.
Here's a oneliner I wrote to monitor it from another terminal while I ran the above tests:
while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 1; done
I noticed that while idle and with the OneRNG plugged in, the value stayed above 2500 and would climb well past 3000 if left alone for a while. The max value can be found in /proc/sys/kernel/random/poolsize (where mine is set at 4096).
- When running from /dev/random, the entropy_avail quickly depletes until the task is finished.
  - When the OneRNG is plugged in, it instantly regenerates to above 2000 once the task is finished.
  - When the OneRNG is not plugged in, it slowly starts rising once the task is finished.
- When running from /dev/ttyACM0, the entropy_avail seems to stay the same while creating the 10M file.
- When running from /dev/urandom, the entropy_avail seems to stay the same while creating the 10M file.
ent
I passed the outputted files through ent - a pseudorandom number sequence test.
```
[user@mainpc:~]$ ent random.img
Entropy = 7.999981 bits per byte.

Optimum compression would reduce the size
of this 10485760 byte file by 0 percent.

Chi square distribution for 10485760 samples is 280.27, and randomly
would exceed this value 13.28 percent of the times.

Arithmetic mean value of data bytes is 127.4895 (127.5 = random).
Monte Carlo value for Pi is 3.142349679 (error 0.02 percent).
Serial correlation coefficient is 0.000131 (totally uncorrelated = 0.0).

[user@mainpc:~]$ ent tty.img
Entropy = 7.999983 bits per byte.

Optimum compression would reduce the size
of this 10485760 byte file by 0 percent.

Chi square distribution for 10485760 samples is 249.34, and randomly
would exceed this value 58.83 percent of the times.

Arithmetic mean value of data bytes is 127.4574 (127.5 = random).
Monte Carlo value for Pi is 3.142624337 (error 0.03 percent).
Serial correlation coefficient is 0.000404 (totally uncorrelated = 0.0).

[user@mainpc:~]$ ent urandom.img
Entropy = 7.999983 bits per byte.

Optimum compression would reduce the size
of this 10485760 byte file by 0 percent.

Chi square distribution for 10485760 samples is 249.17, and randomly
would exceed this value 59.11 percent of the times.

Arithmetic mean value of data bytes is 127.4838 (127.5 = random).
Monte Carlo value for Pi is 3.144704874 (error 0.10 percent).
Serial correlation coefficient is 0.000213 (totally uncorrelated = 0.0).
```
rngtest
Lastly, I ran the output through rngtest for 1000 passes and copied the output.
```
[user@mainpc:~]$ rngtest -c 1000 </dev/random
rngtest 2-unofficial-mt.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=68.024; avg=137.971; max=26609.332)Kibits/s
rngtest: FIPS tests speed: (min=19.868; avg=74.944; max=105.378)Mibits/s
rngtest: Program run time: 141815448 microseconds

[user@mainpc:~]$ rngtest -c 1000 </dev/urandom
rngtest 2-unofficial-mt.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=866.977; avg=1898.615; max=2119.276)Mibits/s
rngtest: FIPS tests speed: (min=37.108; avg=102.402; max=106.556)Mibits/s
rngtest: Program run time: 196428 microseconds
```
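What the Monobit, Poker, Runs and Long run counters in the rngtest output check on each 20000-bit block, written out as an added Python example (not code from the original post or from rng-tools; `fips_failures`, `seeded_stream`, `clean_blocks` and the fixed seed are names and inputs constructed here). It runs the tests on a fully predictable SHA-256 counter stream and on a stuck-at-zero source, which shows that a clean result rules out gross failure but does not measure unpredictability.

```python
import hashlib
from itertools import groupby

BLOCK_BYTES = 2500  # rngtest checks 20000-bit blocks
# Allowed number of runs per run length (6 means "6 or longer")
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def fips_failures(block: bytes) -> list:
    """Return the names of the FIPS 140-2 (2001-10-10) tests this block fails."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("a block is exactly 2500 bytes")
    bits = "".join(f"{b:08b}" for b in block)
    failed = []
    if not 9725 < bits.count("1") < 10275:      # Monobit: balance of ones
        failed.append("Monobit")
    nibbles = [0] * 16                           # Poker: spread of 4-bit values
    for b in block:
        nibbles[b >> 4] += 1
        nibbles[b & 0x0F] += 1
    poker = 16 / 5000 * sum(n * n for n in nibbles) - 5000
    if not 2.16 < poker < 46.17:
        failed.append("Poker")
    runs = {(v, n): 0 for v in "01" for n in RUN_LIMITS}
    longest = 0
    for value, group in groupby(bits):           # Runs of identical bits
        length = len(list(group))
        longest = max(longest, length)
        runs[(value, min(length, 6))] += 1
    if any(not lo <= runs[(v, n)] <= hi
           for v in "01" for n, (lo, hi) in RUN_LIMITS.items()):
        failed.append("Runs")
    if longest >= 26:                            # Long run: 26+ equal bits
        failed.append("Long run")
    return failed

def seeded_stream(seed: bytes, n: int) -> bytes:
    """Deterministic SHA-256 counter stream: fully predictable from the seed."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def clean_blocks(stream: bytes) -> int:
    """Count the whole 2500-byte blocks in stream that pass all four tests."""
    ends = range(BLOCK_BYTES, len(stream) + 1, BLOCK_BYTES)
    return sum(not fips_failures(stream[e - BLOCK_BYTES:e]) for e in ends)

if __name__ == "__main__":
    predictable = seeded_stream(b"constructed fixed seed", 20 * BLOCK_BYTES)
    print("seeded stream:", clean_blocks(predictable), "of 20 blocks pass")
    print("stuck at zero:", fips_failures(bytes(BLOCK_BYTES)))
```

The Continuous run counter is not reproduced here; it compares consecutive 32-bit words, which is why rngtest reports 20000032 bits for 1000 blocks.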
Configuration and Log Files
There are a couple of files that could possibly be of interest to you:
- /etc/default/rng-tools - settings for rng-tools
- /etc/onerng.conf - configuration file for the device itself
- /sbin/onerng.sh - the main script
- /var/log/messages - where the log messages are sent
What does all this mean?
I don’t know!
Not sure what I will be able to use this for, but it’s pretty nifty to have around.
What do you use yours for?