[guardian-dev] Mobile Entropy Sources (was Re: Android SecureRandom bug mitigation)

Hans-Christoph Steiner hans at guardianproject.info
Tue Aug 13 11:59:36 EDT 2013



On 08/13/2013 10:56 AM, Abel Luck wrote:
> Michael Rogers:
>> On 12/08/13 20:39, Lee Azzarello wrote:
>>> It would be interesting to build a library that uses the
>>> microphone, accelarometer and any other sensor that might produce
>>> entropy for randomness. Nathan, didn't you do this in an old
>>> version of the Cryptocat Android app?
>>
>> The way I'm planning to handle this in Briar is to implement Fortuna
>> in Java, with an interface that can be implemented by 'entropy plugins'.
>>
>> Possible plugins include sensors such as accelerometers, event
>> listeners for keyboard/mouse/touchscreen events, hardware RNGs such as
>> RDRAND, and system PRNGs such as /dev/urandom, depending on what's
>> available on each platform. Maybe this is an area where we could
>> collaborate?
>>
> 
> Absolutely! This is something we've been wanting to do for awhile.
> 
> The initial implementation for the Cryptocat app several years ago was
> done with Phonegap, and not really portable or generalizable.
> 
> What are your requirements regarding root?
> 
> I've thought about porting rngd that comes with linux kernel >= 3.6 to
> android [0][1], but I would like a solution that works for root and
> non-root users.
> 
> ~abel
> 
> [0]: https://lwn.net/Articles/525459/
> [1]: http://linux.die.net/man/8/rngd

I can contribute in generating sources of noise aka random.  I've done a lot
of work in digital signal processing, mostly of audio and sensors.  Every
sensor including microphone and camera will have a constant stream of noise.
The tricky part is separating out the noise from the data in a reliable way.
For the microphone and accelerometer, that could be done pretty reliably based
on tracking the amplitude.  If there is a period of time where the amplitude
never goes above a certain threshold, then the signal will be basically only
noise.  That threshold can be dynamically set based on tracking.

Another problem to be aware of is that the sensor noise will be affected by
the activities of the device's CPU, memory, etc.  This is something that would
need to be looked into.  If the noise coming from the sensors is mostly coming
from the CPU and memory, and that activity is very regular, the sensor noise
might not be very random.

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81


More information about the Guardian-dev mailing list