Developer Keith Packard's ChaosKey Hardware RNG Is Almost Here

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

#21

Video of the debconf presentation

I really like the way Keith talks for some reason.


#22

Originally posted by Brane215:

    Also, a question for the original theme - why USB? It's not exactly the most appropriate way for such a purpose - it's a far too stranger-friendly bus.

    Why not, for example, a small PCIe x1 card with a cheap FPGA on it?

In that case, why not purchase a cheap PCIe USB host card? It'd be isolated from other USB busses. I guess then you'd have to trust the USB card, but what else are you trusting already?


#23

Originally posted by Brane215:

    So how do you know that that Cypress PSoC thingie is truly random?

Your question reminds me of a Dilbert comic:


#24

About the output being random:

Remember that the Linux kernel *combines* the different entropy sources to generate randomness.

Though there might be some fine details in the implementation itself (XORing into a fixed register to add the entropy from an on-CPU hardware number generator is a bad idea, as it is open to firmware attacks - successfully demoed attacks), from a theoretical point of view, by doing combinations, even if one of the streams is compromised, the output is secure. An attacker would need to compromise *absolutely all* sources of entropy for the output of /dev/random to be insecure.

(There was the same discussion back when Intel and VIA released their CPU instructions for HWRNG.)

Even if Keith were an evil spy working for the NSA and the USB device's output were actually predictable (e.g. a simple password+counter run through AES encryption, which can't be distinguished from real randomness except by someone knowing the password), the NSA would need to know all the other bits of entropy you got from your CPU, network and HDD timers.

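An added illustration of the combining argument in #24 (example code written for this edit, not from the thread, the kernel, or ChaosKey): two toy combiners stand in for the kernel's mixing. `mix_xor` is the "XOR into a fixed register" design the post warns about, where a source that can see the other inputs can steer the result; `mix_hash` combines through SHA-256, where steering the output would require a preimage, so one honest source keeps the result unpredictable. The "honest" inputs are constructed sample bytes.

```python
import hashlib
import secrets


def mix_xor(sources):
    """Naive combiner: XOR all equal-length sources together byte-wise."""
    n = len(sources[0])
    assert all(len(s) == n for s in sources), "XOR combiner needs equal-length inputs"
    out = bytearray(n)
    for s in sources:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def mix_hash(sources):
    """Combine by hashing every source with a length prefix.
    As long as one input is unpredictable, the digest is unpredictable."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def steer_xor(honest, target):
    """A compromised source that can observe the honest inputs (the firmware
    scenario from the post) picks its contribution so the XOR combiner emits
    exactly `target`: contribution = XOR(honest) XOR target."""
    return mix_xor(honest + [target])


def can_steer_hash(honest, target, tries=1000):
    """Attempt to make the hash combiner emit `target` by choosing the last
    source. Without a SHA-256 preimage this fails; True only on success."""
    n = len(honest[0])
    for _ in range(tries):
        guess = secrets.token_bytes(n)
        if mix_hash(honest + [guess]) == target:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample bytes standing in for honest entropy sources.
    honest = [bytes(range(32)), b"\x55" * 32]
    target = bytes(32)  # the compromised source wants an all-zero output
    evil = steer_xor(honest, target)
    print("XOR combiner output :", mix_xor(honest + [evil]).hex())
    print("hash combiner steered:", can_steer_hash(honest, target))
```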

#25

And about uses:

Cryptographically secure numbers are important to create cryptographic keys (e.g. DSA is extremely sensitive to the randomness of the chosen primes) and to agree on ephemeral shared secrets (Diffie-Hellman).

On embedded systems and on virtual machines (which don't have many background tasks to introduce variations, nor much hardware to get timing from - except maybe a network port, and the CPU with tools like haveged) this is a challenge. It's a documented security problem that some such systems will need to generate SSH keys before enough entropy has been gathered.

Being USB, it's very easy to plug this device into an embedded system, or pass it (entirely or some of its stream) to a VM, in order to make up for the reduced entropy sources.


#26

Originally posted by Nille_kungen:

    Maybe because fewer and fewer people use desktop computers, and with USB it will also work on laptops; laptop users may have needs for cryptography.

As said, using USB for this purpose can be dangerous, which defeats the original intent - a safety increase. You rely on your "safe" RNG, which resides on a totally unsafe bus and thus makes things much worse than before.

WRT laptops, they already have PCIe, albeit in another form - ExpressCard, mini PCIe etc. Mini PCIe is _perfect_ for such a role, for example.


#27

Originally posted by Brane215:

    As said, using USB for this purpose can be dangerous, which defeats the original intent - a safety increase. You rely on your "safe" RNG, which resides on a totally unsafe bus and thus makes things much worse than before.

    WRT laptops, they already have PCIe, albeit in another form - ExpressCard, mini PCIe etc. Mini PCIe is _perfect_ for such a role, for example.

Which is already used for the laptop's wifi card. Or, in the case of a 2nd mPCIe slot, a WAN card. Besides, mPCIe has been phased out in favor of M.2 already.


#28

Originally posted by Sonadow:

    Which is already used for the laptop's wifi card. Or, in the case of a 2nd mPCIe slot, a WAN card. Besides, mPCIe has been phased out in favor of M.2 already.

Which has its PCIe component.

WRT laptops, you have to sacrifice something - in this case WAN seems an acceptable choice for most.
Going for USB there means sacrificing safety for the sake of safety - which is nonsense.


#29

Since both Intel and AMD already have instructions for random numbers, I don't think this is primarily targeted at desktops.
Many SoCs usually have an RNG too, but often lack any documentation about the expected entropy. The stick could help raise the level there, that is, if it proves to be a good source.

Originally posted by Brane215:

    As said, using USB for this purpose can be dangerous, which defeats the original intent - a safety increase. You rely on your "safe" RNG, which resides on a totally unsafe bus and thus makes things much worse than before.

    WRT laptops, they already have PCIe, albeit in another form - ExpressCard, mini PCIe etc. Mini PCIe is _perfect_ for such a role, for example.

I suppose you mean secure instead of safe, so in what way is USB less secure than PCIe? If someone has physical access to your device it doesn't matter; if someone gets root access it doesn't matter either.


#30

Originally posted by discordian:

    Since both Intel and AMD already have instructions for random numbers, I don't think this is primarily targeted at desktops.
    Many SoCs usually have an RNG too, but often lack any documentation about the expected entropy. The stick could help raise the level there, that is, if it proves to be a good source.

    I suppose you mean secure instead of safe, so in what way is USB less secure than PCIe? If someone has physical access to your device it doesn't matter; if someone gets root access it doesn't matter either.

1. Why do you trust their RND implementation? How do you know they can't circumvent it? I remember reading materials showing how easy it would be for them to poison that RND implementation with a predictable component.

WRT USB, RTFM. USB was meant to be as promiscuous as a cheap hooker. It was meant to be a bus for every trivial thing. The main selling point of this bus is cheapness, accessibility and PnP, not security in any way. PCIe is substantially different.