The technical stuff

Photo of a biscuit panel of many Entropy Keys

The Entropy Key generates noise using P-N semiconductor junctions, reverse biased with a voltage high enough to bring them near to, but not beyond, breakdown. In other words, it has a pair of devices wired up so that a high potential is applied across them in the direction in which electrons do not normally flow and would be blocked. The high voltage compresses the semiconduction gap sufficiently that the occasional stray electron will quantum tunnel through the P-N junction. (This is sometimes referred to as avalanche noise.) When this happens is unpredictable, and this is what the Entropy Key measures.

These noise generators are then coupled to a 72MHz ARM Cortex-M3 on the device. This processor samples the generators at a high frequency, forming a stream of random bytes from each. Each stream of bytes is then analysed using Ueli Maurer's universal test for random bit generators, whereby the amount of entropy in the stream is estimated rather conservatively. The streams are also exclusive-ORed together and that stream's entropy is estimated in the same manner. If one of the raw streams appears to have severely reduced entropy, it indicates a fault in that generator. If the third (exclusive-ORed) stream has low entropy, it indicates that the generators have correlated and are not independently gathering entropy. Any of those three states is considered a failure mode and will result in the Entropy Key locking itself out of the host, returning only an error code instead of generating entropy packets.
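The three-way check described above can be sketched as follows. This is an added example, not the Entropy Key firmware: the block length `L_BITS`, the threshold `MIN_STAT`, the failure-state names and the SHA-256 stand-in for a healthy generator are all assumptions made for illustration.

```python
import hashlib
import math

L_BITS = 8                 # assumed block length L: one byte per block
Q_INIT = 10 * 2 ** L_BITS  # initialisation blocks (Maurer suggests >= 10 * 2^L)
EXPECTED = 7.1836656       # Maurer's expected statistic for ideal data at L = 8
MIN_STAT = 6.5             # hypothetical lockout threshold, not the device's


def maurer_statistic(data: bytes) -> float:
    """Mean log2 distance back to the previous occurrence of each byte value."""
    if len(data) <= Q_INIT:
        raise ValueError("need more than Q_INIT bytes")
    last_seen = [0] * 256
    for pos, value in enumerate(data[:Q_INIT], start=1):
        last_seen[value] = pos
    total = 0.0
    for pos, value in enumerate(data[Q_INIT:], start=Q_INIT + 1):
        total += math.log2(pos - last_seen[value])
        last_seen[value] = pos
    return total / (len(data) - Q_INIT)


def health_check(stream_a: bytes, stream_b: bytes) -> str:
    """Return OK, or the failure state that would trigger a lockout."""
    mixed = bytes(a ^ b for a, b in zip(stream_a, stream_b))
    if maurer_statistic(stream_a) < MIN_STAT:
        return "FAULT_GENERATOR_A"
    if maurer_statistic(stream_b) < MIN_STAT:
        return "FAULT_GENERATOR_B"
    if maurer_statistic(mixed) < MIN_STAT:
        return "GENERATORS_CORRELATED"
    return "OK"


def sample_stream(label: bytes, n_bytes: int = 32768) -> bytes:
    """Constructed stand-in for a healthy generator (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(label + i.to_bytes(4, "big")).digest()
              for i in range(n_bytes // 32))
    return b"".join(blocks)


if __name__ == "__main__":
    a, b = sample_stream(b"gen-a"), sample_stream(b"gen-b")
    print("independent:", health_check(a, b))
    print("stuck A:    ", health_check(bytes(len(a)), b))
    print("coupled:    ", health_check(a, bytes(x ^ 0x01 for x in a)))
    print("biased A:   ", round(maurer_statistic(bytes(x & 0x0F for x in a)), 2))
```

In the coupled case each stream looks healthy on its own, and only the exclusive-ORed stream reveals that the two generators are not independent.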

The two raw streams are then processed further, and their entropy is estimated again after a debiasing process has been performed. Again, if the estimated entropy in the stream is seen to vary too wildly at this stage, the Entropy Key will lock itself out. The processed streams are then mixed into a pool, made with a secure hashing function. Once at least 50% more entropy has been mixed into the pool than it could possibly hold, it is finalised and another pool is initialised. Once enough pools have been processed to fill 20000 bits of pool, the totality is subjected to the tests stipulated in FIPS 140-2. These tests produce a PASS/FAIL indicator for the block. On its own, this is not useful, since a perfectly random block could quite plausibly fail the tests. The Entropy Key therefore keeps running statistics on the FIPS 140-2 tests and will lock itself out if the ratio of failed blocks to passed blocks rises above a conservative estimate of the statistical likelihood of failure. Once the block has been analysed, it is chopped up into 32 byte packets, which are handed off to the protocol handler in the device. Through this process, each 256 bit block of data handed to the host was formed from somewhere in the region of 3840 bits read from the quantum generators.

The protocol handler deals with the communication to the host computer. The device emulates a standard USB CDC serial port, with out-of-the-box driver support for numerous platforms. The Entropy Key encrypts all random data it sends to the host using a session key, marking each packet with a sequence number and stopping when the sequence number gets too high. The Entropy Key authenticates all packets it sends using a packet-MAC mechanism where the MAC includes the session key generated during communication with the host. The session key is routinely regenerated using a shared secret, unique to each Entropy Key, which can be changed at will by the owner of the Entropy Key. The protocol handler also tells the host computer about failures and possible attacks, such as the generators becoming correlated or failing. The protocol handler periodically reports various statistics to the host, such as the current state of the stream estimators and the FIPS 140-2 test statistics, as well as information from the temperature monitoring parts of the device. An open-source daemon on the host side then communicates with the key, setting up sessions, receiving random data, checking its authenticity, and eventually using it to top up the system's own random number pool.

The Entropy Key can automatically detect various different physical attacks, such as temperature changes (by using a built-in temperature sensor), and opening of the case (as the final product will be injected with epoxy; opening the case will destroy it).

Currently, this daemon is available for Linux (and packages suitable for Debian and Ubuntu can be provided, as well as source tarballs), but other platforms are being investigated. It is licensed under the MIT licence.

Simtec Electronics, 130 Hesketh Lane, Tarleton, Lancashire, PR4 6AS, United Kingdom.
Tel: UK (01772) 977177 / International +44 1772 977117