
Init RNG seeding seemingly very predictable on Arduino Uno #115

Open
lonjil opened this issue Aug 27, 2021 · 11 comments · May be fixed by #116

Comments

@lonjil

lonjil commented Aug 27, 2021

I wrote a test program which does hydro_init(), and then writes the random state over serial.
In the first test, I did soft resets with the RESET pin, and in the second test I disconnected power manually for a few seconds to reset. As you can see, most repeats are close to each other, but in some cases the same state appears again several minutes of testing later. In the soft reset case, there are only 5 different states in total, the least common of which appears 3 times, and the most common one appears 35 times. In the hard reset case, there are 18 different states, of which 10 appear only once each, and the most common state appears 9 times.

https://paste.sr.ht/~lonjil/a9f50c3e28beb4cf26f1632f3caef315e859974b

Am I perhaps doing something wrong? Is there something I could do to mitigate this?

@DeeFuse
Contributor

DeeFuse commented Aug 27, 2021

The AVR random implementation relies on TIMER1 as a source of random data.
This can lead to "predictable" or "similar" states after boot.

A better source of randomness would be reading an ADC

@jedisct1
Owner

Thanks! Would you be able to submit a pull request for this?

That would be amazing. Thanks!

@lonjil
Author

lonjil commented Aug 27, 2021

For that, it would probably be a good idea to let the user choose which analog pin to read from at init somehow, and note in the documentation that the chosen pin must not be connected to anything that could pull it low or high.

I just gathered a lot of analog input, and after settling it seems to move randomly between 203 and 208. Not sure how much entropy there is per reading there. With a random bit of wire plugged in, presumably acting as an antenna, there was much more variation, but I'm not sure if that's a good thing to rely on, since it might give an attacker a lot of influence, reducing effective entropy.

Would it be a good idea to have some basic sanity checks? Like returning an error code if the same value comes in many times in a row, or if values look like they're pulled high or low.
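The sanity checks proposed in the comment above (rejecting readings that repeat many times in a row, or that sit at a rail as a pin pulled high or low would) can be prototyped on the host before touching the AVR backend. The block below is an added example, not libhydrogen code and not the code in DeeFuse's branch: it runs the run-length and rail checks over a buffer of 10-bit ADC readings, estimates min-entropy per reading from the empirical histogram, and derives how many readings would have to be folded into a 256-bit seed at that rate. The thresholds (`MAX_RUN`, `RAIL_MARGIN`, `MIN_BITS_PER_SAMPLE`) are hypothetical, and the three sample arrays are constructed to mimic the cases discussed (values wandering in 203..208, a stuck ADC, a pin pinned near VCC), not captured data.

```c
/* Added example (not libhydrogen's AVR backend): host-side sanity checks for
 * ADC readings gathered as seed material. Thresholds are hypothetical and the
 * sample arrays are constructed, not captured from a board. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADC_MAX             1023  /* 10-bit ADC on the ATmega328P */
#define MAX_RUN             8     /* hypothetical: longest tolerated run of identical readings */
#define RAIL_MARGIN         8     /* hypothetical: readings this close to 0 or ADC_MAX look pulled */
#define MIN_BITS_PER_SAMPLE 1.0   /* hypothetical: below this, refuse to seed */

enum seed_check { SEED_OK = 0, SEED_STUCK = -1, SEED_RAILED = -2, SEED_LOW_ENTROPY = -3 };

/* log2 for x >= 1 without libm: peel off the binary exponent, then extract
 * fraction bits by repeated squaring. */
static double log2_approx(double x)
{
    double e = 0.0, frac = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; e += 1.0; }
    while (x < 1.0)  { x *= 2.0; e -= 1.0; }
    for (int i = 0; i < 52; i++) {          /* invariant: 1 <= x < 2 */
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += bit; }
        bit /= 2.0;
    }
    return e + frac;
}

/* Longest run of identical consecutive readings (a stuck or disconnected ADC). */
int longest_run(const uint16_t *s, size_t n)
{
    int best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (i > 0 && s[i] == s[i - 1]) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* Readings sitting at the ADC rails, as a pin pulled high or low would give. */
size_t railed_count(const uint16_t *s, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] <= RAIL_MARGIN || s[i] >= ADC_MAX - RAIL_MARGIN) c++;
    return c;
}

/* Min-entropy per reading from the empirical histogram: H_min = -log2(max_v p_v).
 * This is the conservative figure (the attacker's best single guess), not Shannon entropy. */
double min_entropy_per_sample(const uint16_t *s, size_t n)
{
    unsigned counts[ADC_MAX + 1] = {0};
    unsigned maxc = 0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) {
        uint16_t v = s[i] > ADC_MAX ? ADC_MAX : s[i];
        if (++counts[v] > maxc) maxc = counts[v];
    }
    return log2_approx((double)n / (double)maxc);
}

/* Readings needed to accumulate target_bits of min-entropy (ceiling of the ratio). */
size_t samples_for_bits(double bits_per_sample, double target_bits)
{
    if (bits_per_sample <= 0.0) return 0;   /* cannot get there at all */
    double k = target_bits / bits_per_sample;
    size_t ki = (size_t)k;
    return ((double)ki < k) ? ki + 1 : ki;
}

/* Combined check: SEED_OK plus the estimated bits per reading, or an error code. */
int check_adc_seed(const uint16_t *s, size_t n, double *bits_out)
{
    double bits = min_entropy_per_sample(s, n);
    if (bits_out) *bits_out = bits;
    if (longest_run(s, n) > MAX_RUN) return SEED_STUCK;
    if (railed_count(s, n) * 2 > n)  return SEED_RAILED;   /* more than half at a rail */
    if (bits < MIN_BITS_PER_SAMPLE)  return SEED_LOW_ENTROPY;
    return SEED_OK;
}

/* Constructed inputs standing in for captured readings. */
#define N 96
uint16_t g_noisy[N], g_stuck[N], g_railed[N];

void build_samples(void)
{
    for (size_t i = 0; i < N; i++) {
        g_noisy[i]  = (uint16_t)(203 + (i * 5) % 6);        /* wanders in 203..208 like the report above */
        g_stuck[i]  = 511;                                   /* ADC returning the same value every time */
        g_railed[i] = (uint16_t)(ADC_MAX - (i * 3) % 4);    /* pinned near VCC: 1020..1023 */
    }
}

int main(void)
{
    double bits = 0.0;
    build_samples();
    printf("noisy : %d (%.2f bits/sample, %zu samples for 256 bits)\n",
           check_adc_seed(g_noisy, N, &bits), bits, samples_for_bits(bits, 256.0));
    printf("stuck : %d\n", check_adc_seed(g_stuck, N, &bits));
    printf("railed: %d\n", check_adc_seed(g_railed, N, &bits));
    return 0;
}
```

Six distinct values spread evenly give at most log2(6) ≈ 2.58 bits of min-entropy per reading, so roughly a hundred readings are needed for a 256-bit seed even before discounting any correlation between consecutive samples; a histogram estimate like this one is optimistic in that respect, which is why a generous safety margin (or a more conservative estimator) is the sensible default on a target with no other entropy source.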

@DeeFuse
Contributor

DeeFuse commented Aug 27, 2021

The example in my link is using an internal reference and is not dependent on an external pin.
In addition it pulls the internal reference high / low to deplete / recharge the smoothing capacitor; combined with a "random" conversion frequency this leads to quite good random results.

@lonjil
Author

lonjil commented Aug 27, 2021

Oh! Firefox scrolled me to the top of the page, so I missed that answer. That looks really good.

@DeeFuse
Contributor

DeeFuse commented Aug 27, 2021

@lonjil I've created a branch in my fork with the mentioned code HERE
Could you check if it compiles and is working?

@lonjil
Author

lonjil commented Aug 27, 2021

@DeeFuse Compiles and runs fine, and passes a basic sanity check.

@tsegers

tsegers commented Oct 18, 2023

Would it perhaps be prudent to remove the claim "Can generate cryptographically-secure random numbers, even on Arduino boards." from the README until this issue is resolved?

@jedisct1
Owner

Best thing to do would be to actually solve the issue. Unfortunately I don't have an Arduino board any more, so help would be appreciated.

@tsegers

tsegers commented Oct 18, 2023

I have an Arduino board, but I'm not sure if there is any actual source of randomness that can be used to seed the RNG. Even reading the ADC like proposed above can be risky, since any attacker with physical access to the chip can control those readings.

@DeeFuse
Contributor

DeeFuse commented Oct 18, 2023

There is an open PR improving the AVR RNG generation: #116
With those changes I achieved pretty good randomness at the cost of execution time.
