Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Security Hardware

VIA C3 Random Number Generator Reviewed 289

An anonymous reader writes "VIA has added a hardware random number generator to its Nehemiah C3 CPU. I found a recent review of its security. Interesting how it's done at the instruction level as opposed to the chipset level used by the i810 RNG (also reviewed there)."
This discussion has been archived. No new comments can be posted.

VIA C3 Random Number Generator Reviewed

Comments Filter:
  • Finally (Score:4, Funny)

    by kaamos ( 647337 ) on Monday April 07, 2003 @10:35PM (#5683660)
    I've been wanting to replace that Ti-80 that generated completely random 0-1 numbers.

    Hell, I couldn't even predict what would come next

    Oh wait...

  • by ihatewinXP ( 638000 ) on Monday April 07, 2003 @10:40PM (#5683687)
    Was just some guy they trained to sit there and yell numbers at them.

    Developer: Hey! Gimme a number!!!

    Idiot in corner: uh Seven boss!

    • I don't know if this is logical or psychological, but I notice 20+ occurences of the integer 42 daily. 9/10 that I look at my watch it's xx:xx:42, the lunch bell rings at xx:42:xx, it shows up in my Physics 2 book, etc.

      Just to keep this on topic, what's the difference between /dev/random and /dev/urandom aside from timing? Is one more secure? Does one use more possible bitvalues while the other sticks to text ones? Is one present in more unix flavors?
      • by gordyf ( 23004 )
        As far as I know, /dev/random gathers real entropy data from events occuring around the system - incoming network activity, keyboard strokes, mouse movement, etc... /dev/urandom, however, is a traditional prng, and not actually random. This allows it to be much faster, but /dev/random would supposedly be truly random.

        You'd use /dev/random for generating random data for, say, generating a key.. but /dev/urandom would suffice (and be far, far faster) for wiping data off a drive (cat /dev/urandom > /dev/h
        • No, /dev/random blocks when it doesn't have enough entropy. /dev/urandom doesn't block when it runs out of entropy, it just switches to an algorithm.

          Speed has nothing to do with it.
        • Actually the network activity is not used as an attacker could control that. However there is a patch that allows you to optionally add that feature, so you weren't entirely off base.
      • I tend to see 69 all over the place. Does that mean im a pervert or do the hairy palms already give it away.
    • Interestingly enough, when asked to pick a number from 1 to 10, more people seem to pick 7 than anything else. My source is an unscientific poll [rinkworks.com], but I trust its general accuracy because I have noticed similar results myself. 7, 4, 5, 6, 3, 8, 2, 9, 10, 1. While the differences among 3, 4, 5, 6, and 8 could be off and the order of those probably cannot be trusted, 7 is definitely picked much more often than any of those five, which in turn are more likely picks than the four nearest either of the extremes.

      I

      • I believe it has to do with Phi, or the golden circle ratio - it's part of what "proportions" are most pleasing to humans. We don't like the middle of a set of numbers, we don't like the ends.

        One of my teachers demonstrated this once, by drawing a line on a piece of paper. He asked us all to mark along the line wherever we wanted, and most of the marks were like this:

        Stupid cocking lameness filter. Well suffice it to say the marks were usually about 70% along the length of the line, or 30%. Never 50%,0,10
      • That was the other half of my joke. Not only does the prototype suck but being a human all he ever does is give you "Seven." Glad to see a few people picked up on the not-so-random number generator.
  • News Release (Score:5, Informative)

    by Anonymous Coward on Monday April 07, 2003 @10:41PM (#5683694)
    VIA Launches Seventh Generation 'Nehemiah' CPU Core, the First x86 Processor to Market with Embedded Security Features

    Combining an integrated PadLock(TM) Data Encryption Engine with a wealth of enhanced performance features, the new generation VIA C3(TM) provides the lowest power native x86 platform for the fast-growing market of connected PCs and home entertainment centers

    Taipei, Taiwan, 22 January 2003 - VIA Technologies, Inc., a leading innovator and developer of silicon chip technologies and PC platform solutions, today announced its new generation VIA C3(TM) processor integrating the 'Nehemiah' core. With its powerful PadLock(TM) Data Encryption Engine, this next generation VIA C3 is the first native x86 processor on the market with embedded security features that enhance the protection of sensitive corporate and personal data.

    Available now at a speed of 1GHz, the new processor core is based on an advanced new CoolStream(TM) processor architecture that delivers all the necessary performance for running even the most demanding digital media applications while maintaining ultra low levels of power consumption and heat dissipation.

    "The launch of the seventh generation VIA C3 processor extends our leadership in enabling the development of secure, quiet-running small form factor system designs for a rapidly growing number of exciting new lifestyle and productivity applications such as home digital media entertainment and connected computing," commented Paul Hsu, Executive Assistant to the President and Head of VIA's CPU Business Unit. "Integration of embedded security features in the processor provides the most robust and cost-effective solution for addressing the increased demands among individuals, businesses, and government organizations for enhanced authentication and protection of their data in today's connected world."

    PadLock(TM) Data Encryption Engine
    The PadLock Data Encryption Engine has been integrated into the new generation VIA C3 processor to ensure greater confidentiality, integrity, and authenticity of electronic data either stored in the computer or transmitted over a network or the Internet, and enables a host of powerful new security applications, including heavy-duty data encryption and safer online transactions.

    At its heart is an advanced Random Number Generator (RNG) that uses random electrical noise on the chip to securely produce random number values, and features a direct application level interface through a new x86 instruction. Developers can obtain random numbers directly from the hardware without having to use separate software drivers, thereby providing an inherently more secure and efficient solution than combined hardware/software RNG architectures. The RNG includes several operating modes, offering performance from 750K bits per second to as high as 6 million bits per second.

    "VIA's incorporation of a hardware random number source on the processor die is exciting for developers, since it provides a simple and effective way of obtaining high quality randomness. This is particularly important for security and cryptography applications, since it is notoriously difficult to generate random numbers of adequate quality without a hardware random number generator," said Paul Kocher, President of Cryptography Research, Inc. and co-inventor of SSL 3.0. "I am enthusiastic about the benefit to applications such as secure web browsing, cryptographic key generation, and protocols where randomness is required."

    CoolStream(TM) Architecture
    Based on the advanced CoolStream architecture, the new generation VIA C3 processor has a highly efficient design that, when coupled with the VIA Apollo CLE266 chipset, delivers performance increases of up to 20% over the current version of the VIA C3 processor in mainstream productivity applications and up to 73% for 3D graphics applications, while continuing to deliver the same benefits of low power and minimal heat dissipation.

    New performanc
    • Paul Kocher is one of the well-known experts in the practical crypto field. As you can see from his web site, he's done some innovative mean nasty approaches to cracking cryptosystems (mathematical proofs are a fine thing, but if you can figure out the state of the CPU by measuring its response time or detecting the power consumption, your system isn't as secure as you thought :-)
  • Testing bittorrent (Score:3, Informative)

    by Pathwalker ( 103 ) <hotgrits@yourpants.net> on Monday April 07, 2003 @10:42PM (#5683697) Homepage Journal
    I'm playing around with bittorrent.

    As a test, I put the PDF file of the review of the hardware RNG up here [ofdoom.com] (The summary is here [ofdoom.com]).

    If you have bittorrent installed, feel free to try to download from me.
  • "At its heart is an advanced Random Number Generator (RNG) that uses random electrical noise on the chip to securely produce random number values" If you keep inputting the same electrical signals (thus the same paths are taken) can you deduce the algorithm and thus crack the encryption scheme it supplies?
    • by jmv ( 93421 ) on Monday April 07, 2003 @10:52PM (#5683751) Homepage
      No. Generally the idea of devices is just to amplify thermal noise. Thermal noise is produced at the microscopic level with atoms bouncing into each other. There's no way to predict that... unless you tap directly into the generator (in which case it's simpler to just get the data on the computer before it's encrypted).
      • Mmm.. thermal noise (Score:3, Interesting)

        by Scorchio ( 177053 )
        Similar to what Douglas Adams suggested as a random number generator, 25 years or so ago, I guess. This implementation is a little more convenient - although slightly less tasty - than a fresh really hot cup of tea.
    • Presumably not, or else it wouldn't be a very good random number generator.

      What I'm interested in is whether or not there is any way for crosstalk from the zillions of other high-speed signals elsewhere on the chip to have any real influence, however slight, on the operation of the random number generator... if so, I wonder how long before the hax0rs will be trying to 0wn my RNG by writing fiendishly clever patterns out onto the address bus.

    • Damn it, forgot to insert a new paragraph tag.

      Thinking about it more, why dont they simply use the random electrical noise level for the random number?
      And isnt there a limited range of 'random' noise that can occur?

    • by plover ( 150551 ) on Monday April 07, 2003 @11:25PM (#5683897) Homepage Journal
      The input is not supposed to be determined by the current state of the processor (insert obligatory Knuth state-of-sin joke here.) Their design consists of a set of freewheeling* oscillators: a ~600MHz oscillator that is then further "jittered" by a ~450MHz and an ~810MHz oscillator, sampled by a much slower ~30MHz oscillator. Their engineers assume that manufacturing variances, temperature, current processor state and other external factors will all contribute to this jittery response.

      * Freewheeling means that these oscillators are not tied to a crystal, and the frequency they oscillate at is not precisely locked at any exact rate (as would be the case if it employed a crystal.) These minute variations in frequency are the source of entropy the chip designers are actually gathering.

      The sampled bits are then "whitened" to reduce biases, and the whitened bits are stored in a FIFO queue until used.

      The paper in the article explains all this, and it talks about a couple of other cool cryptogeek features. You can change the bias voltage via CPU instruction (which would affect the jitter,) but each request of "randomness" comes with a pedigree indicating what bias settings were used! Finally, Cryptography Research's testing showed that they believe the chip (with whitening enabled) is capable of generating bits with an entropy of 0.99 bits/output bit, although they recommend trusting only a conservative entropy factor of about 0.75 bits/output bit. And since it generates bits at a rate of 30-50 million bits per second, most applications can probably afford to throw away a few in the name of entropy.

  • by snillfisk ( 111062 ) <mats@noSpam.lindh.no> on Monday April 07, 2003 @10:48PM (#5683729) Homepage
    ok, i couldnt find the original strip, but here goes from memory:

    accounting troll: this is our random number generator
    troll: 9
    troll: 9
    troll: 9
    dilbert: are you sure that's random?
    accounting troll: thats the problem with randomness, you really can't be sure.

    .. and maybe that holds for your calculator too :-)
    • You *can* be sure whether it's random or not. "999" is not random. It may very well be randomly-generated, but that's not the same thing at all.

      Of course, it's not that simple either:

      If I have a RNG that spits a long string of the same number. Is the string random? Well, not really. So I take the string, and make sure it has the same number of each digit in it. But 1111222233334444 isn't random either, so now I make sure the same number of each pair occurs, so we've got as many 12s as we have 21s.
      • You *can* be sure whether it's random or not. "999" is not random. It may very well be randomly-generated, but that's not the same thing at all.

        I guess they don't have humor where you come from.

      • Random does NOT mean average. Something like flipping a coin is (almost) random... And as anybody knows, you can certainly hit tails 500 times in a row if you are LUCKY.
      • The order in which the balls come out of the lotto machine is (afaik) random. However, the sequence 1-2-3-4-5-6 is just as likely to come up as any other. Does that mean it's not random? No.

        One of the few accepted truly random physical processes is radioactive decay. It is however completely possible that 4 decay events occur, each exactly 2 seconds apart (for instance) - it doesn't mean our radioactive sample has suddenly broken the laws of physics.

        Your arguments are frankly bizarre, as determing randomn
    • by trezor ( 555230 ) on Tuesday April 08, 2003 @04:15AM (#5684857) Homepage

      In norwegian the strip is located in my Dilbert-archive [de-slumme.vv.no].

      Ofcourse I got an English archive [de-slumme.vv.no] as well, for you Dilbert fans out there!

  • Truly Random Numbers (Score:5, Informative)

    by polv0 ( 596583 ) on Monday April 07, 2003 @10:58PM (#5683779)
    The ideal source for random numbers has always been physical sources, such as the white noise you see on your television screen when tuned to an unused channel. The noise is generated by remnants from the big bang, and is cryptographically unusable (since the numbers are recordable by anyone). But is a good test for statistical algorithms such as evolutionary computation (which depend on randomn initial states).

    The idea of using electrical currents secured on a chip is much sounder - since the noise is locally generated and very difficult to tap. I project that as quantum mechanics become more mainstream, the random quantum effects of electrons will be tapped to generate even sounder and accessible random signals.
    • I read that only like 5% of a static TV screen is the remenants of the big bang.
    • by John Miles ( 108215 ) on Monday April 07, 2003 @11:30PM (#5683918) Homepage Journal
      The noise is generated by remnants from the big bang

      A myth, for the most part. It's generated primarily in the front-end amplifier of the TV tuner by virtue of the fact that its temperature is above absolute zero.

      All dissipative (resistive) elements, whether active or passive, generate thermal, or Johnson, noise. The noise power is expressed in watts as
      Pn=KTB, where K = the Boltzman constant, T is the temperature in degrees Kelvin, and B is the bandwidth you're looking at. TV signals occupy several megahertz' worth of bandwidth, so even the smallest amount of noise in the front end will dominate the noise from atmospheric and celestial sources.

      You can prove this by disconnecting the antenna. Even if you short the TV's antenna terminals with a paper clip, neither the audio nor the video noise will change much.
  • Randomness (Score:5, Insightful)

    by Viral Fly-by ( 662186 ) <ross@truman.edu> on Monday April 07, 2003 @11:00PM (#5683793) Homepage
    Isn't it interesting how much importance we place on quote unquote "true" randomness of numbers? We expect (or at least hope that) a computer can generate random numbers time and time again without fail...

    But any human being would prove horrible at such a task... In fact, if you ask a human being for 3 random numbers, odds are very good that they will give you at least two sequential ones...such as 7 6 2...or 5 9 8...

    I guess that's the point of computers though...if we could all calculate as fast as a computer, process data as fast as a computer, and perform other tasks as fast and as well as a computer, we wouldn't need computers, now would we?

    Random number generation is an interesting topic though because it is often seen as a fault of computers... People claim that computers are "incapable" of generating random numbers. So are human beings... I can understand a computer not being able to store a floating point number with a hundred digits after the decimal point being considered a fault, because FEASIBLY a human being COULD perform the operations and have the value exact out to a hundred decimal places. But with random numbers...a human couldn't do it even remotely as well a computer can, so why is it considered such a weakness of computers? Maybe the power of computers to break their own codes because numbers aren't truly random is the reason they are sought after in the first place.
    • by scotch ( 102596 ) on Monday April 07, 2003 @11:59PM (#5684024) Homepage
      Isn't it interesting how much importance we place on quote unquote "true" randomness of numbers?

      You know, when you're able to use quote marks (" for example) in a written medium, you really don't need to spell out quote unquote as well. It really just doesn't make any sense - we can see the quote marks you used, spelling that idiom out doesn't add anything. People sometimes say "quote unquote" because you can't see the quote marks in their speech. Even this practice is ill-advised as it makes one sound like a drooling marketdroid (e.g. "At the end of the day, we need to quote unquote actualize profits by exceeding expenses with net income in order to meet quote-unquote business objective. Take an action quote-unquote item").

      This is the most bizarre thing I've seen all day. Please don't do it again. Thank you.

      • Interesting, just last week I was writing a post and came across this issue. As I was saying the content in my head while writing it out, I stumbled on "quote unquote". You see, in my head I was saying those words, but since it surely wouldn't look right as text, I type real quotes.

        Problem is, reading back the text that had real quotes just didn't have the same kind of flow as a spoken message using the silly "quote unquote" substitute. They each come across in a slightly different way. I couldn't find
    • In fact, if you ask a human being for 3 random numbers, odds are very good that they will give you at least two sequential ones...such as 7 6 2...or 5 9 8...

      I'd expect 1 in 3 odds of that happening anyway.
    • In fact, if you ask a human being for 3 random numbers, odds are very good that they will give you at least two sequential ones...such as 7 6 2...or 5 9 8...

      What do you mean by "very good" odds? If you ask a TRNG (true random number generator) for 3 random numbers, odds are quite good (40%) that it will give you at least two sequential ones. This is just rough math (supplied upon request) off the top of my head with the assumption that 9 and 0 are considered to be adjacent; odds would be slightly lowe
    • But any human being would prove horrible at such a task... In fact, if you ask a human being for 3 random numbers, odds are very good that they will give you at least two sequential ones...such as 7 6 2...or 5 9 8...

      With a true random number generator then the pool of numbers is not altered by a pick. Consequently every possible number within the indicated range should have an equal chance of selection at each request for a new number. Under these rules a sequential number, or indeed the same number agai

    • I guess that's the point of computers though...if we could all calculate as fast as a computer, process data as fast as a computer, and perform other tasks as fast and as well as a computer, we wouldn't need computers, now would we?


      We need computers for porn. Nothing could ever possibly substitute computers in that regard.
  • Man... (Score:4, Funny)

    by Obiwan Kenobi ( 32807 ) <evanNO@SPAMmisterorange.com> on Monday April 07, 2003 @11:06PM (#5683817) Homepage
    Man, you know you're hardcore when you get excited about a built in random number generator.

    Sample convo after purchase:

    [girlfriend] Honey, what is that?
    [you] (with great awe) The Vee-Eye-Aye Nehemiah C3 CPU with-
    [girlfriend] How much did that cost?
    [you] Wait, lemme finish-
    [girlfriend] Rent. Where is it.
    [you] But it has a-
    [girlfriend] You are not going to tell me that you spent our next month's rent on that *censored* piece of plastic.
    [you] (correcting happily) Silicone!

    You stare off. Slowly, you speak.

    [you] But it has a...random..number...generator. For strong...uh...crypto. You know, cryptography? Big numbers? Random?

    *the sound of footsteps trail away from you*

    [you] Honey?
  • finite state machine (Score:4, Informative)

    by shird ( 566377 ) on Monday April 07, 2003 @11:18PM (#5683862) Homepage Journal
    This is awesome, but I feel it kind of skews one of the great things about CPUs. Presently, the same piece of code, run a million times, will always produce the same outcome, and follow the same path of execution (providing it accesses no hardware - ie, no io instructions). With the addition of this instruction, you no longer have this fixed execution path.

    Still, with IO this 'problem' exists anyway (although only at ring 0 -intel). It just makes it difficult for heuristic anti-virus progams, and debugging etc, when the path of execution can be arbitrary. Nonetheless, I think its a cool concept, and great its being done at ring 3.
    • note - by 'finite state machine' - I think I meant 'deterministic' or something :) not great with terminolgy, but at least I know what I mean.
  • Beware this (Score:2, Funny)

    by WetCat ( 558132 )
    1. A good hardware built-in RNG introduced
    2. Everybody starts using it
    3. Some guys in a CPU company change it to not so good
    hardware RNG (for example f(x)=exp(sin(x)) etc)
    4. ...
    5. Profit?!
  • by blitzoid ( 618964 ) on Monday April 07, 2003 @11:21PM (#5683884) Homepage
    I've got your random number RIGHT HERE...

    5,246,549!
  • by mao che minh ( 611166 ) on Monday April 07, 2003 @11:22PM (#5683885) Journal
    Despite my best efforts at randomly naming folders and subfolders, and randomly placing permissions on them, and then randomly naimg the files without any type of extension on them, my girlfriend is able to quickly locate and identify my porn - even though she barely knows how to operate a computer in general, let alone Linux. She is a natural at breaking encryption.
  • by starman97 ( 29863 ) on Monday April 07, 2003 @11:36PM (#5683935)
    Atom-Age made a hardware box that produced 64K of random numbers with
    every character entered in the serial port. They spent a lot of time
    isolating each stage to ensure no noise got to the thermal noise
    generator /amplifier. There was no whitening or other tricks played
    to make the numbers 'more random' There were 3 sets of batteries,
    a 9V for the noise source, C Cells for the microprocessor, and D cells
    to run the serial interface. The whole thing was encased in a steel box
    with sheilding around the connector and indicator lights. Analysis of
    the numbers showed very good randomness.

    Unfortunatly at $200 it never really sold well.
    They did release the code in the processor for inspection,
    I'm not sure about the schematics, probably not.
  • When will Microsoft support this chip feature in Quickbasic?

    I'm tired of RANDOMIZE TIMER ing, dammit!
  • 392! 3892! 7489!

    feel free to use any of those if you're short on cash and cant upgrade just yet.

    THEY ARE ALL OPEN SOURCE - FREE AS IN I'LL SUE YOU WHEN YOU GOT MONEY TO PAY!
  • by stj ( 607714 ) on Monday April 07, 2003 @11:54PM (#5684004) Homepage Journal
    I remember when Cyrix had it's 100MHz CPUs with huge fans and everybody tweaked them to 133MHz, every long-term calculation on that involving FPU would give random numbers as the result...
    So, where is the novelty? ;-)
  • by CoolGuySteve ( 264277 ) on Tuesday April 08, 2003 @12:18AM (#5684110)
    Everyone should use the same random number.

    I think 23 is a good one, nice an prime, and close to 21 too!
  • by Stormie ( 708 ) on Tuesday April 08, 2003 @01:00AM (#5684235) Homepage

    Does anyone know when VIA intend to release an EPIA MiniITX motherboard with a Nehemiah-cored C3 CPU? Apparently the M10000 they released recently was supposed to be so equipped, but turned out to only have a 1GHz version of the older Ezra-T C3 core. Since the Nehemiah core has a lot of improvements, this random number generator amongst them, I'd rather hang out for it than buy an M10000 now.. but how long must I hang?

  • Someone should ask Wolfram how the universe generates random numbers...
  • The Beatle random number generator:
    number 9
    number 9
    number 9

    The monty python random number generator:
    6, no 8...AAAAaaahhhhhhh

    the ask a person to guess a number between 1-10 random number generator

    7
    3

    the Slashdot random number generator
    3.14, 1701, 2001, 69, 1337

    The Microsoft Random number generator
    7,7,7,7 yes its random, says so in the eula

    the pepsi random number generator:
    1

    the buffy random number generator:
    "you dare insult buffy? you are stupid AND you suck."wait, that was the "angery buffy fan response to a minor critque of the show generator"... my bad.

  • by mindpixel ( 154865 ) on Tuesday April 08, 2003 @01:39AM (#5684415) Homepage Journal
    I remmeber going to the university science library when I was 14 to try to find out how to write a program to generate random numbers...found a big yellow book about pseudo-random number generators and thought, no, I want a real random number generator...of course I opened the book and discovered that it is impossible inside a deterministic system...you have to stick an antenna into an external universe...then I thought where the fuck did the universe get noise? Why isn't the universe one big symmetric crystal?

    Now I sit here looking at a 2 billion year-old hypernova and no one here can answer this question (There are at least 5 cosmoligists within spitting distance of me right now)...
    • by Anonymous Coward
      Because of quantum uncertainty. If there had been no quantum uncertainty then after the big bang every particle would have had perfectly equal forces on it and thus the Universe would have settled into a perfectly homogenous soup (or maybe a big symmetric crystal), quantum uncertainty caused minute vartiations in density, forces etc, which allowed clumps to form and hence stars, planets and everything else.
    • Consider a deterministic pseudorandom number generator that's highly sensitive to its initial conditions. Maybe that's the universe and we don't know it because we can't determine the initial conditions with absolute certainty nor can we even determine its current state with sufficient accuracy.

      What if space and time are discrete (Ed Fredkin and so on)? Of course, space couldn't be a rigidly even lattice (it could be a network of loosely connected nodes), but in this sense you have a rigorous foundation
    • where the fuck did the universe get noise?

      I think there are several conclusions you could come to:

      1. The book (or mathematics) is wrong
      2. The universe is not a deterministic system
      3. Random numbers do not exist

      I would lean towards 2 - aren't quantum processes such as radioactive decay non-deterministic? This seems to be a matter of opinion, even among great physicists [hawking.org.uk]. If, however you hold that the universe is deterministic, I suppose you would have to come to the conclusion that nothing is entirely random

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...