In this month’s Linux User & Developer, following my regular four-page news spread, you’ll find a review of a device that’s a little out of the ordinary: the NeuG, a true random number generator (TRNG) which costs a remarkably small amount.
When you’re using cryptography, you’re chewing up your system’s supply of randomness – or entropy. Linux, in common with other operating systems, works to fill its entropy pool by sampling a variety of things: traffic coming in on the network port, where you’re pointing the mouse and how fast it’s moving, and even how long it takes you to press particular keys. That’s all well and good for a desktop, but for a headless server it can take a while to fill a depleted entropy pool.
Coupled with the fact that it’s very difficult for a computer to produce truly random output, there’s a market for true random number generators. These devices typically cost a small fortune but use a variety of techniques – ranging from physically breaking down pieces of hardware with high voltages and measuring the resulting changes to pointing a webcam at a lava lamp – to generate a constant stream of high-quality entropy.
Enter the NeuG, which was kindly supplied for test by the Free Software Foundation. While it looks like a flash drive that has lost its casing, the device is actually a miniature computer in its own right. Using on-board analogue sensors, the NeuG can generate what is claimed to be a stream of true random numbers – numbers which are then pushed through a conditioning hash and spat out of a virtual serial port. Simply link the NeuG to something like the rngd entropy gathering daemon, and kiss goodbye to entropy exhaustion in even headless or virtualised environments.
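As an added illustration (not code from the review, the NeuG firmware or rng-tools): rngd checks data from a hardware generator with FIPS 140-2 statistical tests before feeding it to the kernel pool, and the sketch below implements three of them (monobit, poker and long run; the runs test is omitted) over one 20,000-bit block. The sample blocks are constructed; on a live system a block would instead be read from the device's virtual serial port.

```python
# Added example: FIPS 140-2 style sanity checks on one 20,000-bit RNG block.
BLOCK_BYTES = 2500  # 20,000 bits, the block size the FIPS 140-2 tests use

def ones_count(block: bytes) -> int:
    """Monobit statistic: number of 1 bits in the block."""
    return sum(bin(b).count("1") for b in block)

def poker_stat(block: bytes) -> float:
    """Poker statistic over the 5,000 four-bit nibbles in the block."""
    counts = [0] * 16
    for b in block:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    return 16 / 5000 * sum(c * c for c in counts) - 5000

def longest_run(block: bytes) -> int:
    """Length of the longest run of identical consecutive bits."""
    longest = current = 0
    prev = None
    for bit in "".join(f"{b:08b}" for b in block):
        current = current + 1 if bit == prev else 1
        prev = bit
        longest = max(longest, current)
    return longest

def check_block(block: bytes) -> dict:
    """Return pass/fail per test, using the FIPS 140-2 acceptance ranges."""
    if len(block) != BLOCK_BYTES:
        raise ValueError(f"expected {BLOCK_BYTES} bytes, got {len(block)}")
    return {
        "monobit": 9725 < ones_count(block) < 10275,
        "poker": 2.16 < poker_stat(block) < 46.17,
        "long_run": longest_run(block) < 26,
    }

# Constructed sample blocks (not captured from a real device).
STUCK = bytes(BLOCK_BYTES)                            # output stuck at zero
ALTERNATING = b"\x55" * BLOCK_BYTES                   # 0101... oscillation
COUNTER = bytes(i % 256 for i in range(BLOCK_BYTES))  # predictable counter

if __name__ == "__main__":
    for name, block in (("stuck", STUCK), ("alternating", ALTERNATING),
                        ("counter", COUNTER)):
        print(f"{name:12s} {check_block(block)}")
```

The stuck and alternating blocks are rejected, but the fully predictable counter block passes all three tests: checks like these catch a broken or grossly biased source, they do not show that a source is unpredictable.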
I have been extremely impressed with the NeuG, especially given its low $50 cost. While there are cheaper alternatives – such as using a $5 Pi Zero and USB TTL serial adapter to create something similar using the BCM2835’s on-board hardware random number generator module – the NeuG’s free nature, whereby the design and source code are all available for review and modification, makes it a great choice where certified security isn’t a requirement.
For the full run-down, including benchmarks, you can pick up the latest issue of Linux User & Developer from your nearest newsagent, supermarket, or electronically via Zinio and similar digital distribution platforms.