Infinite Noise TRNG

Open hardware USB true random number generator

Feb 18, 2019

Project update 10 of 10

Security Update

A new, important security update, release 0.3.1, is out! Please update if you’ve been using the multiplier and version 0.3.0.

All the details

The issue

You’re only affected if you are:

Thanks to GitHub user wk3-org for the excellent and easily reproducible bug report.

The bug was introduced only in the last release 0.3.0, so if you are on 0.2.6, whether you’re using the multiplier or not, you’re fine.

However, the example configuration shows a multiplier of 10, so it was pretty easy to walk into the trap when you tried the multiplier. Also, the CI tests, which actually run dieharder tests with multipliers of 10, 100, 1000 and 10,000, did not catch this.

This seems like a good point to mention that you should not use the multiplier unless you really need it and know what you’re doing.

The fix

Basically, I forgot to adjust a buffer size after the libinfnoise refactoring. This led to repeating patterns on those multipliers (x%4!=0), as more data was read from the buffer than was written to it in that round (and the last bytes of the previous loop cycle were read twice).

Maybe it would make sense to simply not allow multipliers that result in uneven result sizes (limiting to multipliers divisible by four). Please leave your thoughts in the GitHub issue mentioned above.

So after some debugging, the actual fix was really simple; see this commit.
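The bug class described above (a reused buffer read at a stale size, so a partially refilled round hands out old bytes again) can be shown with a simplified model. This is an added example, not libinfnoise code: the chunk size of 4 units, the counter standing in for the entropy source, and the names `emit` and `count_repeats` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 4  /* assumed units per full round, chosen to mirror the x%4 condition */

static unsigned char next_unit;

/* Constructed stand-in for the entropy source: a counter, so every fresh
 * unit is unique and any repeat in the output must be a stale read. */
static void fill_fresh(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] = ++next_unit;
}

/* Serve `mult` units in rounds through one reused buffer and return the
 * number of units copied to out. fixed=0 always copies CHUNK (stale size). */
size_t emit(size_t mult, int fixed, unsigned char *out) {
    unsigned char buf[CHUNK] = {0};
    size_t produced = 0, remaining = mult;
    next_unit = 0;
    while (remaining > 0) {
        size_t fresh = remaining < CHUNK ? remaining : CHUNK;
        fill_fresh(buf, fresh);              /* only `fresh` units are new */
        size_t take = fixed ? fresh : CHUNK; /* the fix: read what was written */
        memcpy(out + produced, buf, take);
        produced += take;
        remaining -= fresh;
    }
    return produced;
}

/* Count units equal to the unit one chunk earlier: the signature of a
 * partially refilled buffer being read in full. */
size_t count_repeats(const unsigned char *out, size_t len) {
    size_t hits = 0;
    for (size_t i = CHUNK; i < len; i++)
        if (out[i] == out[i - CHUNK]) hits++;
    return hits;
}

int main(void) {
    unsigned char out[64];
    size_t n = emit(10, 0, out);
    printf("mult=10 stale size: %zu units, %zu repeated\n", n, count_repeats(out, n));
    n = emit(10, 1, out);
    printf("mult=10 fixed size: %zu units, %zu repeated\n", n, count_repeats(out, n));
    return 0;
}
```

On real random output the same-offset comparison also matches by chance about once per 256 bytes, so a check like this only means something when the repeats line up with round boundaries.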
