[Whonix-devel] GUChaos

[vladz]

Hi,

On Fri, Jan 31, 2020 at 08:57:08PM +0000, procmem at riseup.net wrote:
> GUChaos looks very interesting and we are thinking about including it in
> our OS. I was wondering if your implementation mitigates the risk of
> using a public and untrusted (their words not mine) source of randomness?

GUChaos is an old and not maintained project.  I made it in 2010 because I
needed entropy while playing with virtual test servers (as they didn't have
any physical keyboard or mouse, their entropy pools quickly remained
empty).  At that time (2010), nothing similar existed (except symlinking
random to urandom), and I wanted to do my own stuffs. :)

That said, I must say that I would never use it on critical environments.
Entropy is retrieved from a third party (random.org) which is against
cryptographic best practices.  Even xoring each retrieved bytes with
urandom's bytes would be a bad idea (quite equivalent to symlinking random
to urandom).

Other cons would be that this solution:

  - won't work offline
  - won't work during random.org outages
  - will quickly need update if random.org changes it's API (this already
    happened in the past)

I must admit that I recently thought to remove it from my old website [0].

Today, I don't have same needs, so I'm not aware of good tools.  But with a
quick search, I find projects that tend to retrieve random data from
hardware devices [1][2][3][4] or systems events [6].  That's sounds better
and maybe a good choice for your OS.

Hope this helps,
vladz.

  [0] http://vladz.devzero.fr
  [1] https://wiki.archlinux.org/index.php/Rng-tools (QEMU's virtio-rng, DNRG/TPM)
  [2] https://www.vanheusden.com/aed/ (soundcard)
  [3] https://www.vanheusden.com/ved/ (webcam)
  [4] https://www.vanheusden.com/te/ (timers)