[tor-talk] Tor relay on small and cheap devices

Mirko Vogt mirko at openwrt.org
Sat Jan 19 19:54:24 UTC 2013 

On 01/18/2013 01:46 PM, Okhin wrote:
> However, given the relatively limited capability of those devices, 4il wondering if they can have enough entropy to run Tor safely, and if it won't endanger the network.
> So,before going further on the step of propagating those Tor small boxes, I need advices about this entropy. Is it an issue? Is there a way to work around it (generating keys and certificates on a different computer maybe? but then, how?)

Yes, there is definitely an issue with entropy which should be kept in
mind. Lot's of embedded devices / SoCs do not have enough entropy
sources (or software/drivers which could at least make the most out of
what's there) to ensure cryptographically secure keys.

You might be surprised how often dropbear (an lightweight SSH server -
used by e.g. OpenWrt) generates the _exact very same_ SSH host keys
during the first boot on some devices. I ran into this issue several
times when I had to flash bunches of devices.

And that wasn't even the AR7240. The AR7240 - in this manner - is the
worst SoC I've ever seen. They cut it down to its basics, dropping every
kind of source where entropy could be gathered from.
Take a look at /proc/sys/kernel/random/entropy_avail right after boot to
get an idea (and it might be actually higher than it would have been
without you looking at it :)). It might be even 0(!) right after boot[2].

What we (OpenWrt) do for example regarding Wifi WPA session keys (using
/dev/random, which mostly doesn't contain enough entropy yet to generate
a secret key): We postpone the key generation until the first
Wifi-client connects. The first handshakes usually create enough entropy
to fill the pool - being able to generate a secure key and complete
negotiation with the client. Worst case here is, the first clients
attempt to connect to the AP fails.

Please don't drop the AR7240 because of that. Most devices have those
issues.
Ensuring to gather enough noise from e.g. wifi in advance might ensure
an appropriate amount of entropy for running tor safely - however that's
just _one_ source of entropy which might not be considered enough.

There's also this haveged[1] using the havege algorithm. However to me,
as a non-mathematician, this sounds a bit like "we make a lot [of
entropy] out of little". Maybe somebody could shed some light on this..

> 
> With datalove,

Dito

> Okhin

  mirko

[1]http://www.issihosts.com/haveged/
[2]https://dev.openwrt.org/ticket/9631

More information about the tor-talk mailing list