True RNG in STM32F0

[danils]

Hi,

A customer asked me to implement a webserver on a STM32F0 that, as you know, lacks a RNG peripheral. Replacing the MCU at this stage of the project is impractical. I was thinking about adding a RNG IC like https://www.microchip.com/en-us/product/rng90#Overview.

Yet, in order to save BOM cost and PCB space, I was thinking about using an ADC channel reading a temperature sensor mounted on the PCB (unfortunately I have not spare ADC channels to read its random noise - but the temperature sensor should exhibit some random noise too) and I was thinking to use its data to seed this library:
https://github.com/Oryx-Embedded/CycloneCRYPTO/tree/master/rng

Would it make a robust true randomness implementation for feeding the TLS library?

Thanks

D.

[incf]

I don't think so.

Consider using a well behaved noise source like a reverse biased BJT.

But if you don't need security you could just fake it with a psudorandom generator.

[peter-h]

Assuming the RTC is running, just read all the registers, add them up, and do a CRC32 on them

If this is a security risk, the attacker is already running his code in your product

[woofy]

Pretty much anything which introduces randomness will do.
Try reading a time server for example, then using sysclk for the seed.

[MT]

Hi,

A customer asked me to implement a webserver on a STM32F0 that, as you know, lacks a RNG peripheral. Replacing the MCU at this stage of the project is impractical. I was thinking about adding a RNG IC like https://www.microchip.com/en-us/product/rng90#Overview.

Yet, in order to save BOM cost and PCB space, I was thinking about using an ADC channel reading a temperature sensor mounted on the PCB (unfortunately I have not spare ADC channels to read its random noise - but the temperature sensor should exhibit some random noise too) and I was thinking to use its data to seed this library:
https://github.com/Oryx-Embedded/CycloneCRYPTO/tree/master/rng

Would it make a robust true randomness implementation for feeding the TLS library?
Thanks D.

Certain STM32F models have a terrible ADC which some folks here are using as noise source. There are entire threads about that.

[bson]

Fill a block of memory from the ADC and hash it with MD5 or the like.  The noise level of the ADC just determines the size of the block you need, but with cryptographic hashes in general changing a single bit on the input on average changes half the bits on the output, so it doesn't require much in the way of randomness to generate good seed.  (I assume this is to seed an RNG to be used later.)

Edit: 100 random bits out of 8192 16-bit samples, where there are up to 512 random LSBs would give 2859462363045362175889689804776516690968873940358319686157275755047898300652764867714064617203401346847080320 possible random combinations, so still plenty to seed any RNG (including cryptographic ones).

[AndyC_772]

If you're doing a respin of the board anyway, I wouldn't add another IC - I'd replace the STM32 with one that has the RNG integrated.

Take the opportunity to migrate to a newer device. I hear the C series is cheap.

[thm_w]

https://www.reddit.com/r/embedded/comments/14s4utm/random_number_generation_on_an_stm32_using_dual/
https://community.st.com/t5/stm32-mcus-products/generate-random-number-for-stm32f030/td-p/360838

[__george__]

If your customer wants to implement a webserver with TLS and you are considering the ADC or any other solution discussed here for random numbers I hope you understand that you will implement a (at least cryptographically) broken TLS essentially.

If this is not the use case and the random numbers are just needed for other reasons you can also just store true random numbers (taken from a PC or something) in flash and use them as a seed for some sort of pseudorandom generation function.

[peter-h]

you will implement a (at least cryptographically) broken TLS essentially.

In theory, but in practice if you implement an HTTPS server, on an open port, in an embedded box like this, having possibly ever so slightly less than "perfect" RNG will be the least of your problems

Give it a few hours and you will have a sizeable chunk of china and russia hitting this server...

[DavidAlfa]

Upgrade to a G0, they have TRNG...