This server uses hardware true random number generators (TRNG) to serve out true random bits to the Internet. Those bits are created using 5 Entropy Keys from http://entropykey.co.uk. As a result, these bits are of very high quality for use in the most demanding cryptographic applications, such as long term OpenPGP keys or SSL certificates. It's important to understand that these bits are not the result of a pseudorandom number generator, or PRNG such as you will find in most operating systems and software applications.
These bits are available for anyone on the Internet to use, free of charge. The benefit to you is to keep your entropy pool filled with high quality, true random data. Keeping your pool filled will speed up cryptographic software applications that need a lot of entropy for generating one-time session keys, long term keys, passwords, etc. You can follow the status of these entropy keys at http://zen.ae7.st/munin/ae7.st/hundun.ae7.st/index.html#sensors.
The domain "hundun.ae7.st" is assembled from two pieces. First is the concept of chaos in Chinese cosmogony. Hundun is the "primordial and central chaos", literally the power of chaos in Zen and the Tao. However, hundun is the supreme ideal of Taoism. Rather than noise as the Western society would have it, chaos is wholeness, oneness and nature. Chaos is the natural state of the world and the universe. Chaos is aesthetically pleasing- a state all taoists wish to achieve.
The second part of the fully qualified domain name, ae7.st, comes from my Amateur Radio callsign, AE7ST, who is Aaron Toponce, the administrator of this site. So, you could think of hundun.ae7.st as literally "chaos coming from Aaron Toponce". Further, having visited http://random.org, I wanted to provide random data to the community that they could do with as they pleased, rather than hand out the results. Thus, this server was created.
If you are interested in receiving these bits, you will need to install some software on your system to act as a client receiving them. I will assume that you are running Debian GNU/Linux as the client. Any GNU/Linux operating system should suffice, however. I have not tested this procedure with BSD, Mac OS X, Windows or mobile operating systems. However, the general idea is to connect to port 1337, decrypt the SSL-encrypted packets, and feed them into your operating system's entropy pool.
First install the software:
$ sudo aptitude install stunnel4 ekeyd-egd-linux
Configure stunnel to start on boot by editing the /etc/default/stunnel configuration file:
# /etc/default/stunnel # Julien LEMOINE <email@example.com> # September 2003 # Change to one to enable stunnel automatic startup ENABLED=1 FILES="/etc/stunnel/*.conf" OPTIONS="" # Change to one to enable ppp restart scripts PPP_RESTART=0
Then configure Stunnel to connect to the remote port by adding the following to your /etc/stunnel/stunnel.conf configuration file:
client=yes [ekeyd] accept=8888 connect=126.96.36.199:1337
Then configure the ekeyd-egd-linux client to start on boot by editing the /etc/default/ekeyd-egd-linux configuration file, and change the reconnect to 60 seconds, in the event of a network connection timeout:
# Change to YES to allow ekeyd-egd-linux to start. Ensure the below are # correctly configured first though. START_EKEYD_EGD_LINUX=YES # Change this if you want it to be something other than the default # HOST=127.0.0.1 # PORT=8888 # Number of bits minimum in the pool, below which the daemon will kick in # and transfer data from the EGD to the pool (providing it's available) # WATERMARK=1024 # Number of 1024 bit (128 byte) blocks to transfer to the kernel each # time it dips below the low water mark. # BLOCKS=3 # How many shannons-per-byte to claim for data pushed to the pool # SHANNONS=7 # How many seconds between connection retries. Zero means do-not-retry. RETRYTIME=60
Now (re)start the stunnel and ekeyd-egd-linux daemons:
$ sudo /etc/init.d/stunnel restart $ sudo /etc/init.d/ekeyd-egd-linux restart
Verify now that you have made the connection, and that you are filling your entropy pool:
$ netstat -tan | awk '/ESTABLISHED/ && /188.8.131.52:1337/' tcp 0 0 10.80.86.100:35829 184.108.40.206:1337 ESTABLISHED $ cat /proc/sys/kernel/random/entropy_avail 3968
Using these bits is completely harmless. Anyone on the system can write to /dev/random. Writing non-random, predictable data is harmless. Worst case, your entropy pool will not increase. Further, you can test the quality of randomness that I am serving, by using some random number tests, such as the FIPS 140-2 tests by rngtools:
$ timeout 90m rngtest < /dev/random rngtest 2-unofficial-mt.14 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: bits received from input: 2761920 rngtest: FIPS 140-2 successes: 138 rngtest: FIPS 140-2 failures: 0 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 0 rngtest: FIPS 140-2(2001-10-10) Runs: 0 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=448.557; avg=511.442; max=642.006)bits/s rngtest: FIPS tests speed: (min=11.226; avg=79.012; max=176.606)Mibits/s rngtest: Program run time: 5400000922 microseconds
This server is powered currently by a Raspberry Pi running Nginx behind a crappy DSL connection. As a result, I am constantly monitoring for abuse or heavy connections. If you are abusing my light setup, I will firewall you away from the hardware, and you will not be able to use the service. If you use the above defaults, and leave your box powered on 24/7, everything will be fine. If you change the WATERMARK to 4096, and run a cluster of computers as clients to this setup, you will likely be banned. So, please don't ruin it for everyone else by flooding my pipe with your datacenter. Instead, spend the $40 on your own entropy keys. If you are unsure, email me at firstname.lastname@example.org. Thanks.