Tip of the day: Using Cryptoucan™ as a random number generator

Written by Jiří Keresteš on December 12, 2019.

Did you know that you use your Cryptoucan™ as a hardware random number generator? Read on for details!

Cryptoucan™ is built upon Kinetis® K8x series MCU, which features a ring oscillator based HW random number generator (RNG). If you are interested in details, you can find more information in the reference manual[1]

But how do you access this RNG from your computer? OpenPGP card specification defines GET CHALLENGE command, which returns random bytes generated on the card. GnuPG’s smart card daemon scdaemon exposes this command via Assuan interface, available via gpg-connect-agent command-line utility.

Let’s see an example, 64 random bytes.

nephirus@soridormi:~$ gpg-connect-agent 'scd random 64' /bye
D nG7U

As you can see, there are some issues with the output. gpg-connect-agent outputs Assuan protocol messages. This means you cannot directly use this output as a random source, because returned data have “D ” header and “OK” footer. You might also prefer hex encoded output, if you are not redirecting the output directly to a file. Both can be quite easily fixed.

If you want hex output, just pass --hex parameter to gpg-connect-agent.

nephirus@soridormi:~$ gpg-connect-agent --hex 'scd random 64' /bye
D[0000]  E6 82 64 AF 19 4E ED 7F  34 6B 38 B1 ED 0E 8C 12   ..d..N..4k8.....
D[0010]  5C 52 BC 15 D6 35 29 C1  97 32 1D 27 1C 5C 60 A2   \R...5)..2.'.\`.
D[0020]  10 18 84 71 57 58 D6 33  85 60 56 C2 EF 58 13 FC   ...qWX.3.`V..X..
D[0030]  4C FC F9 DE 1E ED 6C 89  E0 50 99 55 FC 09 78 02   L.....l..P.U..x.

This is somehow better, but there is still some unnecessary Assuan garbage. Both problems can be fixed with a little bit of shell magic.

nephirus@soridormi:~$ gpg-connect-agent --decode 'scd random 64' /bye | sed -e's/^D //' | head -n -1 | xxd
00000000: 965c 200e 1549 3bc7 dbb7 45b8 1cb4 23a4  .\ ..I;...E...#.
00000010: b701 a8cd 31a5 68c0 8cd2 ad86 1f7a f35b  ....1.h......z.[
00000020: 9c40 8b6e cb07 55a6 36c2 b2c4 af50 44c6  .@.n..U.6....PD.
00000030: 2043 185d 0385 a593 2ca7 9258 60e6 6e67   C.]....,..X`.ng

Instead of piping output into xxd hexdump utility, you can redirect it into a file instead, if you wish.

nephirus@soridormi:~$ gpg-connect-agent --decode 'scd random 64' /bye | sed -e's/^D //' | head -n -1 > random.dat

Please be aware that Cryptoucan™ supports a maximum output length of 512 bytes in one request.

If you are still reading this, thanks for following us and see you next Thursday!


1. K82 Sub-Family Reference Manual, Chapter 41. Available from here.