An Evaluation On The Entropy Supplying Capability Of Smartphone Sensors

Abstract

Abstract Random numbers are very important for the security of computer system. However, generating qualified random numbers is difficult because we cannot always successfully introduce dedicated random number hardware into computer system. Although most operating systems provide random number generation capabilities, the effective entropy supply is still dependent on the hardware platform including memory and clocks etc. However, obtaining hardware events such as clocks requires system privileges, which is not conducive for entropy estimation at the application layer. In contrast, data related to the sensor hardware can be extracted directly at the application layer. These sensor data contain some randomness and may be used as a noise source. In this way, applications can use these sensors to implement their own proprietary random number generators. Before taking these sensors as the noise source, it is necessary to fully evaluate their entropy supply capability. In this paper, 300 Android smartphones and 30 iOS smartphones are selected as samples and their sensor entropy supply capabilities are comprehensively evaluated. Based on the entropy evaluation results, we give some suggestions on how to generate random numbers using these sensor data. We first design a framework for evaluating the entropy supply capability for smartphone sensors, based on the min-entropy estimation method proposed in NIST SP 800-90B. According to this framework, we simulate stationary and mobile working states for each smartphone, and collect sufficient sensor data as the min-entropy estimation dataset. The min-entropy estimation results show that in the stationary working state, each ACCELEROMETER sensor data collection can obtain at least 1.5 bits of entropy in Android, while each GYROSCOPE sensor data collection can obtain at least 20 bits of entropy in iOS. In the mobile working state, each ACCELEROMETER sensor data collection can obtain at least 1.9 bits of entropy, while each GYROSCOPE sensor data acquisition in iOS system can obtain at least 27 bits of entropy. This means that we can still get a stable entropy output from the sensor even when the smartphone is in stationary working state. Statistical analysis of the data using cross correlation methods suggests it is hard for an attacker to guess or predict the random numbers generated by a smartphone through another smartphone put in the similar external environment.