On a device that does not have a hardware RNG, what is the best source for entropy?
Some options and pitfalls floating around:
Most microcontrollers that are suitable for crypto I've seen have a variant with a hardware RNG. For example the PIC32 series by Microchip.
However, if not, what you could do is attaching some sensor to an ADC. It would depend on your environment what kind of sensor you could use. It can be anything, which is not easily manipulated (at least not in the LSB(s)).
Then, take the LSB(s) from the ADC, or better yet, use a randomness extractor. How often you can fetch me bits, and how many you can fetch at a time, depends on the ADC, the sensor and the environment, and the security level you want to reach.
If you can go a bit further than just your microcontroller, there are some small hardware circuits that can be used to create randomness. One example is using a diode's avalanche effect.
Avalanche noise is the noise produced when a junction diode is operated at the onset of avalanche breakdown. It occurs when carriers acquire enough kinetic energy under the influence of the strong electric field to create additional electron-hole pairs by colliding with the atoms in the crystal lattice. If this process happens to spill over into an avalanche effect, random noise spikes may be observed.
In short, we can use a diode with some external circuitry to create random noise spikes. If we then amplify that signal and feed it to a comparator, we get a random bit string.
I have done some experiments here: https://github.com/kuro68k/xrng
TL;DR using the LSB of an Atmel XMEGA's internal temperature sensor and VCC/10 inputs to the ADC, then feeding that through a CRC32 algorithm for whitening resulted in an RNG that passed Diehard, NIST's tests and looks good in ent.
