Linux-style kernel PRNGs and the FIPS140-2 test

clenahan at fortresstech.com
Tue Jan 15 18:00:21 EST 2002


At 03:23 PM 1/15/2002 -0500, Thor Lancelot Simon wrote:
>Many operating systems use "Linux-style" (environmental noise
>stirred with a hash function) generators to provide "random"
>and pseudorandom data on /dev/random and /dev/urandom
>respectively.  A few modify the general Linux design by adding an
>output buffer which is not stirred so that bits which have already
>been output are not stirred into the pool of "new" "random" data
>(IMO, not doing this is insane, but that's a different subject).
>
>The enclosed implementation of the FIPS140-1/2 statistical test
>appears to show that such generators fail the "runs" test quite
>regularly.  Interestingly, the Linux generator seems to do better
>the longer you let it run (which, perhaps, suggests that quite a
>bit of data should be run through it at boot time and discarded)
>but other, related generators do not.
>
>The usual failure mode is "too many runs of 1 1s".  Using MD5
>instead of SHA1 as the mixing function, the Linux generator
>also displays "too many runs of 1 0s".  I have not yet seen
>other failure modes from these generators.
>
>To reproduce my results, just compile the enclosed and do
>"a.out < /dev/urandom" on your platform of choice.
>
>Thor
>

What happens when you do it to /dev/random?

My understanding was that /dev/random will only return data if it
has enough entropy, otherwise it blocks. /dev/urandom will get its
values from /dev/random until it blocks, then it continues by outputting pseudo
garbage.

The use of /dev/urandom is for non-cryptographic stuff that can't block
on its reads, like a read to /dev/random would.

Plus, shouldn't you only be using it as a seed to a Yarrow or a FIPS PRNG 
like X917?
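For readers who do not have Thor's attachment, the following is an added, stand-alone implementation of the FIPS 140-2 runs test the thread is discussing (it is not the program from the original mail). It reads one 20,000-bit sample from stdin, assumes MSB-first bit order within each byte, reports failures in the same "too many runs of 1 1s" wording, and uses the interval table printed in FIPS 140-2 (2001); the later change notice revised those bounds.

```c
/* Added example (not Thor's attached program): the FIPS 140-2 "runs" test
 * for a 20,000-bit sample, with the interval table from FIPS 140-2 (2001). */
#include <stdio.h>
#include <string.h>

#define FIPS_BITS  20000
#define FIPS_BYTES (FIPS_BITS / 8)

/* Allowed number of runs for lengths 1..5 and 6+ (index 0 unused). */
static const int lo[7] = { 0, 2315, 1114, 527, 240, 103, 103 };
static const int hi[7] = { 0, 2685, 1386, 723, 384, 209, 209 };

/* hist[b][k] = runs of bit value b with length k (k == 6 means 6 or more). */
void runs_histogram(const unsigned char *buf, int hist[2][7])
{
    int i, len = 0, cur = -1;
    memset(hist, 0, sizeof(int[2][7]));
    for (i = 0; i < FIPS_BITS; i++) {
        int bit = (buf[i / 8] >> (7 - i % 8)) & 1;    /* MSB first */
        if (bit == cur) { len++; continue; }
        if (cur >= 0) hist[cur][len > 6 ? 6 : len]++;  /* close previous run */
        cur = bit; len = 1;
    }
    hist[cur][len > 6 ? 6 : len]++;                    /* close final run */
}

/* Report each out-of-interval count in the wording quoted in the thread
 * ("too many runs of 1 1s") and return the number of violations. */
int runs_test(int hist[2][7])
{
    int b, k, bad = 0;
    for (b = 0; b < 2; b++)
        for (k = 1; k <= 6; k++)
            if (hist[b][k] < lo[k] || hist[b][k] > hi[k]) {
                printf("too %s runs of %d %ds: %d\n",
                       hist[b][k] < lo[k] ? "few" : "many", k, b, hist[b][k]);
                bad++;
            }
    return bad;
}
/* Same invocation as in the thread: ./a.out < /dev/urandom (or /dev/random,
 * which may block until 20,000 bits of estimated entropy are available). */
int main(void)
{
    unsigned char buf[FIPS_BYTES];
    int hist[2][7];
    if (fread(buf, 1, FIPS_BYTES, stdin) != FIPS_BYTES) return 2;
    runs_histogram(buf, hist);
    return runs_test(hist) ? 1 : 0;
}
```

A degenerate input makes the failure reports easy to interpret: feeding 2,500 bytes of 0xAA yields 10,000 runs of length 1 for each bit value and every other length count of zero.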

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com