Persisting /dev/random state across reboots

Thu Jul 29 17:25:19 EDT 2010

On 07/29/2010 12:47 PM, Richard Salz wrote:

> At shutdown, a process copies /dev/random to /var/random-seed which is 
> used on reboots.  [1]

Actually it typically copies from /dev/urandom not /dev/random,
but we agree, the basic idea is to save a seed for use at the
next boot-up.

> Is this a good, bad, or "shrug, whatever" idea?

Before we can answer that, we must have a brief "what's your 
threat model" discussion.  As always, I define "random" to 
mean "random enough for the application".  The demands vary 
wildly from application to application.  Interesting use cases
include:
 a) low-grade randomness: For non-adversarial applications
  such as Monte Carlo integration of a physics problem, 
  almost any RNG will do.
 b) high-grade randomness: For high-stakes adversarial
  applications, including crypto and gaming, I wouldn't trust 
  /dev/urandom at all, and details of how it gets seeded are 
  just re-arranging the deck chairs on the Titanic.

Discussion:

A) For low-grade applications, procedure [1] is well suited.
It is clearly better than nothing, although it could be
improved.

A conspicuous weakness of procedure [1] is that gets skipped
if the machine goes down due to a software fault, or power
failure, or really anything other than an orderly shutdown.

Rather than writing the file at the last possible opportunity,
it would make at least as much sense to write it much earlier, 
perhaps immediately after boot-up.

B)  At the other extreme, for high-grade applications, /dev/random
is not (by itself) good enough, and asking how it gets seeded is 
just re-arranging deck chairs on the Titanic.

Tangential remark:  It would be nice if the random-seed file 
could be written in a way that did not deplete the amount of
entropy stored in /dev/random ... but given the existing linkage 
between /dev/random and /dev/urandom it cannot.  On the other 
hand, if you have reason to worry about this issue, you shouldn't 
be using /dev/urandom at all anyway.  Remember what von Neuman 
said about living in sin.

Tangential remark:  You could worry about how carefully we
need to read-protect the random-seed file (and all backups
thereof).  But again, if you are worried at that level of
detail, you shouldn't be using a PRNG anyway.  If it needs 
a seed, you are living in sin.

Constructive suggestion:  Use something like Turbid:
  http://www.av8n.com/turbid/
i.e. something that generates a steady stream of honest-to-
goodness entropy.

If you are not sure whether you need Turbid, you ought to use 
it.  It's cheap insurance.  The cost of implementing Turbid is 
very small compared to the cost of proving you don't need it.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com