[Cryptography] randomness +- entropy

John Kelsey crypto.jmk at gmail.com
Wed Nov 6 19:16:30 EST 2013


On Nov 5, 2013, at 6:09 PM, Theodore Ts'o <tytso at mit.edu> wrote:

> On Tue, Nov 05, 2013 at 05:31:12PM -0500, John Kelsey wrote:
>> 
>> Is there any way for a program to find out if /dev/urandom has been
>> seeded properly?
> 
> Currently, there isn't.  We could add it, but most programs aren't
> going to check for such a flag.  

It seems like this would allow stuff like OpenSSL to do the right thing (initialize from /dev/urandom, but only once it has reached a secure state) with no more performance impact than necessary.  Ideally, /dev/urandom would accumulate entropy till it had a lot and then catastrophically reseed and set its "ready" flag.  And then any crypto application could check the flag, and read its PRNG seed or starting value for its prime number search from /dev/urandom only when the flag was set.

--John
...
> My current thinking is that whether or not urandom is fully
> initialized by the time should really be more of an attribute of the
> overall system design rather than the application program.  Hence my
> emphasis on having kernel printk's so we can understand whether or not
> we have a problem, and if so, how bad is it.  My expectation is that
> we're probably fine for most x86 desktops and servers (so most
> developers who use those as development machines don't have a strong
> incentive to do much on those platforms), but we have a much bigger
> problem on ARM and MIPS embedded/consumer electronics devices.

It seems like the best way for things to work would be that /dev/urandom always gave cryptographically strong random numbers.  But if that isn't always going to be the case, then application programs that really need that should be able to check to see if they can safely draw a PRNG seed out of /dev/urandom yet, or if they need to wait or ask the user to do something.  The alternative is silent failures that lead to low-entropy keys and breakable systems.

> I could add an ioctl which returns the state of the pool initialized
> flag, or which blocked until the pool is considered initialized, but
> I'm not convinced that enough programs would really use it.  

I don't have any intuition for how much work this is, but it seems pretty critical.  Right now, if someone is generating a cryptographic key on a Linux system, there seems to be no way for them to generate that key from /dev/urandom safely, because they can't really know if /dev/urandom will be in a secure state when they need to generate their key.  I guess the right guidance to give them now is "generate your key from /dev/random."  

>                   - Ted

--John
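An added example, not part of the original thread or of the kernel code being discussed: the "ready flag" check Kelsey asks for is what the Linux getrandom(2) system call, added later in kernel 3.17, exposes. A call with flags 0 blocks until the urandom pool has been initialized and then returns bytes; GRND_NONBLOCK instead fails with EAGAIN while the pool is not yet seeded, so a program can probe readiness without waiting. The helper names below (urandom_ready, read_seed_blocking) are the example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Probe the "ready flag": a non-blocking one-byte read succeeds only once
 * the kernel's urandom pool has been initialized.
 * Returns 1 if seeded, 0 if the kernel reports EAGAIN (not yet seeded),
 * -1 on any other error (e.g. a kernel or libc without getrandom). */
int urandom_ready(void) {
    unsigned char probe[1];
    ssize_t r = getrandom(probe, sizeof probe, GRND_NONBLOCK);
    if (r == 1)
        return 1;
    if (r < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Fill seed[0..len) from the kernel CSPRNG, blocking until the pool is
 * initialized (flags = 0).  Handles EINTR and short reads, which the
 * syscall may return for requests larger than 256 bytes.
 * Returns 0 on success, -1 on failure. */
int read_seed_blocking(unsigned char *seed, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t r = getrandom(seed + got, len - got, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            return -1;
        }
        got += (size_t)r;
    }
    return 0;
}

/* Sanity check that a buffer is not degenerate (all bytes identical);
 * a cheap guard against a broken or stubbed RNG, not an entropy test.
 * Returns 1 if at least two distinct byte values occur, else 0. */
int seed_not_constant(const unsigned char *seed, size_t len) {
    for (size_t i = 1; i < len; i++)
        if (seed[i] != seed[0])
            return 1;
    return 0;
}

int main(void) {
    unsigned char seed[32];     /* 256-bit seed for a userspace PRNG */

    int ready = urandom_ready();
    printf("urandom pool ready: %s\n",
           ready == 1 ? "yes" : ready == 0 ? "not yet" : "unknown");

    /* Whether or not the probe said "ready", this call waits for the pool
     * before handing out a seed, which is the behaviour wanted for key
     * generation. */
    if (read_seed_blocking(seed, sizeof seed) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("seed:");
    for (size_t i = 0; i < sizeof seed; i++)
        printf(" %02x", seed[i]);
    printf("\n");
    return seed_not_constant(seed, sizeof seed) ? 0 : 1;
}
```

Build with `cc -o seedcheck seedcheck.c` on Linux with glibc 2.25 or later. The blocking call is the one to use for key material; the non-blocking probe is for code that would rather report "not ready" (or prompt the user) than hang, which is the choice the message above describes.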
