[Cryptography] randomness +- entropy

Theodore Ts'o tytso at mit.edu
Sun Nov 10 09:44:39 EST 2013


On Sun, Nov 10, 2013 at 12:57:01PM +0300, ianG wrote:
> 
> Also, it seems the preference to many is to block while not
> receiving quality RNs;  is speed really an issue?

Some people have whined at me about the speed of /dev/urandom, and how
"wasteful" it is in CPU utilization.  In my original conception of the
world, something like the Open VPN server or the Kerberos KDC server
would periodically grab randomness from /dev/random, and then run
their own CSRNG in userspace.  Originally back in 1994, /dev/urandom
was almost an afterthought; I thought the more popular interface would
be /dev/random.  Which shows you how much I knew back then.  :-)

Over time, it's been clear that people don't want to implement their
own CSRNG in userspace, and they would much rather use /dev/urandom
for everything --- session keys, random padding, even to wipe a hard
drive ("dd if=/dev/urandom of=/dev/hdc bs=8k").  The last is probably
ludicrous, but if you have a really prolific user of /dev/urandom,
this can be a measurable amount of CPU time (and battery consumed).
For example, if you set up the kernel tracepoint
"extract_entropy_user", and then try reading e-mail using the Chrome
browser and gmail, you will probably be quite astounded how many reads
from /dev/urandom you will find.

This is also a great way to find bugs such as the one in libnss which
opens /dev/urandom using fopen() in buffered mode, which means it
pulls in 4k out of /dev/urandom as soon as libnss is initialized.  (And
apparently Chrome runs libnss in at least two sandboxes, so that's
responsible for two 4k reads from /dev/urandom at Chrome startup;
there's a bug filed already for that problem.)

> Presumably, if your need is only for whitening the output, you could
> also look at SHA3.  The core algorithm comes from the same team (or
> close) and it has a lot of flexibility in its sponge construction
> that might help it play a bigger part.  It should be faster than
> AES.

Yes, that's probably worth looking at as well.

Cheers,

						- Ted


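The buffered-fopen() over-read Ted describes above, as an added example that is not part of the original thread or of libnss: a constructed 8 KiB temp file stands in for /dev/urandom (so the fd offset can be inspected after each read), and the three functions report how many bytes the kernel actually hands out when 16 are requested through a buffered stdio stream, through the same stream after setvbuf(_IONBF), and through read(2). The 4k figure assumes glibc, which sizes the stdio buffer from st_blksize.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for /dev/urandom: an 8 KiB temp file. Its fd offset
 * after a read tells us how many bytes the kernel actually handed out. */
#define POOL_BYTES 8192
#define WANT 16
static const unsigned char POOL[POOL_BYTES];   /* constructed filler, all zero */

static int make_pool(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, POOL, sizeof POOL);
    close(fd);
    return n == (ssize_t)sizeof POOL ? 0 : -1;
}

/* Request WANT bytes through stdio. On a buffered stream glibc's first
 * fread() fills the whole stdio buffer (st_blksize, 4k for /dev/urandom),
 * which is the libnss bug; setvbuf(_IONBF) makes it fetch only WANT. */
long consumed_via_stdio(const char *path, int unbuffered) {
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    if (unbuffered) setvbuf(fp, NULL, _IONBF, 0);
    unsigned char out[WANT];
    long consumed = fread(out, 1, WANT, fp) == WANT ? lseek(fileno(fp), 0, SEEK_CUR) : -1;
    fclose(fp);
    return consumed;
}

/* Same request through read(2): exactly WANT bytes leave the pool. */
long consumed_via_read(const char *path) {
    int fd = open(path, O_RDONLY);
    unsigned char out[WANT];
    long consumed = fd >= 0 && read(fd, out, WANT) == WANT ? lseek(fd, 0, SEEK_CUR) : -1;
    if (fd >= 0) close(fd);
    return consumed;
}

int overread_demo_ok(void) {   /* 1 iff the buffered stream over-reads and both fixes take exactly WANT */
    char path[] = "/tmp/pool-XXXXXX";
    if (make_pool(path) != 0) return 0;
    long buf = consumed_via_stdio(path, 0), nobuf = consumed_via_stdio(path, 1);
    long raw = consumed_via_read(path);
    unlink(path);
    return buf > WANT && buf <= POOL_BYTES && nobuf == WANT && raw == WANT;
}
```

On a real /dev/urandom the over-read cannot be seen from an offset, which is why Ted suggests the extract_entropy_user tracepoint; here the temp file makes the same effect visible without tracing.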