[Cryptography] Linux /dev/random and /dev/urandom

Isaac Bickerstaff jsd at av8n.com
Tue Oct 1 14:10:24 EDT 2013


On 09/30/2013 09:28 AM, dan at geer.org wrote:

> If there is anything I've learned about "the Internet" it is that
> if you ask a difficult question you will get very little in the
> way of answers you can trust a priori.  However, if you make a false
> claim, then people will come out of the woodwork to tell you that
> "You are a doofus and here is why."

That reminds me of the Linux device driver for /dev/random and 
/dev/urandom.

We know it is highly reliable, because it is used for a wide 
range of critical applications, and nobody would use it if it
weren't reliable.  Users -- as well as kernel developers -- 
are all keenly aware of how much modern cryptography depends 
on random numbers ... and how much security depends on attention 
to detail.

We know it is a "strong" RNG, because it says so, right at the 
top of the file, the drivers/char/random.c file.  Therefore there
is no need for anybody to review the code, let alone measure its
performance under real-world conditions.

I'm sure the driver was written by highly proficient cryptographers,
and subjected to a meticulous code review.

There is no way the code could have bugs that waste entropy.  There
is no way the code could have bugs that waste buffer capacity,
degrading the response to peak demand.  There is no way a variable
could be used with one undocumented meaning and then used with a
different undocumented meaning a few lines later.  There is no 
way anybody would ever create a PRNG with no lower bound on how
often it gets reseeded.

I haven't looked at the code -- heaven forbid -- but it "must" 
be well commented, in accordance with the high standards found 
throughout the kernel.


