[Cryptography] Random numbers only once

Theodore Ts'o tytso at mit.edu
Wed Feb 5 10:46:57 EST 2014

On Mon, Feb 03, 2014 at 09:12:55PM -0800, Watson Ladd wrote:
> As DJB pointed out on another listhost, one only needs 256 random bits
> once, and can then use a PRF to generate an indefinite number forever.
> Why does /dev/random not do this and so avoid blocking after startup?
> It wouldn't be that hard to write to a defined block of a disk image
> these 32 random bytes.

Linux distributions extract some number of bytes from /dev/urandom and
then use this to seed the entropy pool for the next boot cycle, and
have since the very beginning[1].  This is done at shutdown, and also
right after the entropy pool is seeded at startup (so the value used
to seed the system at boot can not be exposed, and so we don't use the
same seed value after an unclean shutdown).

[1] I have been amused for a while now how many people have been
making assumptions without understanding how things actually work.

However, because the state file could get compromised (i.e., the disk
image gets copied/ghosted or accessed directly while the system is
shut down), we don't make any assumptions about the state file being
secure, and hence give no entropy credit.  


					- Ted

More information about the cryptography mailing list