[Cryptography] Plenty random for everyone

ianG iang at iang.org
Fri Feb 21 07:23:50 EST 2014 

On 21/02/2014 07:13 am, John B wrote:
> Hi All,
> 
> Long time lurker - first time posting. Please be nice...
> 
> I've been pondering Ted's comments here:
>> Some people have whined at me about the speed of /dev/urandom, and how
>> "wasteful" it is in CPU utilization.  In my original conception of the
>> world, something like the Open VPN server or the Kerveros KDC server
>> would periodically grab randomness from /dev/random, and then run
>> their own CSRNG in userspace.  Originally back in 1994, /dev/urandom
>> was almost an afterthought; I thought the more popular interface would
>> be /dev/random.  Which shows you how much I knew back then.  :-)
>>
>> Over time, it's been clear that people don't want to implement their
>> own CSRNG in userspace, and they would much rather use /dev/urandom
>> for everything --- session keys, random padding, even to wipe a hard
>> drive ("dd if=/dev/urandom of=/dev/hdc bs=8k").  The last is probably
>> ludicrous, but if you have a really prolific user of /dev/urandom,
>> this can be a measurable amount of CPU time (and battery consumed).


If the user is a person who typed the above command, then 'whatever'.

If however the user is an app on a mobile phone where battery is
important then I guess their battery will tell them that using urandom
for that purpose is less than friendly.  But again it seems like an
optimisation best left to user space.


>> For example, if you set up the kernel tracepoint
>> "extract_entropy_user", and then try reading e-mail using the Chrome
>> browser and gmail, you will probably be quite astounded how reads from
>> /dev/urandom you will find.
> 
> So my question is, assuming using /dev/random as a seed for a userspace
> CSPRNG is the 'right' way to go about the business of getting random
> numbers,

That's a big assumption.


> should (/could) we perform this action on the applications behalf?

> As an example, a process with PID 2 (init was already using 1 :-)) does a
> read of /dev/random. Kernel side creates a slab of mem for holding the
> state of a CSPRNG for that specific PID which is then seeded by the 'real'
> /dev/random and returns data from that instead. This state continues to be
> used as more data is requested by the app. The state will be periodically
> seeded as and when needed.
> Similarly, PID 3, 4 etc would get their own independent slab/RNG state.


So, you are assuming that all this 'equality' of purpose lies within the
PID process, and firewall should be erected between the PID/processes.
I'd say that was just another assumption taken from the pov of
convenience.  E.g., we can do that, regardless of whether it is helpful.

Two counterpoints: Some apps are spread across multiple processes.  Some
apps have high quality needs and low quality needs.  E.g., the wiping of
data /versus/ construction of high quality keys.

> As I understand it the benefits would be that:
> a) One particular app can't DOS the system (not sure about that?)


Now they all can, together or individually :)

> b) Craziness like "dd if=/dev/random of=/dev/sda" should work 'better'

I don't know how you derive that conclusion...

> c) Attacks where a malicious actor attempts to manipulate the state of the
> entropy pool by writing data to /dev/random should be mitigated as the
> attacker can only manipulate the state of PIDs they own.*

True in principle, but I personally would rather concentrate on finding
the primary weakness and fixing it.  For all processes, assuming they
are all equally important.  OK, I see the point of this if userland is
used as a sort of sandbox as it is in Android.

> d) Apps designers don't really need to worry about if they should be using
> /dev/random or /dev/urandom

This is a point that has been highlighted by FreeBSD's approach.  What I
would like to see is some empirical observations as to whether this
approach has worked better/worse over the long term.  They've been doing
it for about a decade (memory?) so we should have some sense of the
benefit here.

> e) No more blocking on /dev/random

Right, but this is also gained by just turning random to be symlink to
urandom.


> Some drawbacks:
> a) it may somehow affect backward compatibility (?)

Random numbers are inherently backward compatible :)

> b) some people may insist on getting 'true' randomness and not just CS
> randomness** (?)


Right, why?  Q for FreeBSD.  What was that insistence really about?  I'm
genuinely curious as to where we need real random numbers as opposed to
CSRNs.

> c) It requires some more memory kernel side
> d) point e, f and g where I have overlooked something obvious and in all
> likely-hood show stopping...
> 
> Regards,
> John
> 
> * I've not read *anything* that leads me to believe an attack like this is
> actually plausible - but it may help address those ongoing concerns I've
> seen on this mailing list.
> 
> ** Tongue in cheek comment. Flame at will.


Well, it is a good time to explore all this.  I would say brave effort,
but you have failed to make your case, at least for me.  This is a good
example of how hard it is to do 'better' than the platform, which
presumably has smart people working for a long time on the problem, with
lots more research and support.

Or, 'use what your platform provides' aka Rule #1 as epoused here:
http://iang.org/ssl/hard_truths_hard_random_numbers.html



iang

More information about the cryptography mailing list