[Cryptography] random numbers on virtual machines?

Tom Mitchell mitch at niftyegg.com
Mon Jan 26 20:22:54 EST 2015 

On Mon, Jan 26, 2015 at 9:50 AM, Kent Borg <kentborg at borg.org> wrote:

> On 01/26/2015 09:57 AM, Henry Baker wrote:
>
>> So what's the best practice for random numbers on a virtual machine.
>>
>
> If I may carp: "best practice" is a horrible term.

......

> t want the best way you want bad ways, too, including discussions of what
> makes the bad!


Buttons are good especially when they ring clear and unambiguous alarms.
The concurrent discussion about the Rand-Pi illuminates this need.

A better practice might be to export random bits from one or
more devices on the network and blend them together in
a way that you know and hopefully understand.

Virtual machines have difficulty exporting individual hardware resources
to multiple VMs.  The hardware foundations of good RNG devices do not lend
themselves
to virtualization  and/or  multiplexing the way network connections do.  So
yes, better solutions should be considered.   Multiplexing the host random
bits can involve a mutual exclusion lock that slows things down.  Owning
the host itself is not an option in many cloud solutions.

Network connection to a port on a set of machines you have some control over
and a process on each that can  read /dev/*rand* and deliver a little or a
lot depending on
the hardware.  Use  good programming practices and perhaps iptables to
limit connections
as well as design the process to throttle connections and share the bits.

You can insert entropy into the local RNG under /dev/*rand* or address your
needs in different ways.

No matter what you elect to do you will promptly find a better way so make
sure
to isolate what you do so the new and better solution is easy to install.

There are network available random numbers that should not be trusted
as a single source.  Mixing three and adding bits of your own can seed
your local PRNG to good effect.  Good enough to invite critical review.

There are three obvious /dev/random /dev/urandom and library functions
like random(), rand() see srand().

See what this returns:
   cat /proc/sys/kernel/random/entropy_avail


-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150126/f0048429/attachment.html>

More information about the cryptography mailing list