[Cryptography] Dieharder & /dev/urandom

John Kelsey crypto.jmk at gmail.com
Tue May 14 19:41:36 EDT 2019


On May 14, 2019, at 9:17 AM, Michel Arboi <michel.arboi at gmail.com> wrote:

...
> I played with Dieharder (evolution of the famous Diehard statistics tests)
> There was a known bug with 500 & 501 generators (/dev/random and /dev/urandom):
> https://bugzilla.redhat.com/show_bug.cgi?id=803292
> https://bugs.gentoo.org/677386
> 
> Once this bug is fixed, or by using a file filled with binary data
> (dieharder -g 201 ...) I still find weaknesses with urandom
> 1. I get at least one WEAK result nearly every time I run "dieharder -a -g 501"
> 2. These weaknesses do not appear with /dev/random
> 3. The tests which failed are not always the same.

/dev/urandom is giving you cryptographically processed bits, so I’m like 99.99% sure what you’re seeing is that you ran lots of tests each with a small probability of giving a false positive, and a couple false positives happened.  

The practical issue with /dev/urandom is that it’s never allowed to block, so in some extreme circumstances you could be getting output bits even though the system hasn’t managed to collect any entropy.  This was apparently behind the finding a few years back of a bunch of appliance routers and firewalls whose RSA keys shared primes.  (This demonstrates a disastrous lack of entropy!) Note that the statistics of those systems’ /dev/urandom outputs would have been fine if checked—the problem was only visible when you looked at many different machines’ outputs.  

—John
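A back-of-the-envelope check of the multiple-testing point made in the reply above, added here as an example and not part of the original thread. The Dieharder verdict thresholds (WEAK for a p-value outside [0.005, 0.995], FAILED below 1e-6) and the count of roughly 114 test instances in a `dieharder -a` run are assumptions about its defaults, not values taken from the thread.

```python
import random

# Assumed Dieharder defaults (its -W Xweak and -X Xfail options).
XWEAK = 0.005            # two-sided: p < XWEAK or p > 1 - XWEAK prints WEAK
XFAIL = 1e-6             # p below this prints FAILED
TESTS_IN_FULL_RUN = 114  # assumed number of test instances in "dieharder -a"


def classify(p: float) -> str:
    """Verdict dieharder would print for a single test p-value."""
    if p < XFAIL:
        return "FAILED"
    if p < XWEAK or p > 1.0 - XWEAK:
        return "WEAK"
    return "PASSED"


def expected_weak_probability(n_tests: int, xweak: float = XWEAK) -> float:
    """Probability that a perfect generator draws at least one WEAK verdict in
    n_tests independent tests. Under the null hypothesis every p-value is
    uniform on [0, 1], so each test is WEAK with probability 2 * xweak."""
    return 1.0 - (1.0 - 2.0 * xweak) ** n_tests


def simulate_runs(n_runs: int, n_tests: int = TESTS_IN_FULL_RUN, seed: int = 1):
    """Simulate n_runs full runs against an ideal source (constructed: every
    p-value drawn uniformly). Returns the fraction of runs with at least one
    non-PASSED verdict and the set of test indices flagged at least once; the
    latter shows the flagged test moving around between runs, as observed."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    runs_with_flag = 0
    flagged = set()
    for _ in range(n_runs):
        verdicts = [classify(rng.random()) for _ in range(n_tests)]
        hits = [i for i, v in enumerate(verdicts) if v != "PASSED"]
        if hits:
            runs_with_flag += 1
            flagged.update(hits)
    return runs_with_flag / n_runs, flagged


if __name__ == "__main__":
    print(f"P(>=1 WEAK in {TESTS_IN_FULL_RUN} tests) = "
          f"{expected_weak_probability(TESTS_IN_FULL_RUN):.3f}")
    frac, flagged = simulate_runs(2000)
    print(f"simulated: {frac:.3f} of runs had a WEAK verdict; "
          f"{len(flagged)} distinct tests were flagged at least once")
```

With these assumptions an ideal generator shows at least one WEAK in about two runs out of three, which is the pattern the original poster reported; a WEAK that persists when the same test is rerun with fresh data is the signal worth investigating.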


