[Cryptography] Dieharder & /dev/urandom

Yann Droneaud ydroneaud at opteya.com
Wed May 15 05:28:01 EDT 2019


Slightly off-topic:

On Tuesday, 14 May 2019 at 19:41 -0400, John Kelsey wrote:
> 
> The practical issue with /dev/urandom is that it’s never allowed to
> block, so in some extreme circumstances you could be getting output
> bits even though the system hasn’t managed to collect any
> entropy.  This was apparently behind the finding a few years back of
> a bunch of appliance routers and firewalls whose RSA keys shared
> primes.  (This demonstrates a disastrous lack of entropy!) Note that
> the statistics of those systems’ /dev/urandom outputs would have been
> fine if checked—the problem was only visible when you looked at many
> different machines’ outputs.  
> 

It's "only" a boot problem (albeit a big issue).

As soon as "enough" entropy is gathered and the kernel CSPRNG is "well"
seeded, /dev/random and /dev/urandom outputs are of equal quality.

https://www.2uo.de/myths-about-urandom

Anyway, getrandom(,, 0) should be preferred now as:
1) it blocks until the kernel CSPRNG is seeded, eliminating the boot
issue (except when you're PID 1, in charge of initializing the
system);
2) it doesn't block after that;
3) it doesn't require opening a file.

Entropy tracking done for /dev/random is controversial.
See this thread from Filippo Valsorda:

https://twitter.com/FiloSottile/status/1125843366837616640

Regards.

-- 
Yann Droneaud
OPTEYA
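As an added example, not part of Yann's message, here is the getrandom(,, 0) pattern he recommends, written as a small C helper. It assumes Linux 3.17 or later for the syscall and glibc 2.25 or later for <sys/random.h>; the function names are mine. fill_random() uses flags 0, so it blocks only until the kernel CSPRNG is seeded and never afterwards, and it loops over EINTR and short reads (the kernel may return fewer bytes than requested for reads above 256 bytes). csprng_is_seeded() shows the GRND_NONBLOCK probe that an early-boot program such as PID 1 can use to learn whether the pool is initialised without blocking on it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Fill buf with len bytes from the kernel CSPRNG using getrandom(2) with
 * flags 0: blocks until the pool is initialised, never blocks after that.
 * Retries on EINTR and on short reads. Returns 0 on success, -1 on error
 * with errno set (e.g. ENOSYS on a kernel older than 3.17). */
int fill_random(void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            return -1;
        }
        p += n;
        len -= (size_t)n;           /* short read: ask for the rest */
    }
    return 0;
}

/* Non-blocking probe for early boot (the PID 1 case): returns 1 if the
 * kernel CSPRNG is seeded, 0 if it is not yet (EAGAIN), -1 on other errors. */
int csprng_is_seeded(void)
{
    unsigned char byte;
    if (getrandom(&byte, 1, GRND_NONBLOCK) == 1)
        return 1;
    if (errno == EAGAIN)
        return 0;
    return -1;
}

/* Sanity check on the helper: two 32-byte draws must succeed, must not be
 * all zero, and must differ from each other. Returns 1 on success, 0 if
 * anything looks wrong. (Collision probability here is about 2^-256.) */
int random_self_check(void)
{
    unsigned char a[32], b[32], zero[32] = {0};
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0)
        return 0;
    if (memcmp(a, zero, sizeof a) == 0 || memcmp(b, zero, sizeof b) == 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned char key[16];

    printf("CSPRNG seeded: %d\n", csprng_is_seeded());
    if (fill_random(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return random_self_check() ? 0 : 1;
}
```

On a system that has finished booting csprng_is_seeded() returns 1 immediately; a program that really may run before the pool is initialised should either accept the block from flags 0 or poll the GRND_NONBLOCK variant and defer key generation, rather than fall back to reading /dev/urandom, which would hand out bytes regardless.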
