[Cryptography] Dieharder & /dev/urandom
ydroneaud at opteya.com
Wed May 15 05:28:01 EDT 2019
Le mardi 14 mai 2019 à 19:41 -0400, John Kelsey a écrit :
> The practical issue with /dev/urandom is that it’s never allowed to
> block, so in some extreme circumstances you could be getting output
> bits even though the system hasn’t managed to collect any
> entropy. This was apparently behind the finding a few years back of
> a bunch of appliance routers and firewalls whose RSA keys shared
> primes. (This demonstrates a disastrous lack of entropy!) Note the
> the statistics of those systems’ /dev/urandom outputs would have been
> fine if checked—the problem was only visible when you looked at many
> different machines’ outputs.
It's "only" a boot problem (albeit a big issue).
As soon as "enough" entropy is gathered, the kernel CSPRNG "well"
seeded, /dev/random and /dev/urandom output are of equal quality.
Anyway getrandom(,, 0) should be prefered now as:
1) it blocks until the kernel CSPRNG is seeded, eliminating the boot
issue, (except when you're PID 1, in charge of initializing the
2) doesn't block after that.
3) doesn't require opening a file
Entropy tracking done for /dev/random is controversial.
See this thread from Filippo Valsorda:
More information about the cryptography