top | item 10150523

(no title)

msm23 | 10 years ago

I prefer to trust the NSA on these matters. They end up saying much of what the author has written, but they make it clear why you want to use one vs the other.

The excerpt below is from https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/S... (which in turn also references https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/S... )

Unix-like Platforms (e.g. Linux, Android, and Mac OS X):

Application developers should use the fread function to read random bytes from /dev/random for cryptographic RNG services. Because /dev/random is a blocking device, /dev/random may cause unacceptable delays, in which case application developers may prefer to implement a DRBG using /dev/random as a conditioned seed.

Application developers should use the “Random Number Generators: Introduction for Operating System Developers” guidance in developing this solution. If /dev/random still produces unacceptable delays, developers should use /dev/urandom which is a non-blocking device, but only with a number of additional assurances:

- The entropy pool used by /dev/urandom must be saved between reboots. - The Linux operating system must have estimated that the entropy pool contained the appropriate security strength entropy at some point before calling /dev/urandom. The current pool estimate can be read from /proc/sys/kernel/random/entropy_avail.

At most 2^80 bytes may be read from /dev/urandom before the developer must ensure that new entropy was added to the pool.

discuss

wfleming|10 years ago

Maybe I'm just tired & not able to detect sarcasm right now, but isn't 2^80 bytes more bytes than are currently stored in the world? That's on the order of 10^24, which is something like 1 million exabytes, which is a million squared terabytes, right?

mfukar|10 years ago

The amount of digitally stored information in the world as of May 2009 [1] is in the order of 2^71. There's no way a single process in a Linux distro will live long enough to read 2^80 bytes for the foreseeable future.

[1] http://www.theguardian.com/business/2009/may/18/digital-cont...

raverbashing|10 years ago

No, it's called being safe

And I wouldn't put it past them to have an attack (at least theorectical) that exploits this

viraptor|10 years ago

> in which case application developers may prefer to implement a DRBG using /dev/random as a conditioned seed.

Wait, what? dev/urandom is a DRBG seeded the same way dev/random is. This doesn't seem to make sense.

sago|10 years ago

Nods

You're very unlikely to be continually reseeding your own DBRG with new entropy, so it will be less secure than /dev/urandom, which is.

Suspiciously bad advice, there, from what I can see.

nshepperd|10 years ago

Is the joke that this is awful advice?

(Except for saving the entropy pool between reboots, which can be useful, afaik.)

ben_bai|10 years ago

> application developers may prefer to implement a DRBG using /dev/random as a conditioned seed

No. Doing random in userland is just wrong. If your program has access to /dev/urandom, use it. If not, use arc4random().

> “Random Number Generators: Introduction for Operating System Developers”

Or look how OpenBSD does it. (getentropy(), arc4random(), the subsystem)

> The entropy pool used by /dev/urandom must be saved between reboots.

OpenBSD does this, and more. The bootloader basically seeds the kernel with old entropy from before the reboot.

geofft|10 years ago

> - The entropy pool used by /dev/urandom must be saved between reboots.

Every single Linux distro does this.