LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Holes in the Linux random number generator?

Holes in the Linux random number generator?

Posted May 27, 2006 13:22 UTC (Sat) by kleptog (subscriber, #1183)
In reply to: Holes in the Linux random number generator? by zooko
Parent article: Holes in the Linux random number generator?

There's a lot of confusion about the difference between /dev/random and /dev/urandom. This also partly because the definitions vary across different systems.

For example, at one point libgcrypt might read a few KB of data from /dev/urandom to initialise its internal PRNG. After all, /dev/urandom is not really random so we'll just take as much as we can. On Linux ofcourse this breaks terribly because anything using /dev/random will now be without entropy. Other systems apparently run /dev/random and /dev/urandom from seperate pools, so it's not a big problem.

I think what really needs to happen is that people *think* about how much randomness they really need, given it is a somewhat scare resource. Using a few KB of entropy to seed a PRNG that only a few bytes of random data are going to be generated from is silly, you may as well read those bytes directly from the random device and save yourself a lot of effort.

(Log in to post comments)

Holes in the Linux random number generator?

Posted Jul 4, 2006 16:51 UTC (Tue) by unruh (guest, #32389) [Link]

I think that the main source of the confusion about /dev/random and /dev/urandom is the man pages. There is (almost) no case in which /dev/random is a better choice than /dev/urandom. While the claim on the man page that /dev/urandom uses a PRNG which might be in danger of attack, it is like saying that eating grapes might make you susceptible to Alzheimers and lowered sperm count. Yes, it might. There is absolutely no evidence thereof, and using /dev/random WILL cause far more problems by its blocking. Ie, the man page leaves exactly the wrong impression for a naive reader. (I just responed to a newgroup article where someone was doing
dd if=/dev/random of=/dev/hdb1
and wondering why the program seemed to hang).

Also the claim that /dev/urandom will use up the entropy pool for /dev/random on Linux does not seem to be born out tests.
dd if=/dev/urandom of=/tmp/tt &
Wait a minute ( or a few GB in /tmp/tt) and while that comand continues running do
dd if=/dev/random of=/tmp/t bs=1024 count=1
It does not block for me. It fulfills its request immediately
(Linux kernel 2.6.12-22mdk on Mandrake 2006)
(Then of course kill the first dd before you run out of disk space)

Your tests do not agree w/ mine.

Posted Nov 15, 2006 7:30 UTC (Wed) by simoncion (guest, #41674) [Link]

> Also the claim that /dev/urandom will use up the entropy pool for /dev/random on Linux does not seem to be born out tests.

My tests do not agree with yours:

dd if=/dev/urandom of=/tmp/rand1 &

Wait for a few hundred MB (This takes a couple of minutes)

dd if=/dev/random of=/tmp/rand2 &

Wait a couple of minutes, check the size of /tmp/rand2... It's 512 bytes in size.

cat /proc/sys/kernel/random/entropy_avail

And I get a number in the low double digits. When I terminate the first instance of dd, /tmp/rand2 (the file fed by /dev/random) begins increasing in size much more quickly. catting /proc/.../entropy_avail still returns a number in the single digits, as is expected. When I terminate the remaining instance of dd, catting /proc/.../entropy_avail reveals a number that increases to ~3500; also as expected.
Tested on 2.6.18-ck1-r1, Gentoo Linux.

Cheers,
Simon C. Ion

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds