LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

What's the problem?

What's the problem?

Posted Feb 16, 2003 10:29 UTC (Sun) by Peter (guest, #1127)
In reply to: What's the problem? by Ross
Parent article: Mandrake security update to util-linux

I thought that /dev/urandom was just as good as /dev/random unless someone has figured out how to break SHA-1?

If you're not feeding new entropy into your pool, SHA-1 is just as predictable as any other PRNG. Breaking SHA-1 would be necessary if you wanted to re-derive the raw PRNG input, but that's not particularly useful in this context.

I agree with you, though, that this doesn't appear to be very serious. In this case the random numbers are being used to produce a cookie for X11 authentication. Unless I'm missing something, this cookie can be sent in plaintext over the net - so the relative strength of /dev/urandom is most likely the least of your worries.

(Log in to post comments)

What's the problem?

Posted Feb 16, 2003 23:43 UTC (Sun) by Ross (subscriber, #4065) [Link]

I had read differently on the lkml a few years back. It was stated (IIRC) that /dev/urandom was safe on systems which had very little (or no) entropy gathered as long as:
1) the initial entropy pool contents were unknown to the attacker
2) SHA-1 could not be reversed

I don't see any flaws in the reasoning, but then again I'm not a cryptographer :)

Pseudo-random number generators are often weak cryptographically, but the only inherent weakness is that knowing the internal state at any point in the past will allow you to predict the output at any point in the future (assuming no re-seeding is performed).

Using /dev/random is probably better for generating keys out of paranoia. It is of course possible that someone will find a weakness in SHA.

What's the problem?

Posted Feb 19, 2003 8:28 UTC (Wed) by Peter (guest, #1127) [Link]

Well, on a scale of people who know anything about cryptographic PRNGs, I rate quite low. (:

I had read differently on the lkml a few years back. It was stated (IIRC) that /dev/urandom was safe on systems which had very little (or no) entropy gathered, so long as:
1) the initial entropy pool contents were unknown to the attacker
2) SHA-1 could not be reversed
I don't see any flaws in the reasoning, but then again I'm not a cryptographer :)

Ditto, squared. It sounds good anyway.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds