[ubuntu-hardened] rngd: enable hardware-supported random generators.

Seth Arnold seth.arnold at canonical.com
Wed Dec 23 07:06:47 UTC 2015


On Tue, Dec 22, 2015 at 01:46:47PM +0100, daniel curtis wrote:
> $ sudo cat /proc/sys/kernel/random/entropy_avail
> [...]
> I would like to ask if I should install, for example, 'rng-tools' [1] a
> daemon to use a Hardware TRNG? It seems, that it may also
> improve the quality (entropy) of the randomness of /dev/random.
> 
> The true reason why I'm asking is the fact that if 'entropy_avail'
> returns anything less than 100 - 200 then it is pretty bad.
> Honestly, I don't know if it is true, but I read it somewhere.

Hello Daniel,

The Linux /dev/random and /dev/urandom interfaces are tricky. There's
widespread agreement that these interfaces are needlessly difficult to
use correctly.

There's also widespread agreement that the entropy estimation used by
the Linux kernel is also very tricky. Estimating the amount of entropy
available in the different sources that are available is extremely
difficult.

There's contentious debate about the way the /dev/random interface
decreases the "amount of available entropy" when /dev/random is read. My
favorite critique of this is from DJB:
http://lists.randombit.net/pipermail/cryptography/2013-August/004983.html

djb> [...] whoever wrote the /dev/random
djb> manual page seems to simultaneously believe that
djb> 
djb>    (1) we can't figure out how to deterministically expand one 256-bit
djb>        /dev/random output into an endless stream of unpredictable keys
djb>        (this is what we need from urandom), but
djb> 
djb>    (2) we _can_ figure out how to use a single key to safely encrypt
djb>        many messages (this is what we need from SSL, PGP, etc.).
djb> 
djb> For a cryptographer this doesn't even pass the laugh test.

I don't think you need to worry about how much entropy is reported via
the entropy_avail interface unless you find programs that read from
/dev/random are blocking.

If you do have a hardware RNG, using it would certainly reduce the chances
of programs blocking due to a low entropy count. However I do not think
that having one or not would actually influence your system's security.

If you are going to measure the entropy_avail stat over time, it'd be best
to do so with a single process, re-reading the file and then sleeping in
a loop. If I've read the kernel's exec() code correctly, every exec call
decreases the amount of available entropy by 16 bytes. (This data goes
into the AT_RANDOM entry of the auxiliary vector -- see the getauxval(3)
manpage for more information.)

Thanks
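
The single-process measurement loop described in the message above, as an added example that is not part of the original message. The function names, defaults and command-line arguments are hypothetical; only the `/proc` path comes from the thread.

```python
#!/usr/bin/env python3
"""Sample entropy_avail from one long-lived process.

Each reading is a plain open()/read() in this process, so no exec() happens
between samples and the measurement itself does not trigger the per-exec
AT_RANDOM draw mentioned in the message.
"""
import sys
import time

# Path taken from the thread; the kernel reports this value in bits.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def sample_entropy(path=ENTROPY_AVAIL, count=10, interval=1.0):
    """Return a list of (unix_time, bits) readings taken `interval` s apart."""
    samples = []
    for i in range(count):
        # Reopen per sample: procfs generates the value at read time.
        with open(path) as f:
            samples.append((time.time(), int(f.read().strip())))
        if i + 1 < count:
            time.sleep(interval)  # in-process sleep, not /bin/sleep
    return samples


def summarize(samples):
    """Min, max, mean, and the largest drop between consecutive readings."""
    bits = [b for _, b in samples]
    drops = [a - b for a, b in zip(bits, bits[1:]) if b < a]
    return {
        "min": min(bits),
        "max": max(bits),
        "mean": sum(bits) / len(bits),
        "largest_drop": max(drops, default=0),
    }


if __name__ == "__main__":
    # Hypothetical CLI: optional sample count and interval in seconds.
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    dt = float(sys.argv[2]) if len(sys.argv) > 2 else 1.0
    readings = sample_entropy(count=n, interval=dt)
    for ts, bits in readings:
        print(f"{ts:.0f} {bits}")
    print(summarize(readings))
```

A shell loop around `cat` and `sleep` would run two new programs per sample, which is the perturbation the message advises avoiding.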