Random number generation in kernel space was implemented for the first time for Linux in 1994 by Theodore Ts'o. The implementation used secure hashes rather than ciphers, to avoid cryptography export restrictions that were in place when the generator was originally designed. The implementation was also designed with the assumption that any given hash or cipher might eventually be found to be weak, and so the design is durable in the face of any such weaknesses. Fast recovery from pool compromise is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system.

In Ts'o's implementation, the generator keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created. When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered. The intent is to serve as a cryptographically secure pseudorandom number generator, delivering output with entropy as large as possible. This is suggested by the authors for use in generating cryptographic keys for high-value or long-term protection. A counterpart to /dev/random is /dev/urandom ("unlimited"/non-blocking random source), which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from /dev/random. While /dev/urandom is still intended as a pseudorandom number generator suitable for most cryptographic purposes, the authors of the corresponding man page note that, theoretically, there may exist an as-yet-unpublished attack on the algorithm used by /dev/urandom, and that users concerned about such an attack should use /dev/random instead. However, such an attack is unlikely to come into existence, because once the entropy pool is unpredictable it does not leak security by a reduced number of bits.

It is also possible to write to /dev/random. This allows any user to mix random data into the pool. Non-random data is harmless, because only a privileged user can issue the ioctl needed to increase the entropy estimate.

The current amount of entropy and the size of the Linux kernel entropy pool, both measured in bits, are available in /proc/sys/kernel/random/ and can be displayed by the commands cat /proc/sys/kernel/random/entropy_avail and cat /proc/sys/kernel/random/poolsize respectively.

Gutterman, Pinkas, & Reinman in March 2006 published a detailed cryptographic analysis of the Linux random number generator in which they describe several weaknesses. Perhaps the most severe issue they report is with embedded or Live CD systems, such as routers and diskless clients, for which the bootup state is predictable and the available supply of entropy from the environment may be limited. For a system with non-volatile memory, they recommend saving some state from the RNG at shutdown so that it can be included in the RNG state on the next reboot. In the case of a router for which network traffic represents the primary available source of entropy, they note that saving state across reboots "would require potential attackers to either eavesdrop on all network traffic" from when the router is first put into service, or obtain direct access to the router's internal state. This issue, they note, is particularly critical in the case of a wireless router whose network traffic can be captured from a distance, and which may be using the RNG to generate keys for data encryption.

The Linux kernel provides support for several hardware random number generators, should they be installed. The raw output of such a device may be obtained from /dev/hwrng. With Linux kernel 3.16 and newer, the kernel itself mixes data from hardware random number generators into /dev/random on a sliding scale based on the definable entropy estimation quality of the HWRNG. This means that no userspace daemon, such as rngd from rng-tools, is needed to do that job. With Linux kernel 3.17+, the VirtIO RNG was modified to have a default quality defined above 0, and as such, is currently the only HWRNG mixed into /dev/random by default. The entropy pool can be improved by programs like timer_entropyd, haveged, randomsound etc. Hardware random number generators such as the Entropy Key can also be used with rng-tools.
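The distinction between an unprivileged write to /dev/random (data is mixed in, the estimate is untouched) and the privileged RNDADDENTROPY ioctl (data is mixed in and credited), together with the /proc entropy counters, as an added example that is not part of the original article. It assumes Linux on x86 or arm64, where the kernel's _IOC() encoding yields the ioctl numbers computed below; the helper names are this example's own.

```python
import fcntl
import os
import struct

# ioctl request numbers from <linux/random.h>, built the way the kernel's _IOC()
# macro does (dir<<30 | size<<16 | type<<8 | nr) on x86/arm64 (assumed here):
#   RNDGETENTCNT  = _IOR('R', 0x00, int)     -> 0x80045200
#   RNDADDENTROPY = _IOW('R', 0x03, int[2])  -> 0x40085203
_IOC_WRITE, _IOC_READ = 1, 2

def _ioc(direction, ioc_type, nr, size):
    return (direction << 30) | (size << 16) | (ord(ioc_type) << 8) | nr

RNDGETENTCNT = _ioc(_IOC_READ, "R", 0x00, 4)
RNDADDENTROPY = _ioc(_IOC_WRITE, "R", 0x03, 8)

def pack_rand_pool_info(entropy_bits, data):
    """Build struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.
    entropy_count is the credit in bits; refuse to credit more than the data holds."""
    if not 0 <= entropy_bits <= len(data) * 8:
        raise ValueError("entropy credit must be between 0 and 8*len(data) bits")
    return struct.pack("ii", entropy_bits, len(data)) + data

def read_entropy_stats(base="/proc/sys/kernel/random"):
    """(entropy_avail, poolsize) in bits, the same values the cat commands print."""
    with open(os.path.join(base, "entropy_avail")) as f:
        avail = int(f.read())
    with open(os.path.join(base, "poolsize")) as f:
        size = int(f.read())
    return avail, size

def mix_unprivileged(data):
    """Any user may write to /dev/random: the bytes are mixed into the pool but the
    entropy estimate is NOT raised, which is why junk input cannot weaken the pool."""
    fd = os.open("/dev/random", os.O_WRONLY)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)

def credit_entropy_privileged(data, entropy_bits):
    """Mix data AND raise the estimate. Needs CAP_SYS_ADMIN; an unprivileged caller
    gets PermissionError (EPERM) from the kernel, so the estimate stays honest."""
    fd = os.open("/dev/random", os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, pack_rand_pool_info(entropy_bits, data))
    finally:
        os.close(fd)
    return entropy_bits
```

Calling credit_entropy_privileged as a normal user raises PermissionError, while mix_unprivileged succeeds for everyone; compare read_entropy_stats() before and after each call to see which path the kernel credits.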