Re: /dev/random broken?

Robert Love (rml@tech9.net)
28 Jun 2003 19:31:42 -0700


On Sat, 2003-06-28 at 19:10, Justin Pryzby wrote:

> /dev/urandom is what you want; it makes up its own entropy. /dev/random
> uses entropy from user input (low order bits I imagine). I assume that
> this is how other unixes work, too.

Actually, no. Both device files use entropy from the same location (the
entropy pool), which is derived from the same sources (various interrupt
timings and whatnot).

The difference between the two is that /dev/random keeps track of the
inherent entropy in the pool and will block when the entropy grows too
small. This is done as protection against any possible flaws in the
one-way hash employed on outgoing data. Theoretically, if someone was
able to break SHA-1, and they obtained a sufficiently large percentage
of the output data, they could theoretically determine some theoretical
state about the entropy pool. To prevent this theoretical attack,
/dev/random will not return any data while the entropy estimate is not
positive. This ensures there is enough entropy in the pool such that,
even if a single attacker has seen all the output thus far, they cannot
learn of the pool's state.

Also, as far as other Unix systems, I think /dev/random was first in
Linux. I know Mac OS X has /dev/random and /dev/urandom, but they both
behave like Linux's /dev/urandom.

Robert Love

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/