This is something that has frustrated me for years. There has been no interest in modernizing the Linux PRNG really ever. This article doesn't go into more depth so I don't know if it's just tacking on more entropy sources and algorithm support or a real modernization. […] have moved past the (blocking) /dev/random vs /dev/urandom to more mathematically sound solutions. (Seriously, measuring entropy?) But Torvalds, Ts'o, etc. have blocked, belittled, or ignored any movement there. It's crazy that the OS that runs all the things essentially has a roll-your-own-crypto PRNG at its core rather than relying on actual experts for that. Unfortunately, it's "good enough" to not HAVE to change.

At least once a year I hit some COTS product that craps itself under load blocking on /dev/random on a VM, causing an outage. Yes, it's a "worked on my laptop" problem, but an unnecessary rake to leave out in the garden. Use /dev/random sparingly to seed your own PRNG, change your Java config to use /dev/urandom, or (shudder) use rngd to make it seed itself.

There is a lot said for making the Linux random number generator configurable. A good entropy (random number) source takes entropy from a number of different sources and combines it with a cryptographically strong algorithm: either a strong hash whose output is made the key and IV for a stream cipher, or directly using an Extendable-Output Function (XOF) such as a cryptographic sponge.

For example, there is some controversy with the RDRAND (the x86 "give me random bits" opcode) operation, with concerns that maybe the numbers weren't truly random, and at least one known security hole where the RDRAND output could leak under some circumstances. However, it's widely available and probably makes good random bits. However, if it doesn't, we want other sources of entropy (microphone output low bits, interrupt timings, etc.) so /dev/random or /dev/urandom still gives us strong entropy even if RDRAND is completely busted.

I personally think a cryptographic sponge is ideal for this, since sponge functions have absorb, output, and duplex (absorb after output, i.e. accept new entropy from the system after outputting bits) functionality.

Last time I checked, /dev/random was receiving entropy from:

* The kernel command line string at boot.
* Every time there is an input event (mouse, keyboard...).
* By retrieving the CPU cycle counter (RDTSC on x86) from random interrupts.
* From latent entropy every time a process is created.

Latent entropy is a 64-bit unsigned that has its state modified every time a procedure with the attribute latent_entropy is executed. The latent_entropy attribute is implemented by a GCC plugin and adds random operations on the latent_entropy seed to a procedure.

void foo(bool a) __attribute__((latent_entropy))

…) and NUMBER are randomly generated at compilation time. Many kernel procedures handling interrupts have the latent_entropy attribute.

You can't truly measure randomness: by definition a true random source would have exactly the same probability to produce any sequence of bits, so given any two sequences it is impossible to say for sure that one is "more random" than another. However there are many well-accepted tests for judging that a sequence of bits is likely to be random. Basically these tests are looking for common failure modes and expected statistics that are likely to fail if your source isn't truly random (for example distribution skew, repeating patterns...).

But it is important to clarify that these tests are guesses. They have both false positives and false negatives. For example a "random number generator" that just has a large hardcoded list of random-looking values and loops over the list may pass a test if the list is long enough that the loop can't be detected, even though the values are decidedly not random. On the other hand a true random source may generate a very long sequence of zeros; the probability would be infinitesimal, but it is entirely possible and doesn't mean that the source isn't random.

> since you seem knowledgeable about this

I should probably state to be clear that I am not a cryptographer. It also depends a lot what you mean by random. I generally take "random value" to mean "a value which can not be predicted".
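The fallback that the comment about COTS products stalling on /dev/random recommends, as an added example that is not from the thread: open the blocking device O_NONBLOCK so an empty pool surfaces as EAGAIN instead of a hang, then take /dev/urandom. The /proc path and device names are the Linux ones; where they do not exist the code degrades to os.urandom.

```python
import os

# Added example (not from the thread): read seed material without risking the
# unbounded stall the comment describes. On older kernels /dev/random blocks
# when its entropy estimate reaches zero; opening it O_NONBLOCK turns that
# stall into a BlockingIOError the caller can recover from.

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux only


def entropy_avail():
    """Kernel's entropy estimate in bits, or None where the file does not exist."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except OSError:
        return None


def read_device_nonblocking(path: str, n: int):
    """Read n bytes from a device opened O_NONBLOCK.

    Returns the bytes, or None if the device is missing or would have
    blocked (EAGAIN). Never stalls the caller.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = bytearray()
        while len(buf) < n:
            try:
                chunk = os.read(fd, n - len(buf))
            except BlockingIOError:
                return None  # pool empty: exactly where a naive reader hangs
            if not chunk:
                return None
            buf += chunk
        return bytes(buf)
    finally:
        os.close(fd)


def seed_material(n: int):
    """Seed an application PRNG: /dev/random only if it answers at once,
    otherwise /dev/urandom (never blocks once the kernel pool is initialised),
    otherwise the portable os.urandom. Returns (bytes, source_used)."""
    data = read_device_nonblocking("/dev/random", n)
    if data is not None:
        return data, "/dev/random"
    data = read_device_nonblocking("/dev/urandom", n)
    if data is not None:
        return data, "/dev/urandom"
    return os.urandom(n), "os.urandom"


if __name__ == "__main__":
    print("entropy_avail:", entropy_avail())
    data, src = seed_material(32)
    print(f"{len(data)} bytes from {src}")
```

For the Java case the comment mentions, the equivalent switch is the `securerandom.source` property in the JDK's `java.security` file (or `-Djava.security.egd=file:/dev/./urandom` on the command line; the `/dev/./urandom` spelling exists because old JDKs special-cased the plain path). On kernels 5.6 and later /dev/random no longer blocks after initialisation, so the non-blocking read above simply succeeds there.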
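An added example, not from the thread and not the kernel's code, of the absorb/output/duplex pool the sponge comment describes, built on SHAKE256 (the SHA-3 XOF in Python's hashlib). The source names, the all-zero "busted RDRAND" bytes and the two timing captures are constructed for the demo; the jitter sampler is a userland stand-in for the interrupt timings in the /dev/random source list, not a real interrupt source.

```python
import hashlib
import struct
import time

# Added example (not the kernel's code, not from the thread): an entropy pool
# built on SHAKE256, exposing the three sponge operations the comment asks
# for: absorb, output (squeeze) and duplex (absorb again after output).
# Source names and sample bytes below are constructed.


class XofEntropyPool:
    STATE_BYTES = 32  # 256-bit pool state

    def __init__(self, domain: bytes = b"xof-entropy-pool-example"):
        self.state = hashlib.shake_256(domain).digest(self.STATE_BYTES)

    def absorb(self, source: str, data: bytes) -> None:
        """Fold data from a named source into the state.

        Everything is length-prefixed so source boundaries are unambiguous;
        a source that only ever returns zeros adds nothing, but it also
        cannot cancel or mask what the other sources contributed.
        """
        h = hashlib.shake_256()
        h.update(self.state)
        h.update(struct.pack(">I", len(source)) + source.encode())
        h.update(struct.pack(">Q", len(data)) + data)
        self.state = h.digest(self.STATE_BYTES)

    def squeeze(self, n: int) -> bytes:
        """Output n bytes, then ratchet the state forward.

        Output and successor state are derived from the old state under
        different tags, so a later compromise of the pool does not expose
        earlier output.
        """
        out = hashlib.shake_256(self.state + b"\x00squeeze").digest(n)
        self.state = hashlib.shake_256(self.state + b"\x01ratchet").digest(self.STATE_BYTES)
        return out


def timing_jitter(samples: int = 256) -> bytes:
    """Userland stand-in for interrupt timings: low byte of the delta between
    consecutive high-resolution clock reads. Illustrative only; no entropy
    estimate is made for it here."""
    out = bytearray()
    last = time.perf_counter_ns()
    for _ in range(samples):
        now = time.perf_counter_ns()
        out.append((now - last) & 0xFF)
        last = now
    return bytes(out)


def mix(sources, n: int) -> bytes:
    """Absorb every (name, bytes) pair in order, then squeeze n bytes."""
    pool = XofEntropyPool()
    for name, data in sources:
        pool.absorb(name, data)
    return pool.squeeze(n)


# Constructed inputs: RDRAND is "completely busted" (all zeros) while two
# different interrupt-timing captures stand in for a working second source.
BUSTED_RDRAND = bytes(32)
TIMINGS_A = bytes(range(0, 64))
TIMINGS_B = bytes(range(64, 128))


def duplex_matters() -> bool:
    """Absorbing new entropy after an output must change the next output."""
    p1, p2 = XofEntropyPool(), XofEntropyPool()
    for p in (p1, p2):
        p.absorb("irq", TIMINGS_A)
        p.squeeze(16)
    p1.absorb("irq", TIMINGS_B)  # only p1 sees new entropy after output
    return p1.squeeze(16) != p2.squeeze(16)


def demo_busted_rdrand() -> dict:
    """The properties a reviewer would check on such a pool."""
    a = mix([("rdrand", BUSTED_RDRAND), ("irq", TIMINGS_A)], 32)
    b = mix([("rdrand", BUSTED_RDRAND), ("irq", TIMINGS_B)], 32)
    return {
        "deterministic": a == mix([("rdrand", BUSTED_RDRAND), ("irq", TIMINGS_A)], 32),
        "busted_source_does_not_flatten_output": a != b,
        "duplex_changes_next_output": duplex_matters(),
    }


if __name__ == "__main__":
    live = mix([("rdrand", BUSTED_RDRAND), ("jitter", timing_jitter())], 32)
    print("32 bytes from pool:", live.hex())
    print(demo_busted_rdrand())
```

The design point is that output quality is bounded below by the best source absorbed, not the worst: the all-zero RDRAND bytes change the state deterministically but cannot undo the contribution of the timing bytes, and the duplex step means entropy that arrives after the first output still improves everything after it.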
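An added example, not from the thread, of the point in the last comment: two NIST SP 800-22 style statistics (frequency/monobit and runs) plus a crude period detector, run over an all-zero stream, a hardcoded table replayed in a loop, and a live os.urandom sample. The table, its seed and the loop count are constructed; the table is deliberately searched so that it looks clean on its own, which is what the author of such a fake generator would do.

```python
import functools
import hashlib
import math
import os

# Added example (not from the thread): monobit and runs statistics and a
# period check over three constructed inputs, to show what such tests can
# and cannot tell you about a source.


def bits_of(data: bytes) -> list:
    """Unpack bytes into 0/1 ints, least significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(8)]


def monobit_p(bits: list) -> float:
    """Frequency test: are 0s and 1s balanced? Returns a p-value."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(bits: list) -> float:
    """Runs test: do bit flips occur about as often as expected? p-value."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # NIST prerequisite: a skewed sequence fails outright
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def detect_period(data: bytes, max_period: int):
    """Smallest p <= max_period with data[i] == data[i-p] for all i, else None."""
    for p in range(1, min(max_period, len(data) - 1) + 1):
        if data[p:] == data[:-p]:
            return p
    return None


@functools.lru_cache(maxsize=None)
def clean_table(nbytes: int, seed: bytes) -> bytes:
    """Constructed 'hardcoded list' for a fake RNG: try SHAKE256 outputs until
    one passes both tests comfortably (p > 0.5) on its own."""
    for ctr in range(100000):
        table = hashlib.shake_256(seed + ctr.to_bytes(4, "big")).digest(nbytes)
        bits = bits_of(table)
        if monobit_p(bits) > 0.5 and runs_p(bits) > 0.5:
            return table
    raise RuntimeError("no clean table found")


def analyze(data: bytes, max_period: int) -> dict:
    bits = bits_of(data)
    return {"monobit_p": monobit_p(bits), "runs_p": runs_p(bits),
            "period": detect_period(data, max_period)}


TABLE_BYTES = 4096  # constructed size of the fake generator's table
LOOPS = 4           # constructed: how many times it is replayed


def fake_rng_stream() -> bytes:
    """The comment's counterexample: a fixed table replayed in a loop."""
    return clean_table(TABLE_BYTES, b"constructed-table-seed") * LOOPS


def demo() -> dict:
    samples = {
        "all_zeros": bytes(TABLE_BYTES * LOOPS),        # a true source could emit this
        "looped_table": fake_rng_stream(),              # deterministic, yet passes
        "os_urandom": os.urandom(TABLE_BYTES * LOOPS),  # live sample for comparison
    }
    return {name: analyze(data, 2 * TABLE_BYTES) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:13s} monobit p={r['monobit_p']:.3f} "
              f"runs p={r['runs_p']:.3f} period={r['period']}")
```

The looped table passes both statistics at the usual 0.01 threshold even though it is completely predictable, and only the period check exposes it; the all-zero stream fails both even though a true source could, with negligible probability, emit it. One detail the comment does not mention: replaying a table multiplies its monobit statistic by the square root of the number of repeats, so the fake has to use a clean table and a small loop count to survive, which is why the search and the small LOOPS value are there.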