Date:      Tue, 14 Jul 2015 14:30:17 +0100
From:      Vsevolod Stakhov <vsevolod@FreeBSD.org>
To:        Yuri <yuri@rawbw.com>, Freebsd hackers list <freebsd-hackers@freebsd.org>
Subject:   Re: Does /dev/random in virtual guests provide good random data?
Message-ID:  <55A50EE9.1020900@FreeBSD.org>
In-Reply-To: <55A3763B.7010303@rawbw.com>
References:  <55A2FB68.3070006@rawbw.com> <CCCC361E-70E1-4BA4-9765-65653F40DBC7@kientzle.com> <55A3763B.7010303@rawbw.com>

On 13/07/2015 09:26, Yuri wrote:
> On 07/12/2015 18:14, Tim Kientzle wrote:
>>     http://www.2uo.de/myths-about-urandom/
>>
>> In particular, it has this interesting comment:
>>
>>       FreeBSD does the right thing: they don't have the distinction
> 
> There are two approaches in random stream generation. One is to have the
> sufficient random seed, and keep generating the following pseudo-random
> numbers only from this seed. The second approach is to also continuously
> feed the stream from some external source of entropy.
> 
> The fact that the long running Linux VM still blocks on /dev/random
> indicates that Linux tries to collect more entropy on the go, following
> the latter approach (intuitively I would also agree this is better for
> randomness).
> 
> So it isn't clear why FreeBSD random stream would be of the same
> quality, if it doesn't collect entropy on the go. Because both Linux and
> BSD have exactly the same entropy sources in VM.

That's *not* the correct description of how modern PRNGs work. In both
Linux and FreeBSD there is a single pool or multiple pools of entropy that
are seeded from many entropy sources (the algorithm of entropy
distribution among pools can vary). These pools are used to seed the
generator, which subsequently generates blocks of pseudo-random data. A
cryptographic PRF (such as AES-CTR) is used as the generator, hence, by
definition, there is no *efficient* way to distinguish its output from
purely random data. Moreover, since it is seeded with true random data, an
attacker cannot predict the subsequent data without controlling *all*
entropy sources in the system.

The key difference between FreeBSD and Linux is that in Linux,
/dev/urandom *never* blocks which is bad: on boot, when there is no
entropy gained, it is really a bad idea to generate something like SSH
keys. On the contrary, FreeBSD /dev/urandom will *block* if there is no
entropy in the pools.

In conclusion, it is always safe to use both /dev/random and
/dev/urandom in FreeBSD, and it is safe to use /dev/urandom in Linux
almost all the time but not before the initial entropy harvesting that
occurs on boot (but you can check the amount of entropy in the pools
prior to generating something sensible, e.g. key generation or DSA/ECDSA).

There are some improvements in the Fortuna algorithm that is going to
replace Yarrow in HEAD. They are negligible for most systems but
are quite useful for low-entropy systems (but there are no practical
attacks on Yarrow either, AFAIK).

-- 
Vsevolod Stakhov
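As an added illustration of the pool-then-generator design described in the reply above (example code written for this page, not code from FreeBSD or from anyone in the thread): a toy pool-seeded PRNG that refuses to emit output until its pool has collected a minimum entropy estimate, mirroring the FreeBSD behaviour of blocking on /dev/urandom while the pools are empty. HMAC-SHA256 in counter mode stands in for AES-CTR, the 256-bit threshold and the caller-supplied entropy estimates are assumptions, and "blocking" is modelled as an exception.

```python
import hashlib
import hmac


class NotSeededError(RuntimeError):
    """Output was requested before the pool had collected enough entropy."""


class PoolPRNG:
    """Toy pool-seeded generator: events go into a hash pool, the pool seeds a
    key, and output blocks come from a PRF in counter mode (HMAC-SHA256 here,
    standing in for AES-CTR). Entropy estimates are supplied by the caller."""

    MIN_SEED_BITS = 256  # assumed threshold before the first output is allowed

    def __init__(self) -> None:
        self._pool = hashlib.sha256()
        self._entropy_bits = 0  # running estimate of entropy folded into the pool
        self._key = None
        self._counter = 0

    def add_entropy(self, source_id: int, event: bytes, bits: int) -> None:
        """Fold one event from a numbered source into the pool."""
        self._pool.update(bytes([source_id]) + len(event).to_bytes(2, "big") + event)
        self._entropy_bits += bits

    def is_seeded(self) -> bool:
        return self._key is not None

    def reseed(self) -> None:
        """Derive a new generator key from the pool; refuse the first seed if short."""
        if not self.is_seeded() and self._entropy_bits < self.MIN_SEED_BITS:
            raise NotSeededError(f"{self._entropy_bits} bits in pool, need {self.MIN_SEED_BITS}")
        # Mix the old key in so a later reseed does not discard earlier entropy.
        self._key = hashlib.sha256((self._key or b"") + self._pool.digest()).digest()
        self._pool = hashlib.sha256()
        self._entropy_bits = 0
        self._counter = 0

    def read(self, n: int) -> bytes:
        """Return n bytes; like FreeBSD's /dev/urandom, refuse rather than emit
        output from an unseeded generator."""
        if not self.is_seeded():
            self.reseed()
        out = bytearray()
        while len(out) < n:
            block = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            self._counter += 1
        return bytes(out[:n])
```

Two instances fed identical events produce identical output (the stream is a deterministic function of the seed), while a single differing event from any source changes the whole stream, which is the point about an attacker needing to control *all* sources.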