7

I've started some work of which requires some quality random bytes, such as 32 at a time for an initialising vector for certain cryptographic applications. My issue is, this may be called upon multiple times simultaneously and I cannot afford the block /dev/random issues to wait for more collection of entropy.

I could use it to seed other algorithms, for example what /dev/urandom may do - however I do not trust what I cannot understand, I do not have any readily available resource on its method nor do I know if it remains the same between many kernel versions, I prefer a well defined method of some sort.

Are you aware of any methods you can think of over standard PRNGs that would be suited enough to use for (simultaneous) key generation and alike?

Would certain ciphers such as RC4 with a large seed be sufficient to generate random output? (I've seen a /dev/frandom implementation that uses this, however am not entirely sure of it.)

If it means anything, I am on a headless Debian server, reason of lack of entropy gathering.

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Alexander
  • 1,053
  • 11
  • 16
  • When I was a student, a long time ago, the KISS PRNG had the reputation of fitting your criteria. I post this as a comment because I do not know if it's still considered valid. http://gcc.gnu.org/onlinedocs/gfortran/RANDOM_005fNUMBER.html – Pascal Cuoq Aug 04 '11 at 22:53
  • 1
    Probably better use something else: http://fse2011.mat.dtu.dk/rump/KISS%20A%20bit%20too%20Simple.pdf – Pascal Cuoq Aug 04 '11 at 22:59
  • There's some (old) discussion on dev/random|urandom here http://lwn.net/Articles/261804/ – nos Aug 04 '11 at 23:03
  • I appreciate this discussion, I find it fascinating. – Alexander Aug 05 '11 at 02:52
  • You can use a device like the [entropykey](http://www.entropykey.co.uk/) to ensure your headless server has a good supply of randomness. – caf Aug 18 '11 at 13:41

3 Answers3

16

The response is simple: use /dev/urandom, not /dev/random. /dev/urandom is cryptographically secure, and will not block. The "superiority" of /dev/random over /dev/urandom exist only in a specific theoretical setting which makes no sense if the random bytes are to be used with just about any "normal" cryptographic algorithm, such as encryption or signatures.

See this for more details.

(Trust me, I am a cryptographer.)

Community
  • 1
  • 1
Thomas Pornin
  • 72,986
  • 14
  • 147
  • 189
  • I've numerously really wanted to drop what I am doing and start studying cryptography in-depth, this is another one of those times. – Alexander Aug 05 '11 at 02:47
  • 1
    Valid answer, but "Trust me, I'm X" is not really a valid justification – ofaurax May 06 '21 at 09:01
1

On a modern CPU with AES hardware acceleration, you can easily reach more than 1 GiB/s of random data by encrypting a string of zeros using a random password (from /dev/urandom), as shown by another answer on serverfault. Note that the random password is passed as a pipe, so that it doesn't show up in the process list.

On my machine, this approach is roughly 100 times faster than /dev/urandom:

$ openssl enc -aes-256-ctr -pass file:<(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64) -nosalt < /dev/zero | pv > /dev/null
11.2GiB 0:00:09 [1.23GiB/s] [           <=>                           ]
$
$ # Let's look at /dev/urandom for comparison:
$ pv < /dev/urandom > /dev/null
  48MiB 0:00:04 [12.4MiB/s] [     <=>                                 ]

If you put this in a shell script, you can easily pipe it into other processes:

$ cat ~/.bin/fast_random 
#!/bin/bash
openssl enc -aes-256-ctr \
    -pass file:<(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64) \
    -nosalt < /dev/zero
Fritz
  • 1,293
  • 15
  • 27
1

Consider using a hardware random number generator. For example, the entropy key or Whirlygig. Using /dev/urandom instead will avoid blocking but may (depending on your level of paranoia) degrade security (you'll output more random bits than you have input entropy, so in theory the output is predictable - this isn't a problem if you're just using it for IVs however)

bdonlan
  • 224,562
  • 31
  • 268
  • 324
  • I've really wanted a dedicated HRNG, if I ever start to get paranoid I will try to get one of those for my machine. – Alexander Aug 05 '11 at 02:44