[cryptography] urandom vs random

D. J. Bernstein djb at cr.yp.to
Fri Aug 16 20:24:45 EDT 2013


Aaron Toponce writes:
> Cryptographers don't like the idea that it's possible, even if it's
> excessively remote, and highly unprobable. This is why you see suggestions
> to use /dev/random for long term SSH, SSL and OpenPGP keys.

Cryptographers are certainly not responsible for this superstitious
nonsense. Think about this for a moment: whoever wrote the /dev/random
manual page seems to simultaneously believe that

   (1) we can't figure out how to deterministically expand one 256-bit
       /dev/random output into an endless stream of unpredictable keys
       (this is what we need from urandom), but

   (2) we _can_ figure out how to use a single key to safely encrypt
       many messages (this is what we need from SSL, PGP, etc.).

For a cryptographer this doesn't even pass the laugh test.

I'm not saying that /dev/urandom has a perfect API. It's disappointingly
common for vendors to deploy devices where the randomness pool has never
been initialized; BSD /dev/urandom catches this configuration bug by
blocking, but Linux /dev/urandom (unlike Linux /dev/random) spews
predictable data, causing (e.g.) the widespread RSA security failures
documented on http://factorable.net. But fixing this configuration bug
has nothing to do with the /dev/random superstitions.

---D. J. Bernstein
   Research Professor, Computer Science, University of Illinois at Chicago


More information about the cryptography mailing list