[cryptography] urandom vs random

Aaron Toponce aaron.toponce at gmail.com
Sun Aug 18 16:53:15 EDT 2013

On Sat, Aug 17, 2013 at 12:24:45AM -0000, D. J. Bernstein wrote:
> I'm not saying that /dev/urandom has a perfect API. It's disappointingly
> common for vendors to deploy devices where the randomness pool has never
> been initialized; BSD /dev/urandom catches this configuration bug by
> blocking, but Linux /dev/urandom (unlike Linux /dev/random) spews
> predictable data, causing (e.g.) the widespread RSA security failures
> documented on http://factorable.net. But fixing this configuration bug
> has nothing to do with the /dev/random superstitions.

That paper is actually a really good read, especially for those on Fedora, CentOS,
RHEL, and other RPM-based systems, where SSH is installed by default and the
boot-time entropy hole is a real concern. But, as the paper mentions, keys
generated late after boot weren't affected, and there were vulnerable keys on
BSD systems generated with arc4random(3).

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
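The quoted text contrasts a /dev/urandom that answers before the kernel pool has ever been seeded (the boot-time hole behind the factorable.net keys) with an interface that refuses until initialization is done. The Linux answer to that gap is getrandom(2), which arrived in Linux 3.17 in 2014, after this thread, and is exposed in Python 3.6+ as os.getrandom(). The check below is an added example, not code from the message or from factorable.net: it reads /dev/urandom (which never blocks on Linux), probes getrandom(2) with GRND_NONBLOCK to learn whether the pool is seeded, and only hands out key material when the kernel has confirmed initialization.

```python
"""Added example: tell an unseeded Linux RNG apart from a seeded one.

/dev/urandom on Linux returns bytes whether or not the pool has been
initialized; getrandom(2) blocks until it has (or, with GRND_NONBLOCK,
fails with EAGAIN), which is the fail-closed behaviour a key generator
wants. Requires Linux >= 3.17 and Python >= 3.6 for os.getrandom().
"""
import os


def read_urandom(n: int) -> bytes:
    """Read n bytes from /dev/urandom.

    On Linux this succeeds even on a freshly booted box whose pool has
    never been seeded, which is exactly the trap the quoted text describes.
    """
    out = bytearray()
    with open("/dev/urandom", "rb", buffering=0) as f:
        while len(out) < n:
            chunk = f.read(n - len(out))
            if not chunk:
                raise OSError("short read from /dev/urandom")
            out += chunk
    return bytes(out)


def pool_seeded():
    """Report the kernel CSPRNG's initialization state.

    Returns True if getrandom(2) answers immediately (pool seeded),
    False if it would block (EAGAIN: pool not yet seeded), and None if
    getrandom(2) is not available here (non-Linux, or a kernel/Python
    that predates it), in which case userspace cannot tell.
    """
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False          # EAGAIN: do not generate keys yet
    except (AttributeError, OSError):
        return None           # ENOSYS or no os.getrandom(): unknown
    return True


def key_material(n: int) -> bytes:
    """Fail closed: return n key bytes only from a pool known to be seeded.

    Draws from getrandom(2) directly rather than /dev/urandom so that a
    race between the probe and the read cannot reintroduce the hole.
    """
    if pool_seeded() is not True:
        raise RuntimeError("kernel RNG not verified seeded; refusing to generate keys")
    return os.getrandom(n)


if __name__ == "__main__":
    print("urandom answered:", len(read_urandom(32)), "bytes")
    state = pool_seeded()
    print("pool seeded:", state)
    if state:
        print("key material ok:", len(key_material(32)), "bytes")
```

On a long-running machine pool_seeded() returns True and the two interfaces behave identically; the difference only shows up in the first seconds after boot, or inside a VM image cloned without a saved seed, where read_urandom() still returns bytes while key_material() refuses.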
