[cryptography] urandom vs random

coderman coderman at gmail.com
Sat Aug 24 00:26:36 EDT 2013

On Thu, Aug 22, 2013 at 9:40 AM, Nico Williams <nico at cryptonector.com> wrote:
> ...
> What I'd like is for the HW RNG source configuration to be made very
> clear to users: at boot time, at login time, when source availability
> changes, and at critical secret or private key generation times.  That
> last is difficult without changing implementations of all sorts of
> things.

it is straightforward to do this, if you enforce hw entropy sources as
a requirement:

1. modify initramfs / init to load and initialize any hwrandom
modules. halt boot if hw source is not present or usable.
2. have early init perform sanity check (1-5s) of hw entropy before
continuing boot. halt if hw source is not viable.
3. modify rng daemon to exit with special value and trigger halt on
trng read failure or out of bounds statistical behavior (e.g.
continually failing trivial FIPS checks).

thus you know that hardware and other entropy sources are active and
running at boot.

thus you know that key generation is always utilizing good entropy
pool state or else host would halt. (excluding active intervention,
which may be in your threat model!)

i first implemented this in a custom kernel+initramfs for the C5/C7
VIA systems with loop-aes FDE of a slackware based system. for any of
the recent ubuntu, knoppix, tails, qubes, fedora and slack distros you
can modify the post-FDE protected init scripts to do this, with a
simple modification to the rngtools daemon and init script. (i still
use mtrngd myself ;)

there, entropy problem solved. now go worry about crypto/security
problems not from the 1970's!
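
A sketch of step 2 (early-init sanity check, halt on failure) as an added example, not the poster's own init scripts or rngtools patch; the /dev/hwrng default, the sample size and the crude stuck-source thresholds are assumptions, and a real initramfs would halt instead of returning:

```shell
#!/bin/sh
# Added example: early-init sanity check of a hardware RNG before boot continues.
# Assumptions: POSIX sh with od/awk/head/timeout (busybox or coreutils); the
# default device /dev/hwrng and the thresholds below are arbitrary choices.

hw_entropy_check() {
    dev="${1:-/dev/hwrng}"      # entropy source to test
    nbytes="${2:-4096}"         # sample size in bytes
    budget="${3:-5}"            # seconds allowed for the read (the 1-5s window)

    # The hwrng driver must have produced a readable node, or the module did not load.
    if [ ! -e "$dev" ] || [ ! -r "$dev" ]; then
        echo "hw_entropy_check: $dev missing or unreadable" >&2
        return 1
    fi

    # Read the sample under a time limit: a source that never delivers must fail,
    # not hang the boot.
    tmp=$(mktemp) || return 1
    timeout "$budget" head -c "$nbytes" "$dev" > "$tmp"

    # One awk pass over the sample: bytes read, distinct byte values, and the
    # count of the most frequent value.
    set -- $(od -An -v -tu1 "$tmp" | awk '
        { for (i = 1; i <= NF; i++) { n++; c[$i]++ } }
        END { d = 0; m = 0
              for (v in c) { d++; if (c[v] > m) m = c[v] }
              print n + 0, d, m }')
    rm -f "$tmp"
    n=$1; distinct=$2; maxfreq=$3

    # Short read: the device starved or errored within the budget.
    [ "$n" -eq "$nbytes" ] || { echo "short read: $n/$nbytes bytes from $dev" >&2; return 2; }
    # Stuck-at or near-constant output: a 4096-byte random sample shows close to
    # all 256 values, about 16 occurrences each; reject low diversity or one
    # value dominating the sample.
    [ "$distinct" -ge 128 ] || { echo "only $distinct distinct byte values" >&2; return 3; }
    [ "$maxfreq" -lt $((nbytes / 16)) ] || { echo "one value seen $maxfreq times" >&2; return 3; }
    return 0
}

# Run as HWRNG_CHECK_MAIN=1 sh thisfile [dev] [bytes] [seconds]; in an initramfs
# the failure branch would be `halt -f` rather than exit.
if [ "${HWRNG_CHECK_MAIN:-0}" = 1 ]; then
    hw_entropy_check "$@" || { echo "hardware entropy source not viable, halting" >&2; exit 1; }
fi
```

This only catches a missing, stalled or stuck source; the rng daemon's FIPS checks the post mentions are the place for proper statistical tests.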
