Linux Servers' Entropy Pool Too Shallow, Compromising Security

The BBC reports that Black Hat presenters Bruce Potter and Sasha Woods described at this year's Black Hat Briefings a security flaw in Linux servers: too few events are feeding the entropy pool from which random numbers are drawn, which leaves the systems "more susceptible to well-known attacks." Unfortunately, [Potter] said, the entropy of the data streams on Linux servers was often very low because the machines were not generating enough raw information for them. Also, he said, server security software did little to check whether a data stream had high or low entropy. These pools often ran dry leaving encryption systems struggling to get good seeds for their random number generators, said Mr Potter. This might meant they were easier to guess and more susceptible to a brute force attack because seeds for new numbers were generated far less regularly than was recommended. Update: 08/10 01:05 GMT by T : Please note that Sasha Woods' name was mis-reported as Sasha Moore; that's now been changed in the text above.

Random

So a random number walks into a bar. The barman says, "I was expecting you"

Re:Random

[darkain]

My dice rolls are pretty random... https://xkcd.com/221/

Re:Random

[fisted]

And your references are pretty stale.

cat videos for enthropy

Server rooms could have cameras filming cats to generate more entropy from.

Re:cat videos for enthropy

Subject: 01
Location: Window sill
Energy State: 0

Re:cat videos for enthropy

I was going to suggest using the contents of text messages from teenagers... but cat videos sound good also!

Re:cat videos for enthropy

And when all the cats decide to catnap at the same time?

Re:cat videos for enthropy

"Attack by catnip"

Re:cat videos for enthropy

[PPH]

Cats are too predictable

Re:cat videos for enthropy

[Sponge+Bath]

Film Schrödinger's cat. Until someone watches the film the seed will exist in a superposition of states.

Re: cat videos for enthropy

Nah, there is too little entropy in them. It's all LOLs and the same 25 abbreviations.

Re:cat videos for enthropy

[pi_rules]

SGI once did that with lava lamps. https://en.wikipedia.org/wiki/...

It wasn't a very serious project but I found it interesting and creative.

Re:cat videos for enthropy

[davester666]

There's always somebody who just has to look.

Re:cat videos for enthropy

[HiThere]

There was one with a bunsen burner, too. I think that one generated more entropy, but, of course, it also burned more gas.

SubjectsInCommentsAreStupid

[lesincompetent]

That's why i use
http://www.issihosts.com/haveg...
Wouldn't it be also beneficial to enlarge the pool size from the current 1024?

Re:SubjectsInCommentsAreStupid

I use https://github.com/waywardgeek...

Cheap, reasonable bitrate hardware TRNG, for adding entropy. Entirely open source (code and hardware) with plenty of documentation about how it works.

Not True

I wrote a software that used billions of random numbers drawn from /dev/urandom. Not only were they all unique when used as hashes of reasonable specific width in memory, but also when stored for permanent storage in databases over an extended period. Sure, that's not a good idea, but at the time the only solution we had. I think /dev/urandom is pretty good.

Re:Not True

Of course it is. Unless you're generating crypto keys and need to have a control over available entropy, there is absolutely no reason to use /dev/random instead of /dev/urandom. And you absolutely shouldn't use /dev/random when you don't have to, as it's able to create system-wide problems when used improperly.

Re:Not True

I wrote a software that used billions of random numbers drawn from /dev/urandom. Not only were they all unique when used as hashes of reasonable specific width in memory, but also when stored for permanent storage in databases over an extended period. Sure, that's not a good idea, but at the time the only solution we had. I think /dev/urandom is pretty good.

When you don't know what you're talking about, it's best to keep your mouth shut so as not to let everyone else know.

1,2,3,4... ad infinitum are ALL unique, but not random.

Re:Not True

[ultranova]

When you don't know what you're talking about, it's best to keep your mouth shut so as not to let everyone else know.

That's very rarely true. The typical result of showing ignorance is being corrected. What do you gain by keeping up (false) appearances?

Re:Not True

You gain something that is very important and valuable in our society: appearances.

Re:Not True

actually you might be misreading the post.

Although maybe he is getting this wrong, but the way I read it is he generated a large amount of random numbers from /dev/urandom
then creating a frequency plot, each result was unique.

your example of 1,2,3,4, ad infinitum being 'unique' is a misnomer. He's not saying the SET of numbers FROM which random numbers are drawn are unique, he's saying the RESULT of extracting billions of random numbers from /dev/urandom resulted in unique numbers.

i.e the set is all integers (1,2,3...n)
the set of random numbers he generated was (x,y,z,...k)
for each i in random number generated set, it exists once and only once in the set

Re:Not True

Yes, but that's not the point.

The point is that the question remains whether the unique set of numbers was actually sufficiently random or not. The sub-point being that a very large number (well, infinitely many, actually) of different sets of unique numbers are not random at all. As soon as you know the pattern, you immediately know exactly what came before and what comes after any given number in the set.

So, regardless of uniqueness, was the set (or were the sets, if plural) actually sufficiently random?

Re:Not True

Of course it was sufficiently random, otherwise those billions of numbers would not have been unique. I cannot mention the exact bit depth here since that would reveal the purpose. I'm not allowed to talk about my work.

Re:Not True

Of course it was sufficiently random, otherwise those billions of numbers would not have been unique.

But randomness and uniqueness have nothing to do with each other. As the second Anonymous Coward mentioned, the sequence: 1, 2, 3, 4, ... continues until infinity without ever repeating but it's not random at all. Once you figure out the sequence, you can figure out the outcome. This is not what a random number generator is. To satisfy randomness you don't need to have uniqueness.

Re: Not True

Your "of course" tells me you're not paying attention.

1, 2, 3, 4, etc are all unique. But is the set random? Just having unique numbers is insufficient to answer that.

Re: Not True

Also, what are the odds of drawing billions of random numbers without getting a single duplicate? That seems fishy. Hard to say how hard or easy without knowing the details.

Re: Not True

[david_thornley]

How many possible values are there? If you randomly draw billions our of only quadrillions, you're likely to get a collision or two.

Screw that petty layman random number generation

[Opportunist]

Time to go pro.

The pool's supposed to be a cache of entropy...

When the pool runs out, it has to GENERATE a new psuedorandom number. It doesn't "weaken" the randomness. And they call themselves security researchers...if this is what graces BlackHat these days...it's not worth the time of day as it's not even to 2600 standards.

Re:The pool's supposed to be a cache of entropy...

[cheater512]

Unless it is using /dev/urandom of course in which the security will decrease, but it won't block the app.

Which is why you never use /dev/urandom for crypto, and you never use /dev/random for a dice rolling app.

Re:The pool's supposed to be a cache of entropy...

[dkasak]

This is completely wrong. Modern cryptographically secure PRNGs can generate practically unpredictable sequences of as many numbers you'd like from an initial seed of >= 256 bits of entropy. This is actually how modern cryptography works in general: you wouldn't expect a 256-bit AES key to suddenly become insecure and predictable after encrypting a certain amount of data, would you? Why would a CSPRNG be any different?

In fact, both /dev/random and /dev/urandom are CSPRNGs. /dev/random is *not* a true RNG. It's just a CSPRNG that tries to reseed constantly and blocks when it can't based on an /estimate/ of the available entropy, but this constant reseeding is unnecessary for the same reason that we don't have to cycle AES keys constantly. It may make things harder for some contrived threat model when the attacker is able to glean your PRNG state periodically, but the practicality of this model is doubtful. djb has a very good article on this.

For once, Potter or so

[udippel]

have something useful to contribute. And not mess up whole eco-systems. ;-)

Re: For once, Potter or so

[Ukab+the+Great]

Two points for gryffindoor

Virtualization

[DarkOx]

How much of this problem is due to old assumptions about running on real hardware? That is to say the entropy pool is fed from lots of sources most of them system devices. Is this just an unintended consequence of running on cut down virtual hardware platforms?

Re:Virtualization

[swillden]

How much of this problem is due to old assumptions about running on real hardware? That is to say the entropy pool is fed from lots of sources most of them system devices. Is this just an unintended consequence of running on cut down virtual hardware platforms?

The researchers specifically addressed virtualization in the talk, providing different measurements of entropy available on real vs virtual machines. Real machines generate roughly twice as much entropy per unit of time, but both generate 2-3 orders of magnitude less than systems consume. However, as I noted in my other lengthy post, it's not clear that this really matters.

Re:Virtualization

It is well known to any expert that when you run virtualized, you must make sure that enough entropy is available in the VMs. This person has not found a defect in Linux, but one in virtualization software and set-ups.

Re:Virtualization

[lsatenstein]

How much of this problem is due to old assumptions about running on real hardware? That is to say the entropy pool is fed from lots of sources most of them system devices. Is this just an unintended consequence of running on cut down virtual hardware platforms?

The researchers specifically addressed virtualization in the talk, providing different measurements of entropy available on real vs virtual machines. Real machines generate roughly twice as much entropy per unit of time, but both generate 2-3 orders of magnitude less than systems consume. However, as I noted in my other lengthy post, it's not clear that this really matters.

How significant are these corner cases? It seems to me that the problem is critical only after a reboot. The warning is for some software that starts on reboot and that requires some random bytes. Can that software be made to wait two or three minutes to allow entropy to build up? (Systemd allows deferring the autostart of a program by some amount of time after a reboot. SystemD can be used as well in the Virtual system that is restarted at reboot time).

All I understand from the notice is that programmers should know about this corner case. The LInux man page states..." /dev/urandom should be used for everything except long-lived GPG/SSL/SSH keys." Nothing wrong with adding to the man page about Blackhat unproven statements.

Re:Virtualization

[swillden]

Can that software be made to wait two or three minutes to allow entropy to build up?

Even better, the software can be made to watch the entropy pool (there's an ioctl for that) and wait until there's enough. And it can also be made to re-seed periodically while running in order to limit any vulnerability arising from bad estimates early.

Old News.

This problem has been around forever, use a better software implementation or just use a hardware PRNG to generate more entropy like everyone else.

Re:Screw that petty layman random number generatio

But it is running windows XP

When is not enough entropy a problem?

[Sits]

For the interested: Understanding-And-Managing-Entropy-Usage Whitepaper Black Hat whitepaper.

So it seems this is the classic problem that (Linux) programmers are told to use /dev/urandom (which never blocks) and some programs are doing so at system startup thus there's the opportunity for there to be "insufficient" randomness because not enough entropy has been gathered at that point in time. In short: using /dev/urandom is OK but if you are using it for security purposes you should only do it after /dev/random would have stopped blocking for a given amount of data for the first time since system startup (but there's no easy way to determine this on Linux). Or is there? Since the v3.17 kernel there is the getrandom syscall which has the beahviour that if /dev/urandom has never been "initialised" it will block (or can be made to fail right away by using flags). More about the introduction of the Linux getrandom syscall can be read on the always good LWN. And yes the BSD's had defences against this type situation first :-)

So this is bad for Linux systems that make security related "things" that depend on randomness early in startup but there may be mild mitigations in real life. If the security material is regenerated at a later point after boot there may be enough entropy around. If the the system is rebooted but preserves entropy from the last boot this may be mitigated for random material generated in subsequent boots (so long as the material was generated after the randomness was reseeded). If entropy preservation never takes place then regeneration won't help early boot programs. If the material based on the randomness is never regenerated then again this doesn't help. If you take a VM image and the entropy seed isn't reset then you've stymied yourself as the system believe it has entropy that it really doesn't.

Not just virtualization

[Sits]

Virtualization is a strong candidate because everything can be so samey but it can happen on real hardware too - imagine a trying to generate randomness on a basic MIPS based home router with flash based disks, no hardware RNG, typically booting from a fixed extract RAM disk install and doesn't have hardware clock to save time when powered off but makes ssh certs early during its first boot...

Re:Not just virtualization

Does it not harvest entropy from the data packets? Why the hell not? The flash ads served with porn are an excellent source of entropy (not the content, but the inconsistent delivery rate). I have been researching entropy from porn, and I can prove it exceeds the enropy from cat videos, providing, of course, you exclude Schroedinger;s cat, which can contribute at most, one bit.

Re: Not just virtualization

Linux security devs though that using packet timings was insecure and so removed it as an entropy source some time ago. They took out some other entropy sources they thought could be manipulated too.

The result is that systems are lacking the entropy needed for secure operation.

Seems like they threw the baby out with the bath water to me.

Myths about urandom

[hankwang]

This article, Myths about urandom, explains why it's generally silly to worry about dried-up entropy pools. There are two scenarios where this might be an issue:

1. There is a compromise that allows an attacker to calculate the internal state of the PRNG.
1a. That could be because the PRNG is leaking information about its internal state through its output. That would be really bad, but there are no known or suspected attacks.
1b. The server is compromised in some other way. Then it wouldn't matter whether it's /dev/urandom or /dev/random; you are hosed anyway.

2. There is no 'true' entropy at all, which could happen on a server which does not store its internal state between reboots and which does not manage to gather 512 bits of true entropy-generating interactions between boot time and the first use of /dev/urandom. This would be an issue only in very specific use cases, certainly not as generic as TFA suggests.

Re:Myths about urandom

Jesus, what a wall of text. They couldn't fit their argument into 140 characters? Ain't nobody got time to read all of that.

Re:Myths about urandom

[Forever+Wondering]

Thanks for posting the link. It's so good, IMO, that I had it in my bookmarks. It points out that the entropy is fed to the CSPRNG.

Disclaimer: I'm not a crypto guy, but I do read a fair amount about it.

One CSPRNG algorithm is to use a CBC cipher in "counting mode". That is, run 1, 2, 3, ... through the CBC and use the output of that. You start with a random key. But, the security of the CSPRNG is based on breaking the CBC (e.g. finding the key) from the output of the CSPRNG/CBC that is the "random" that /dev/random gets. Later, as some true entropy bits arrive, the key is periodically refreshed/modified.

Thus, the CSPRNG can "free run" for quite a while before needing the key to be refreshed (e.g for an N bit CBC, it's 2**(N/2)). So, it provides plenty of random bits. And, because the key is changed randomly, based on the entropy bits, it's changed long before someone watching the output of the CSPRNG has enough data to get the key used.

There are a number of different entropy sources. Timer interrupts, disk interrupts, network card interrupts, rdrand instruction, etc. Even for something that seems highly predictable/periodic such as a timer interrupt at 1000 Hz, it still adds some entropy because if you take an [x86] TSC upon entry to the timer ISR [the TSC has a resolution of better than 1ns], you'll still get some variation in the deltas for this, because you won't always enter the ISR in exactly the same amount of time.

So, if you take TSCs at entry/exit of ISRs for timer, disks, network, etc. (or TSCs in other parts of the kernel) even for fixed/predictable data rates for these devices, the actual TSC deltas will vary a bit, enough to provide some entropy. This doesn't even include gleaning entropy from TSC deltas between these various sources.

So, IMO, Potter et. al. is assuming a fairly naive way to get entropy bits and is underestimating the number of reliable entropy bits you can use if you really look at how Linux derives them.

And, some of the entropy can be used to decide how and how often the CBC key is modified.

Thus, just looking at the absolute raw entropy sources and saying they don't provide enough entropy (vs. a pure hardware white noise source) isn't really true in practice.

Entropy as a service

I admit to running a server that does not do much in the way of actual work. It would be nice if entropy was offered as a service by the hosting provider.

Re:Entropy as a service

[heldal]

https://www.random.org?

Re: Entropy as a service

That's a really terrible idea, just like outsourcing the generation of your security keys would be.

We've Been Complaining About That For Years

[Greyfox]

There's just no more entropy, man! Entropy isn't what it used to be!

But I have a solution! A good solution! A GREAT solution! Behold! Yes, a banana! As we all know, bananas are radioactive! So all we need to do is attach a particle detector to our computer and put a bunch of bananas right on top! Boom! Bananarand! You'll just need to remember to change your bananas out every so often as their half-life is very short. After about a week your bananas will decay into fruit fly particles (I'm not a nuclear scientist, I just play one on TV.)

All right fine, if you don't want to use a banana, United Nuclear has some lovely uranium samples for sale at the moment. Pretty sure you get on a list if you actually order one. Possibly if you click on that link. The radioactive Fiestaware they're selling would probably also work. While you're there, check out their selection of EXTREMELY DANGEROUS MAGNETS!

Virtualization and Cloud issue

[ehiris]

This is very true now that everything goes towards virtualization and clouds. Systems in the cloud are especially susceptible to low entropy issues.
Companies like Amazon and Google should step up and provide true hardware entropy sources for systems that they host.
And it's a known problem because there was chatter about it for years yet no-one stepped up.
Hopefully exposure at Black Hat will finally get them to do something about it.

Re: Virtualization and Cloud issue

[guruevi]

People have already solved that problem eg using havege. I run entropy feeders on all my virtual hosts which helps a lot since all data communications should be encrypted when talking to 'foreign' hosts.

Your link explains the problem

[Sits]

This isn't so much about entropy "drying up" a few days after the system has booted - this is more about generating random numbers just after a system has booted and before "enough" entropy was gathered in the first place. From your link:

Not everything is perfect
[...]
Linux's /dev/urandom happily gives you not-so-random numbers before the kernel even had the chance to gather entropy. When is that? At system start, booting the computer.

but also from your link

FreeBSD does the right thing[...]. At startup /dev/random blocks once until enough starting entropy has been gathered. Then it won't block ever again.
[...]
On Linux it isn't too bad, because Linux distributions save some random numbers when booting up the system (but after they have gathered some entropy, since the startup script doesn't run immediately after switching on the machine) into a seed file that is read next time the machine is booting.
[...]
And it doesn't help you the very first time a machine is running, but the Linux distributions usually do the same saving into a seed file when running the installer. So that's mostly okay.
[...]
Virtual machines are the other problem. Because people like to clone them, or rewind them to a previously saved check point, this seed file doesn't help you.

So not great but not (always) a disaster and modern Linux allows programs to counter this if they wish by using getrandom.

Re:Your link explains the problem

[KGIII]

Why, in the real world, is this so important? I am obviously missing something. Hopefully someone will hit me with a clue stick. I fail to see why this desire for as close to truly random as one can get is actually a valuable thing for, well, pretty much anything. Given the frequency of these posts (with seemingly good replies) I am obviously not getting something.

Re:Your link explains the problem

[Fweeky]

Because a lot of security boils down to "I'm thinking of a number between 0 and $something, I bet an attacker can't guess it at a rate better than blind chance".

e.g. a 128 bit encryption key is a number between 0 and 340282366920938463463374607431768211455. With a secure random number generator, an attacker will have to on average test half of those possible keys before he finds the correct one, because he can't know anything that will reduce the space he has to search.

If your random number generator is broken - for an extreme example, say you only seed it with a 16-bit process ID - suddenly the random values you generate are trivially guessable, because there's only 65535 possible streams of randomness to check instead of $impossibly_huge_number. What should have taken longer than the age of the universe to crack now takes mere seconds.

Re:Your link explains the problem

[KGIII]

That makes sense. I knew I had to be missing something. I am not a crypto guy or even a systems hardening guy. Whilst I am a maths geek, I really do not do anything with crypto. Thanks.

Not a very good summary

[swillden]

I attended the (very interesting) Black Hat talk, and neither the article nor the /. summary do a very good job of summarizing it.

From memory (I didn't take notes), the key points were:

1. Tracking the entropy pool is a little harder than you might expect, because the kernel itself uses quite a lot. The primary reason is ASLR, but there other ways the kernel uses entropy itself. The kernel is effectively drawing from /dev/urandom at a very high rate, pulling thousands of bits every time it starts a process.

2. /dev/urandom vs /dev/random work a little differently than most people expect. There are actually three entropy pools, a "main" pool, a /dev/random pool and a /dev/urandom pool. Both /dev/random and /dev/urandom use the same PRNG, and both try to maintain 0 bits of entropy in their local pools, drawing a block from the main pool when needed and mixing it into their local pools (keep in mind that a pool is many bytes of data plus an estimate of how much entropy is in that data). /dev/random, obviously, blocks when it runs out of entropy in its local pool and there isn't enough in the main pool to satisfy the request. /dev/urandom works the same way, except that (a) it won't block and (b) it won't draw the main pool below 128 bits. When the main pool drops to 128 bits, /dev/urandom stops pulling from it.

3. The rate of entropy going into the main pool is low, on the order of single-digit bits per second. For some reason Potter and Moore didn't understand, using a daemon to get bits from the CPU HWRNG not only didn't increase the estimated entropy inflow rate, but actually decreased it (I had to step out for a bit around that point in the talk so I missed details).

4. Points 1, 2, and 3 taken together mean that the entropy pool is basically never above 128 bits. The kernel is always drawing on /dev/urandom, typically at a much higher rate (hundreds to thousands of bits per second pulled from urandom vs <10 bits per second going in).

5. OpenSSL seeds its internal CPRNG during startup and then just uses it, potentially forever, without ever reseeding. Worse, when it seeds from /dev/urandom at startup it makes no effort to check whether or not the kernel pool has any entropy to give it. It just gets some bytes and goes. This means that if an apache server starts up when there isn't much entropy in the pool, that very small amount of entropy could get stretched over a very large number of cryptographic operations. (Aside: I do a little work on and with BoringSSL, Google's OpenSSL fork, and it does reseed regularly, and also uses a more trustworthy CPRNG. I highly recommend using BoringSSL rather than OpenSSL.)

6. Android actually does better than desktop/server Linux, producing many more bits per second of entropy, though still far less than are demanded. Potter attributes this to the rich source of randomness available from the cellular radios.

How much any of this matters is hard to say. Entropy estimation is something of a black art at best, or wild ass guess at worst. Also, the kernel is known to be extremely conservative with at least one of its entropy sources: the HW RNG in most CPUs. Because there's concern the NSA may have backdoored those HW RNGs the kernel assumes their output is perfectly predictable, meaning that it provides zero entropy. The kernel mixes in HW bits anyway, because they can't hurt even if they are 100% predictable, and to whatever extent they're unpredictable they help.

In addition, the whole concept of entropy pools of known size which are drawn down and refilled is an extremely conservative one. Modern CPRNGs are able to produce enormous amounts of uniformly-distributed, unpredictable bits from fairly small seeds -- say, 256 bits of entropy. Assuming the kernel ever manages to get even a

Re:Not a very good summary

[hankwang]

5. OpenSSL seeds its internal CPRNG during startup and then just uses it, potentially forever, without ever reseeding. Worse, when it seeds from /dev/urandom at startup it makes no effort to check whether or not the kernel pool has any entropy to give it. It just gets some bytes and goes.

That would only be a problem if the boot scripts start up OpenSSL before seeding urandom. Are there any server distros that do that? At least CentOS 6 does it in rc.sysinit, way before the network-related stuff is started.

Re:Not a very good summary

[swillden]

5. OpenSSL seeds its internal CPRNG during startup and then just uses it, potentially forever, without ever reseeding. Worse, when it seeds from /dev/urandom at startup it makes no effort to check whether or not the kernel pool has any entropy to give it. It just gets some bytes and goes.

That would only be a problem if the boot scripts start up OpenSSL before seeding urandom. Are there any server distros that do that? At least CentOS 6 does it in rc.sysinit, way before the network-related stuff is started.

That only helps if there's some stored entropy to load during boot. There generally is something to load... how much entropy it has is harder to say.

Re:Not a very good summary

Basically there's no proof /dev/urandom is less safe than /dev/random - there have been no published results concerning it, and as it internally mixes in data from SHA-1 of entropy coming from random events, and known attacks against SHA-1 aren't very good, and that's before taking into consideration that we're mixing those hashes in well. There's a pretty good reason all the attacks come from lack of entropy, but as soon as you get a bit - you're set.

That said, if you have a source of random information you want to add, you can simply write to /dev/random - that mixes in a transformation on SHA-1 on your data - and adds randomness. Try, for instance, random from your network, lower bits of CPU load / temperature / RDTSC. This gets XORed in, so you can only add to the entropy (random^predictable is random).

Also, there's an ioctl you can use on /dev/random - RNDGETENTCNT - to see how much entropy your system currently has, if you want to play around with it a bit.

Re:Not a very good summary

[swillden]

Basically there's no proof /dev/urandom is less safe than /dev/random

Yep. As I said, the whole pool entropy measurement concept is extremely conservative in that there are no known theoretical attacks, much less practical ones, that depend on drawing from /dev/urandom when it has low entropy.

Also, there's an ioctl you can use [man7.org] on /dev/random - RNDGETENTCNT - to see how much entropy your system currently has, if you want to play around with it a bit.

Or you can cat /proc/sys/kernel/random/entropy_avail

Note that doing that will start a new process, which consumes entropy, so don't be surprised if it gradually drops over repeated calls.

Re:Not a very good summary

[hankwang]

That [restoring random seeds] only helps if there's some stored entropy to load during boot. There generally is something to load... how much entropy it has is harder to say.

Well, I'd say that managing entropy for the PRNG is mainly relevant for network-connected servers that need to generate encryption keys all the time. I assume that the timing of incoming network packets counts towards the entropy pool.(*) There should be plenty of network packets to ensure the accumulation of at least a kilobit of entropy during the normal course of operation.

(*) I can't find any list online of linux entropy sources that are used. There is LWN: Appropriate sources of entropy, where it's argued that it's difficult to make a reliable estimate of network-originated entropy. In the comments there, it is argued that one should still use the entropy from network interrupts, even if one chooses not to increase the entropy counter.

Re:Not a very good summary

I was doing some performance testing of HAVEGED a few months back, and was able to effectively exhaust the estimated entropy pool with less than 20 such `cat /proc/sys/kernel/random/entropy_avail`. I was surprised that it wasn't as gradual as I expected.

Re:Not a very good summary

[Kjella]

Also, the kernel is known to be extremely conservative with at least one of its entropy sources: the HW RNG in most CPUs. Because there's concern the NSA may have backdoored those HW RNGs the kernel assumes their output is perfectly predictable, meaning that it provides zero entropy.

So unless NSA has built in a backdoor and it's NSA trying to hack you, the CPU has plenty entropy. I'm glad they're trying to make it NSA-proof as well, but I would think any security is fucked if you can't trust the hardware to execute the instructions it gets.

Re:Not a very good summary

[hankwang]

was able to effectively exhaust the estimated entropy pool with less than 20 such `cat /proc/sys/kernel/random/entropy_avail`.

That's because the kernel randomizes the memory addresses of all dynamically linked libraries of the 'cat' command every time you do that.

Re:Not a very good summary

[sinij]

Entropy estimation isn't a black art. Here is how you do it: take SP 800-90B recommended tests - Markov, Compression, Frequency, Collision, and Partial Collection, collect 1 million samples, then take minimum of the individual test results. Or just do Markov. As long as you take care to analyze raw data (not conditioned), you can find our what is your entropy.

Re:Not a very good summary

[sinij]

This is not how it works. You take 1...2...3...n sequence, pass it through SHA-1 and you will get a very predictable set of random-looking numbers that will pass every test. As such "because SHA-1" argument is absurd.

Re:Not a very good summary

Yes. I understand ASLR. I was confirming what the parent poster said with anecdotal evidence; the best kind of evidence.

Re:Not a very good summary

I hope they are still _using_ it, but they stopped counting network input for entropy as it is potentially under the control of outside attackers.
I still think that's a case of the cure being worse than the illness here, but that's the situation.

Re:Not a very good summary

[swillden]

There should be plenty of network packets to ensure the accumulation of at least a kilobit of entropy during the normal course of operation.

Sure, eventually. But what happens later doesn't matter if Apache has already fired up its workers and they've already initialized their OpenSSL CPRNGs. This is why OpenSSL should re-seed periodically -- and why BoringSSL does re-seed periodically. So if you start with the CPRNG in a predictable state, at least it doesn't stay that way.

I can't find any list online of linux entropy sources that are used.

This is one of the other points the researchers noted: There's very little information available on how it all works other than the source code. Of course, the source code is both authoritative and exhaustive, but not as accessible as some good documentation would be.

Re:Not a very good summary

[swillden]

Entropy estimation isn't a black art. Here is how you do it: take SP 800-90B recommended tests - Markov, Compression, Frequency, Collision, and Partial Collection, collect 1 million samples, then take minimum of the individual test results. Or just do Markov. As long as you take care to analyze raw data (not conditioned), you can find our what is your entropy.

That doesn't tell you anything about the entropy of the data. At all. Try this: Take your favorite CPRNG and seed it with all zeros. Then generate all of the samples you need for exhaustive testing and run all of the tests. The completely deterministic output will pass with flying colors.

While you're at it, try this test as well: Take the output of a known quantum random process (thermal noise, etc.). Don't filter or process it in any way, use the raw data. Now run the tests on it. The truly random data will fail.

Those tests only validate the statistical properties of the samples. If they all pass, you can be pretty sure that the data is uniformly-distributed and free of biases. But they don't (and could never!) say anything about whether or not the output is random in any degree. Entropy is a measure of how much actual unpredictability exists in the stream. Your deterministic CPRNG seeded with a known value has beautifully uniform and bias-free output, but generates zero entropy. Your quantum mechanics-based TRNG isn't uniform and has various biases, but generates a lot of entropy.

Here's part of the black art: Tell me how much entropy the TRNG produces. It's less than one bit of entropy per bit of output. How much less?

I can easily condition the TRNG's output to make it uniform and bias-free (at least as far as standard statistical tests can tell), but that does not increase the entropy of the output. To estimate the entropy you need to analyze the TRNG's raw output both statistically and by examining the physical processes. One you have a reasonable guess, you can then condition the data to ensure that it does have a bit of entropy per bit, by compressing it in a way that reduces the output size but doesn't discard entropy.

But the kernel doesn't do anything like that. Instead, it looks at its incoming data sources and tries to estimate from the data itself how much entropy the data contains. It tries to be conservative, and the process of mixing the new data into the entropy pool is effectively an entropy-preserving compression function. But that estimation? Black art. Oh, there's some mathematical justification, but it rests on a lot of assumptions that are invalid to some degree.

Re:Not a very good summary

[swillden]

It's not about not trusting the hardware to execute the instructions. If the NSA were to backdoor the RNGs, they wouldn't do it by making the RNGs produce bad output on command... that would be too easy to detect. Instead, they'd just reduce the entropy of the output, all the time, but not so much that it's detectable. For example, perhaps for every 128-bit output, the RNG generates one of 2^40 128-bit blocks. Now, if you use that RNG's output as an AES key, say, then your key is easily brute-forceable by someone who knows which 2^40 keys it might be.

Of course, this sort of back door is easy to defeat; just make a conservative estimate of the entropy you think you get from the RNG, make it low enough that if it really were that low it would be easily detectable and then apply an entropy-preserving compression function to enough output to get as many bits as you need. This is why I think it's unlikely that the NSA bothered.

Re:Oblig

[heldal]

I don't know how it's related to this article except the word "entropy", but that was a great read, thanks.

why is there no hardware entropy generation ?!

[cats-paw]

Adding entropy generation hardware on a motherboard or even in the CPU would be trivial.

Would it be cryptographically sound ? Probably not, but it's a hell of a lot better than the ad hoc system now in place.

Is there some sort of patent issue preventing this from happening or something ?

Re:why is there no hardware entropy generation ?!

But this has been done. Linux kernel gathers entropy from hardware random number generators and mixes it to the pools.

Re:why is there no hardware entropy generation ?!

You mean this?

https://en.wikipedia.org/wiki/RdRand

No one trusts it. :p

Re:why is there no hardware entropy generation ?!

[cats-paw]

no i'm specifically talking about a generator which is hardware, i.e. voltage noise based.

https://en.wikipedia.org/wiki/...

Re:why is there no hardware entropy generation ?!

[cats-paw]

yeah- that's pretty much exactly what i was talking about.

fuckin-A that's depressing.

i, for one, do not welcome our backdoor-inserting overlords.

That sounds counter-intuitive

[bytesex]

Servers process enormous amounts of data that could increase the entropy pool. Although they can be manipulated to some extent, the timing and content of network packets that reach them can hardly be predicted.

Re:That sounds counter-intuitive

Networking was once an entropy source but was removed because of easy manipulation.

Re:That sounds counter-intuitive

[mysidia]

Networking was once an entropy source but was removed because of easy manipulation.

It doesn't matter if an entropy source is subject to manipulation, so long as you are gathering from the source and XOR'ing, then entropy is never lost, even by adding inputs from a source subject to manipulation.

They should also add Entropy from invoking Intel RNG periodically.

Re:That sounds counter-intuitive

I don't disagree, especially when you consider that it's only one manipulated source out of many. I'm just stating the fact: it was used, then it was removed.

Sadly, because of this choice, those of us who admin servers with high-cryptographic environments have to look elsewhere. I've not wanted to, but had to distribute HAVEGED as well as a custom built network based entropy service as extra entropy sources (before Pollen and Pollinate were things). It started out as solving the performance impact on VM's, but it wound up easier to just have it everywhere.

Getting entropy from hardware into a VM isn't straightforward, especially if you don't have virtio-rng (KVM only).

Why...

[JustAnotherOldGuy]

Why don't they just use the RNG built into systemd??

Re:Why...

[U2xhc2hkb3QgU3Vja3M]

What does a RNG have to do with random numbers generation?

VIA is better than Intel and AMD for this

[U2xhc2hkb3QgU3Vja3M]

http://www.via.com.tw/en/initi...

Re:VIA is better than Intel and AMD for this

You don't know RdRand?

really?

apt-get install haveged

This is FUD

[sinij]

I do this for living. This presentation is FUD and not applicable for 99% of all configurations. Sure, some headless system with a solid state drive will encounter 'at rest' issues if they idle long enough. This why /dev/random design blocks. For that 1% cases you can always mix Intel RdRand, or Freescale SEC sources.

The real issue with Entropy is that developers keep using /dev/urandom, then all bets are off, as you need to guarantee that system always has sufficient entropy.

Re:This is FUD

Actually, after you have gotten about 200 bits of entropy into /dev/urandom, it is fine to use for almost any crypto and certainly for everything usual. Some understanding of the subject at hand is required to see that though. The only possible problem is on start-up, before you have a reasonable amount of entropy in there. /dev/urandom cannot "run dry" in practice, it can only still be dry from start-up.

Re:This is FUD

[swillden]

I do this for living. This presentation is FUD and not applicable for 99% of all configurations. Sure, some headless system with a solid state drive will encounter 'at rest' issues if they idle long enough. This why /dev/random design blocks. For that 1% cases you can always mix Intel RdRand, or Freescale SEC sources. The real issue with Entropy is that developers keep using /dev/urandom, then all bets are off, as you need to guarantee that system always has sufficient entropy.

Your comment inadvertently highlights the problem.

Developers don't use /dev/random because it blocks, and there's almost never any point to waiting. Once the pool has accumulated a few hundred bits of entropy, there's no reason not to use /dev/urandom.

But blindly using /dev/urandom is dangerous because in some (fairly rare) cases the system will not have any entropy.

The solution is to use /dev/urandom, but only after verifying that the pool has some entropy. Ideally, it would be nice to have an API that allows you to find out how many total bits of entropy have been gathered by the system, regardless of how many remain in the pool at any given point in time. If the system has managed to accumulate a few hundred bits, just use /dev/urandom and get on with life. If it hasn't, use /dev/random and block.

Hmm, it occurs to me that maybe we should just add a third character device, maybe /dev/gerandom (for Good Enough random), which provides exactly this behavior. Then we could just tell developers to use that. /dev/random would be for the particularly paranoid. /dev/urandom would be deprecated. The reason not to just change the behavior of /dev/urandom rather than adding a new device is because software assumes that it will never block, where /dev/gerandom will just hardly ever block.

Re:This is FUD

[sinij]

/dev/urnadom CAN run dry, it is that "dry" is much "wetter" than most people expect. What happens when it runs dry is that output become predictable if you know its state. That is, if you somehow could derive previous state (hard task), then consequent output during low-entropy will be highly correlated to that previous state.

You are correct, aside from initial boot, for non-cryptographic tasks /dev/urandom is good enough. Now, if you have VPN and intend for it to resist state-level actors, then /dev/urandom is not good enough for seeing your crypto.

Re:This is FUD

[Sits]

The solution is to use /dev/urandom, but only after verifying that the pool has some entropy. Ideally, it would be nice to have an API that allows you to find out how many total bits of entropy have been gathered by the system, regardless of how many remain in the pool at any given point in time. If the system has managed to accumulate a few hundred bits, just use /dev/urandom and get on with life. If it hasn't, use /dev/random and block.

The solution is to use /dev/urandom, but only after verifying that the pool has some entropy. Ideally, it would be nice to have an API that allows you to find out how many total bits of entropy have been gathered by the system, regardless of how many remain in the pool at any given point in time. If the system has managed to accumulate a few hundred bits, just use /dev/urandom and get on with life. If it hasn't, use /dev/random and block.

You could build what you are asking for by using the new (since v3.17 kernel) getrandom() syscall. See the part about emulating getentropy for determining if you've ever had up to 256 bits entropy in its man page for implementing your API suggestion...

Re:This is FUD

[swillden]

Not really. getrandom() doesn't tell you how much entropy is in the pool, or if you've ever had a certain amount of entropy. It does allow you to wait until the pool has been "initialized", which is good, and maybe good enough, but it's not the same.

Re:This is FUD

[Sits]

Doesn't it let you essentially let you find out if you've had (since this boot?) up to 256 bits of entropy? You can ask it whether it has had an amount so long as it's less than 256 bits and you can force it to return failure if you ask for an amount it hasn't yet reached. It's not as generic as what you're asking ("tell me how much you've ever had") but it does still sound close to what you're asking for (albeit in a limited 256 bit form).

Re:This is FUD

[swillden]

Doesn't it let you essentially let you find out if you've had (since this boot?) up to 256 bits of entropy?

No, not in any way I can see.

You can ask it whether it has had an amount so long as it's less than 256 bits and you can force it to return failure if you ask for an amount it hasn't yet reached.

That's not what it says. It says:

By default, getrandom() draws entropy from the /dev/urandom pool. [...] If the /dev/urandom pool has been initialized, reads of up to 256 bytes will always return as many bytes as requested and will not be interrupted by signals

So, it's good that if the call will block unless the pool has been initialized (unless you give it the GRND_NONBLOCK) flag. But "pool has been initialized" doesn't tell you anything about how much entropy has been gathered except that it's non-zero. The bit about 256 byte (note: byte, not bit) reads always returning has nothing to do with entropy available, it's just an assurance that reads up to that size will be fast and atomic with respect to signals.

Re:This is FUD

[Sits]

You're absolutely right - it only lets you tell whether the pool has been initialised and GRND_NONBLOCK on tells you how much /dev/random could return if it were blocking and nothing about the total amount of entropy gathered.

Cheap hardware random number generator?

What about an high speed ADC sampling white noise?

Re:Cheap hardware random number generator?

There are a few usb key based options available, the most recent one being this: http://onerng.info/

Re: Windows? BSD?

OpenBSD did some work on this a while ago. As usual they're ahead of things: http://undeadly.org/cgi?action=article&sid=20131230165736

Why can't we have true hardware random generators

[halfdan+the+black]

It's not hard, all you need is a few thermal diodes and read from them.

I seriously can't believe modern hardware does not have hardware RNGs

Stuff that matters!

Why not put a positive spin on it:

"Linux servers mostly process low entropy data - Stuff That Matters!"

Re:Why can't we have true hardware random generato

[Blaskowicz]

There is one in some x86 CPUs, see there : https://en.wikipedia.org/wiki/...

Re:Why can't we have true hardware random generato

Server CPUs most definitely have it. But you need _trusted_ hardware random number generators. And so far it all falls flat on the "trusted" part, at least for the CPU-included ones.

Save at shutdown, and occasionally grab web data?

[Keybounce]

So what ever happened to "save the random state at shutdown, and restore the random state at startup"? That, I thought, was standard behavior as of about a decade ago.

If that wasn't enough, then every so often (no more than once a day or so), grab 1K of random bytes from random.org, and add it to the pool at a slow and steady rate (when /dev/random would block, for example); refill that buffer when empty if enough time has passed.

Yes, that basically means 1K bytes, or 8K bits, of entropy only for /dev/random, that would not be visible to /dev/urandom. People using urandom are basically saying that they don't need the really good numbers, right?

Been thinking this for some time

[skeld0y]

Imagine a hypervisor spinning up 120 identical Linux instances - they all generate ssh-keys at the same time during boot/install (+- ms'). How can that be "good"? It will probably survive statistical testing but so a LCG. I have serious doubt that there is enough entropy in ze clouds. Btw: coolest way to harvest entropy is to feed your PRNG with SDR-input.

Re:Been thinking this for some time

Btw: coolest way to harvest entropy is to feed your PRNG with SDR-input.

Let's think of the opportunity for an attacker to compromise that for a millisecond or so. And then consign the idea where it belongs.