On 07/29/2010 12:47 PM, Richard Salz wrote: > At shutdown, a process copies /dev/random to /var/random-seed which is > used on reboots. [1]
Actually it typically copies from /dev/urandom not /dev/random, but we agree, the basic idea is to save a seed for use at the next boot-up. > Is this a good, bad, or "shrug, whatever" idea? Before we can answer that, we must have a brief "what's your threat model" discussion. As always, I define "random" to mean "random enough for the application". The demands vary wildly from application to application. Interesting use cases include: a) low-grade randomness: For non-adversarial applications such as Monte Carlo integration of a physics problem, almost any RNG will do. b) high-grade randomness: For high-stakes adversarial applications, including crypto and gaming, I wouldn't trust /dev/urandom at all, and details of how it gets seeded are just re-arranging the deck chairs on the Titanic. Discussion: A) For low-grade applications, procedure [1] is well suited. It is clearly better than nothing, although it could be improved. A conspicuous weakness of procedure [1] is that gets skipped if the machine goes down due to a software fault, or power failure, or really anything other than an orderly shutdown. Rather than writing the file at the last possible opportunity, it would make at least as much sense to write it much earlier, perhaps immediately after boot-up. B) At the other extreme, for high-grade applications, /dev/random is not (by itself) good enough, and asking how it gets seeded is just re-arranging deck chairs on the Titanic. Tangential remark: It would be nice if the random-seed file could be written in a way that did not deplete the amount of entropy stored in /dev/random ... but given the existing linkage between /dev/random and /dev/urandom it cannot. On the other hand, if you have reason to worry about this issue, you shouldn't be using /dev/urandom at all anyway. Remember what von Neuman said about living in sin. Tangential remark: You could worry about how carefully we need to read-protect the random-seed file (and all backups thereof). But again, if you are worried at that level of detail, you shouldn't be using a PRNG anyway. If it needs a seed, you are living in sin. Constructive suggestion: Use something like Turbid: http://www.av8n.com/turbid/ i.e. something that generates a steady stream of honest-to- goodness entropy. If you are not sure whether you need Turbid, you ought to use it. It's cheap insurance. The cost of implementing Turbid is very small compared to the cost of proving you don't need it. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com