Robert Martin-Legene <[email protected]> wrote:
>
> Does anyone have experiences using haveged for PRNG? When generating
> DNSSEC keys on a virtual server it takes a looong time to get
> randomness.

My view is that haveged might be snake-oil, but it is a useful way of
fixing braindamage in the Linux implementation of /dev/random. An RNG
should block until it has been securely seeded, and after that it should
run freely. Linux /dev/urandom fails to block and /dev/random fails to
run freely. Sigh.

Haveged at least fixes the /dev/random bogus entropy estimation, but you
should also check that your distro ensures the RNG is properly
initialized e.g. using a random seed file.

http://www.metzdowd.com/pipermail/cryptography/2014-February/019920.html
http://www.mail-archive.com/[email protected]/msg04763.html
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
http://www.2uo.de/myths-about-urandom/
https://pthree.org/2014/07/21/the-linux-random-number-generator/

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Trafalgar: Easterly 5 or 6 in far southeast, otherwise northerly 4 or 5.
Moderate or rough. Mainly fair. Good.
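
Added example, not part of the original message: one way to check on a Linux guest whether the kernel RNG has been seeded before generating keys, and to draw key material through getrandom(2) (Linux 3.17 and later), which with flags=0 waits for the initial seed and does not block after that. The function names are hypothetical and the fallback path assumes a platform without getrandom(2).

```python
import errno
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux-only estimate


def kernel_rng_seeded():
    """True/False if the kernel says so, None if this platform cannot tell."""
    if not hasattr(os, "getrandom"):
        return None
    try:
        # GRND_NONBLOCK: fail with EAGAIN instead of waiting for the seed.
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False
    except OSError as exc:
        if exc.errno in (errno.ENOSYS, errno.EPERM):
            return None  # syscall missing or filtered
        raise


def entropy_estimate():
    """The kernel's entropy estimate in bits, or None if it is not exposed."""
    try:
        with open(ENTROPY_AVAIL) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def key_bytes(n):
    """n bytes that wait for the initial seed once and never block afterwards."""
    if kernel_rng_seeded() is None:
        return os.urandom(n)  # fallback path: seeding cannot be verified here
    out = b""
    while len(out) < n:
        out += os.getrandom(n - len(out))  # flags=0: blocks only until seeded
    return out


if __name__ == "__main__":
    print("seeded:", kernel_rng_seeded(), "estimate:", entropy_estimate())
    print("sample:", key_bytes(32).hex())
```

Run early in boot on a fresh virtual machine, a False from kernel_rng_seeded() indicates that no seed file or other entropy source has initialized the pool yet.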
