Re: ssh, /dev/urandom
On Wed, Dec 18, 2002 at 11:58:52AM +0100, Gaël Le Mignot wrote:
> Werner a écrit :
> > On Tue, 17 Dec 2002 13:36:21 +0100, Gaël Le Mignot said:
> >> And /dev/urandom is not really done for "cryptographic secure" randomness,
> >> it's the goal of /dev/random, not /dev/urandom (and AFAIK ssh only uses
> > That is not really true. The common implementations of /dev/[u]random
> > for *BSD and Linux use only one entropy pool and the only difference
> > between random and urandom is that urandom never blocks on low
> > entropy but continues to yield random bytes using a pseudo random
> > number generator (i.e. hashing the pool again). So, as long as enough
> > entropy is available both devices can be considered equal.
> This is the current implementation, yes, but /dev/urandom doesn't guarantee
> anything about the "quality" of the random bits. It can be secure, but it
> can be pseudo-random too, and any program that uses /dev/urandom as a secure
> source of random bits is flawed, so there is absolutely no problem, IMHO,
> to use the current random translator for /dev/urandom.
It's not flawed to use /dev/urandom for some purposes, like session keys,
which are only needed for a short time (a few hours or days) and then thrown
It's correct that you cannot tell much about the quality of urandom if you
read it. However, the urandom translator itself knows more about when it
Anyway, the reason the current translators are incomplete is that they
don't support polling random sources themselves (a kernel device), and
urandom should more actively seek to reseed itself, or be reseeded by
/dev/random. Also, we need to have the oskit random device for /dev/random.
When we have the oskit device, I will happily finish my random translators
and put them in CVS.
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org email@example.com
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
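The point argued in the thread above, that /dev/urandom keeps returning bytes while /dev/random may block when the kernel's entropy estimate is low, can be observed directly with a non-blocking read. The following script is an added example, not code from the thread or from the Hurd project. It assumes a Linux host exposing both device nodes; the entropy counter path /proc/sys/kernel/random/entropy_avail is Linux-specific and is treated as optional.

```python
"""Probe /dev/random and /dev/urandom for blocking behaviour.

Added example (not from the original thread). Assumes a Linux host with
both device nodes; the entropy counter below is Linux-only and optional.
"""
import os

# Linux-only sysctl exposing the kernel's current entropy estimate in bits.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def entropy_estimate():
    """Return the kernel's entropy estimate in bits, or None if not exposed."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_nonblocking(path, n):
    """Read up to n bytes from path without ever blocking.

    Returns (data, would_block). would_block is True when the device
    answered EAGAIN, i.e. a normal read() would have blocked waiting for
    entropy. For /dev/urandom it is always False: the device falls back to
    its PRNG output instead of blocking.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        chunks = []
        remaining = n
        while remaining > 0:
            try:
                chunk = os.read(fd, remaining)
            except BlockingIOError:  # EAGAIN: device would block on low entropy
                return b"".join(chunks), True
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks), False
    finally:
        os.close(fd)


def probe(n=64):
    """Compare both devices and report bytes obtained and blocking state."""
    report = {"entropy_avail": entropy_estimate()}
    for dev in ("/dev/random", "/dev/urandom"):
        data, would_block = read_nonblocking(dev, n)
        report[dev] = {"bytes": len(data), "would_block": would_block}
    return report


def session_key(nbytes=32):
    """Short-lived session key drawn from /dev/urandom, the use the thread
    considers acceptable for keys that are discarded after hours or days."""
    data, _ = read_nonblocking("/dev/urandom", nbytes)
    if len(data) != nbytes:
        raise RuntimeError("short read from /dev/urandom")
    return data


if __name__ == "__main__":
    for k, v in probe().items():
        print(k, v)
    print("session key:", session_key().hex())
```

On Linux kernels before 5.6 a run with a low entropy estimate typically reports `would_block: True` for /dev/random and a short read, while /dev/urandom always delivers the full count; since 5.6 /dev/random only blocks until the pool has been initialised once at boot, so on current kernels both devices usually report the same result. The script reports what the running kernel actually does rather than assuming either behaviour.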