Entropy (computing)
In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources(variance in fan noise or HDD), either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.
Linux kernel
The Linux kernel generates entropy from keyboard timings, mouse movements, and IDE timings and makes the random character data available to other operating system processes through the special files /dev/random and /dev/urandom. This capability was introduced in Linux version 1.3.30.[1]
There are some Linux kernel patches allowing one to use more entropy sources.[2] The audio_entropyd project, which is included in some operating systems such as Fedora, allows audio data to be used as an entropy source.[3] Also available are video_entropyd which calculates random data from a video-source and entropybroker which includes these three and can be used to distribute the entropy data to systems not capable of running any of these (e.g. virtual machines). Furthermore, one can use the HAVEGE algorithm through haveged to pool entropy.[4] In some systems, network interrupts can be used as an entropy source as well.[5]
On systems using the Linux kernel, programs needing significant amounts of random data from /dev/urandom cannot co-exist with programs reading little data from /dev/random, as /dev/urandom depletes /dev/random whenever it is being read.[6]
OpenBSD kernel
OpenBSD has integrated cryptography as one of its main goals and has always worked on increasing its entropy for encryption but also for randomising many parts of the OS, including various internal operations of its kernel. Around 2011, two of the random devices were dropped and linked into a single source as it could produce hundreds of megabytes per second of high quality random data on an average system. This made depletion of random data by userland programs impossible on OpenBSD once enough entropy has initially been gathered. This is due to OpenBSD utilising an arc4random function to maximise the efficiency or minimise the wastage of entropy that the system has gathered.
Hurd kernel
A driver ported from the Linux kernel has been made available for the Hurd kernel.[7]
Solaris
/dev/random and /dev/urandom have been available as Sun packages or patches for Solaris since Solaris 2.6,[8] and have been a standard feature since Solaris 9.[9] As of Solaris 10, administrators can remove existing entropy sources or define new ones via the kernel-level cryptographic framework.
A 3rd-party kernel module implementing /dev/random is also available for releases dating back to Solaris 2.4.[8]
OS/2
There is a software package for OS/2 that allows software processes to retrieve random data.[10]
Windows
Microsoft Windows releases newer than Windows 95 use CryptoAPI to gather entropy in a similar fashion to Linux kernel's /dev/random.[11]
Windows's CryptoAPI uses the binary registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed to store a seeded value from all of its entropy sources.[12]
Because CryptoAPI is closed-source, some free and open source software applications running on the Windows platform use other measures to get randomness. For example, GnuPG, as of version 1.06, uses a variety of sources such as the number of free bytes in memory that combined with a random seed generates desired randomness it needs.[13]
Programmers using CAPI can get entropy by calling CAPI's CryptGenRandom(), after properly initializing it.[14]
Embedded Systems
Embedded Systems have real issues gathering enough entropy as they are often very simple devices with short boot times and keys are often one of the first things a system may do. A simple study demonstrated the widespread use of weak keys by finding many embedded systems such as routers using the same keys. It was thought that the number of weak keys found would have been far higher if simple and often attacker determinable one-time unique identifiers had not been incorporated into the entropy of some of these systems.
Other systems
There are some software packages that allow one to use a userspace process to gather random characters, exactly what /dev/random does, such as EGD, the Entropy Gathering Daemon.[15]
Hardware-originated entropy
Modern CPUs and hardware often feature integrated generators that can provide high-quality and high-speed entropy to operating systems. On systems based on the Linux kernel, one can read the entropy generated from such a device through /dev/hw_random.[16] However, sometimes /dev/hw_random may be slow;[17] usually around 80 KiB/s.[18]
There are some companies manufacturing entropy generation devices, and some of them are shipped with drivers for Linux.[19]
On Debian, one can install the rng-tools package (apt-get install rng-tools) that supports the true random number generators (TRNGs) found in CPUs supporting the RdRand instruction, Trusted Platform Modules and in some Intel, AMD, or VIA chipsets,[20] effectively increasing the entropy collected into /dev/random and potentially improving the cryptographic potential. This is especially useful on headless systems that have no other sources of entropy.
Practical implications
System administrators, especially those supervising Internet servers, have to ensure that the server processes will not halt because of entropy depletion. Entropy on servers utilising the Linux kernel, or any other kernel or userspace process that generates entropy from the console and the storage subsystem, is often less than ideal because of the lack of a mouse and keyboard, thus servers have to generate their entropy from a limited set of resources such as IDE timings.
The entropy pool size in Linux is viewable through the file /proc/sys/kernel/random/entropy_avail and should generally be at least 2000 bits (out of a maximum of 4096).[21][22] Entropy changes frequently.
Administrators responsible for systems that have low or zero entropy should not attempt to use /dev/urandom as a substitute for /dev/random as this may cause SSL/TLS connections to have lower-grade encryption.[23]
Some software systems change their Diffie-Hellman keys often, and this may in some cases help a server to continue functioning normally even with an entropy bottleneck.[24]
On servers with low entropy, a process can appear hung when it is waiting for random characters to appear in /dev/random (on Linux-based systems). For example, there was a known problem in Debian that caused exim4 to hang in some cases because of this.[25]
Security
Entropy sources can be used for keyboard timing attacks. [26]
Entropy can affect the cryptography (TLS/SSL) of a server: If a server fails to use a proper source of randomness, the keys generated by the server will be insecure. In some cases a cracker (malicious attacker) can guess some bits of entropy from the output of a pseudorandom number generator (PRNG), and this happens when not enough entropy is introduced into the PRNG.[27]
Potential sources
Commonly used entropy sources include the mouse, keyboard, and IDE timings, but there are other potential sources. For example, one could collect entropy from the computer's microphone, or by building a sensor to measure the air turbulence inside a disk drive.[28] However, microphones are usually not available in servers. Microphones are not needed, white noise can be collected from empty microphone, or line in jacks. Webcams are another source of entropy, some are noisy, others can be pointed at lava lamps. Generating entropy on servers you do not have control over is a bad idea as it can be influenced one way or another.
For Unix/BSD derivatives there exists a USB based solution that utilizes an ARM Cortex CPU for filtering / securing the bit stream generated by two entropy generator sources in the system.[29]
See also
References
- ↑ random(4) - Linux man page (die.net)
- ↑ Robotic Tendencies » Missing entropy
- ↑ Fedora Package Database - audio-entropyd
- ↑ "haveged - A simple entropy daemon". Retrieved 3 April 2011.
- ↑ Entropy and Random Devices | LinuxLink by TimeSys - Your Embedded Linux Resource
- ↑ High-Entropy Randomness Generator
- ↑ /dev/{,u}random driver for GNU/Hurd (ibofobi.dk)
- 1 2 Solaris /dev/random through emulation
- ↑ Solaris /dev/random
- ↑ Rexx Entropy Gathering Daemon for OS/2
- ↑ GPL command-line shred alternative for Windows
- ↑ Source for entropy on Windows platforms with CryptoAPI installed
- ↑ How does Windows GnuPG generate random numbers on keygen?
- ↑ http://www.cs.berkeley.edu/~daw/rnd/cryptoapi-rand http://archives.seul.org/or/cvs/Mar-2004/msg00078.html
- ↑ Secure Programs HOWTO - Random Numbers
- ↑ 'Re: SSL/TLS entropy problem,' - MARC
- ↑ Re: /dev/hw_random
- ↑ Re: /dev/hw_random
- ↑ http://www.std.com/~reinhold/truenoise.html http://random.com.hr/products/random/hg324.html
- ↑
- ↑ Re: [exim] no reply to STARTTLS
- ↑ random(4) Linux man page, die.net
- ↑ SSL/TLS entropy problem, a.k.a. pops timeouts (was: sasl ldap problem)
- ↑ Josefsson, Simon; [TLS] Re: Short Ephermal Diffie-Hellman keys (ietf.org mailing list)
- ↑ [gnutls-dev] gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day too frequent?, lists.gnupg.org
- ↑ Zalewski, Michal; Unix entropy source can be used for keystroke timing attacks, 2003
- ↑ Re: entropy depletion (was: SSL/TLS passive sniffing), 2005
- ↑ Build your own cryptographically safe server/client protocol - 4.8.3. Collecting entropy
- ↑ http://www.entropykey.co.uk Archived July 22, 2010, at the Wayback Machine.