Feeding /dev/random with random data

When doing cryptographic operations on a system generating random numbers is required. But accessing /dev/random might be slow in case there is not enough random input. Let’s have a look how to provide some additional random data to improve the speed of random number generation.

Why generating random numbers might be slow

In case there shall be generated a random number, there are two options on *nix systems to do this. The first way is to use /dev/random. It is cryptographic secure. The alternative is to use /dev/urandom which performs much better but is not secure concerning cryptography. But it generates great random numbers at all. Both /dev/random and /dev/urandom produce random numbers the same way. But using /dev/random ensures that the random number is pseudo random enough to be secure for all cryptographic operations. So when generating a new private key for example /dev/random is used. It is blocking, this means that the random number is returned in case there was as many random input as required. On the other side, /dev/urandom does not block, so a random number is returned instantly. In case the random number is not required for cryptographic operations /dev/urandom is the better choice.

Security hint

There are many suggestions to use /dev/urandom instead of /dev/random. Furthermore there are many “experts” that say it does not matter. But please don’t believe them. For a normal user or software developer this is random number is not hackable, but for a security expert it’s nothing special. So please don’t use /dev/urandom instead of /dev/random.

Checking the amount of generated random numbers

When executing watch -n 1 cat /proc/sys/kernel/random/entropy_avail the current available amount of entropy in the random number generator is returned. Furthermore the value is updated once a second. Simply skip it with CTRL + C. If random number generation is slow, just have a try with this command. In case there is another system that generates random numbers much faster, simply compare the values of both of the systems. In case the number of the slow system is significantly lower than on the fast system, this is the reason for slow random number generation.

Increasing entropy

In order to increase the entropy it is required to gain values from sources that really produce random values. Different scientific studies identified hardware resources that truly produce values that are as random as possible. In combination with other resources they are random enough to be usable for cryptographic operations.

Increasing entropy with haveged

In my opinion the best way to increase entropy is the usage of haveged. This is a daemon that constantly feeds /dev/random and increases the pool of random numbers. In order to run haveged simply install it. For a debian system by using apt-get install haveged.

On the reference system the entropy pool increased it’s size from about 120-170 to 2500-3500. When massively running cryptographic operations that require new cryptographic keys, it dramatically increases the performance. One use case would be signing software components, another is creating messages that require an own cryptographic key each message.

Registering haveged as service

In case haveged is not yet registered as service, simply do it. In order to register haveged as service please refer to Getting Started with systemd. This is the new way with systemd. For the old init system please refer to the man pages.

Sources

Getting Started with systemd
haveged – a simple entropy daemon
Increase random entropy pool in Debian sid
Feeding /dev/random entropy pool?

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.