[erlang-questions] All possible internal states of Erlang/OTP random module are practically computable

Jesper Louis Andersen jesper.louis.andersen@REDACTED
Thu Jan 8 13:45:26 CET 2015


Note the caveat: "if the underlying primitive is correctly implemented".

FreeBSD dragon.lan 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
21:02:49 UTC 2014     root@REDACTED:/usr/obj/usr/src/sys/GENERIC
 amd64
[jlouis@REDACTED ~]$ ls -l /dev/*random
crw-rw-rw-  1 root  wheel  0xc Dec 25 17:28 /dev/random
lrwxr-xr-x  1 root  wheel    6 Dec 25 17:28 /dev/urandom -> random

On FreeBSD, the randomness refers to the same source for a reason. Because
there is no way you can "run out of random entropy". As such, there are no
difference between "strong" and "normal" random bytes at all. Both sources
are backed by the Yarrow generator. On Linux, you can, but Linux presents
an appallingly bad interface :)

On OpenBSD, you have an even better option:

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2

which lets you source entropy to use for your own CSPRNG in the user space
of the process (OpenBSD uses a solution based on chacha20 currently). It
has the advantage that you can't attack it with file descriptor exhaustion
and other such shenanigans since it is a syscall.

It was so useful, the Linux guys have added it:

http://lists.openwall.net/linux-kernel/2014/07/17/235

You unfortunately can't get rid of the API semantics in Erlang since some
older systems will definitely fail this. In case of an older system, the
right approach is to crash. And probably never to call strong_rand_bytes
ever on sane systems :)

On Wed Jan 07 2015 at 4:26:43 PM Sverker Eriksson <
sverker.eriksson@REDACTED> wrote:

> On 12/23/2014 03:56 PM, Jesper Louis Andersen wrote:
> > 3. ... The 'strong_rand_bytes/1' function can
> > return 'low_entropy' which is outright wrong and preposterous on modern
> > machines. It never will, if the underlying random primitive is correctly
> > implemented. The whole idea of "running out of entropy" is false.
> >
>
> 'low_entropy' from strong_rand_bytes/1 is a direct mapping to RAND_bytes
> returning error, which OpenSSL docs say can happen "... if the PRNG has not
> been seeded with enough randomness to ensure an unpredictable byte
> sequence."
>
> And the Linux man page for /dev/random and /dev/urandom says things like:
> "When the entropy pool is empty, reads from /dev/random will block
> until additional environmental  noise is gathered.".
>
> So, it seems to me that "running out of entropy" is at least a valid
> concept.
> And doing "cat /dev/random" on my Linux machine sure do block
> after a few hundred bytes of output.
>
>
> /Sverker
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150108/37143ef2/attachment.htm>


More information about the erlang-questions mailing list