httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] HTTPD asking for password after power failure
Date Fri, 12 Aug 2016 22:35:49 GMT
On Fri, Aug 12, 2016 at 9:31 PM, Christopher Schultz
<chris@christopherschultz.net> wrote:
>
> On 8/11/16 11:10 PM, Marat Khalili wrote:
>> From what I saw, this behavior of /dev/random is totally normal on
>> an idle Linux system.
>
> There seems to be some confusion about /dev/random on Linux systems.
> Yes, the behavior described here is normal: when the system comes up,
> there is very little entropy available on /dev/random. /dev/random
> needs random events to occur in order to provide that entropy, and
> those events are things like I/O interrupt timings, etc.

There is quickly not enough entropy when using /dev/random, and very
few (if any) interest in using it.

>
> IIRC, Linux relies on the keyboard to generate lots of those events
> and, on a server, the keyboard by definition doesn't get used. So
> other events are required to fill that entropy pool. So, after a
> reboot, the entropy pool is "shallow".

This is true after booting, but also each time /dev/random is (ab)used.

On the other hand, there is /dev/urandom, requiring 128bits of entropy
to be initialized (which are always there after the boot, except maybe
for specific embedded devices with no disk, hardly servers), plus a
few more entroy from time to (long) time, and is just as secure as
/dev/random (often the same implementation, certainly on Linux), while
never waiting/blocking for entropy...

>
> /dev/random is supposed to be a source of high-quality randomness
> /dev/urandom is supposed to be a source of low-quality randomness

This isn't true.

>
>> Just do not ever use /dev/random.

+1

>
> The choice of which to use is up to you, but remember that low-quality
> randomness gets you low-quality crypto keys. But to say that one
> should "not ever use /dev/random" is really bad advice.

If you really want to block and exhaust all entropy for the (few)
needs of /dev/urandom users, well you can use it, otherwise don't.


Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message