Entropy (computing)
In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources (variance in fan noise or HDD), either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.
Linux kernel
The
There are some Linux kernel patches allowing one to use more entropy sources.
OpenBSD kernel
OpenBSD has integrated cryptography as one of its main goals and has always worked on increasing its entropy for encryption but also for randomising many parts of the OS, including various internal operations of its kernel. Around 2011, two of the random devices were dropped and linked into a single source as it could produce hundreds of megabytes per second of high quality random data on an average system. This made depletion of random data by userland programs impossible on OpenBSD once enough entropy has initially been gathered.
Hurd kernel
A driver ported from the Linux kernel has been made available for the
Solaris
/dev/random and /dev/urandom have been available as Sun packages or patches for
As of Solaris 10, administrators can remove existing entropy sources or define new ones via the kernel-level cryptographic framework. A 3rd-party kernel module implementing /dev/random is also available for releases dating back to Solaris 2.4.[10]
OS/2
There is a software package for OS/2 that allows software processes to retrieve random data.[12]
Windows
Microsoft Windows releases newer than Windows 95 use CryptoAPI to gather entropy in a similar fashion to the Linux kernel's /dev/random.[13]
Windows's CryptoAPI uses the binary registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed to store a seeded value from all of its entropy sources.[14]
Because CryptoAPI is
Programmers using CAPI can get entropy by calling CAPI's CryptGenRandom(), after properly initializing it.[16]
CryptoAPI was deprecated from Windows Vista onward. The new API is called Cryptography API: Next Generation (CNG).[17] Windows's CNG uses the binary registry key HKEY_LOCAL_MACHINE\SYSTEM\RNG\Seed to store a seeded value.
Newer versions of Windows are able to use a variety of entropy sources:
- TPM if available and enabled on motherboard
- Entropy from UEFI interface (if booted from UEFI)[18]
- RDRAND CPU instruction if available
- Hardware system clock (RTC)
- OEM0 ACPI table content
- Interrupt timings
- Keyboard timings and Mouse movements[19]
Embedded systems
(De)centralized systems
A
Other systems
There are some software packages that allow one to use a userspace process to gather random characters, exactly what /dev/random does, such as EGD, the Entropy Gathering Daemon.[22]
Hardware-originated entropy
Modern
There are some companies manufacturing entropy generation devices, and some of them are shipped with drivers for Linux.[26][27]
On a Linux system, one can install the rng-tools package
Practical implications
System administrators, especially those supervising Internet servers, have to ensure that the server processes will not halt because of entropy depletion. Entropy on servers utilising the Linux kernel, or any other kernel or userspace process that generates entropy from the console and the storage subsystem, is often less than ideal because of the lack of a mouse and keyboard; such servers have to generate their entropy from a limited set of resources such as IDE timings.
The entropy pool size in Linux is viewable through the file /proc/sys/kernel/random/entropy_avail and should generally be at least 2000 bits (out of a maximum of 4096).[30][31] Entropy changes frequently.
Administrators responsible for systems that have low or zero entropy should not attempt to use
Some software systems change their
On servers with low entropy, a process can appear hung when it is waiting for random characters to appear in /dev/random (on Linux-based systems). For example, there was a known problem in
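The pool check and the hang described in this section, as an added example that is not part of the original article: it reads the kernel's estimate from /proc/sys/kernel/random and fetches key material with a non-blocking getrandom() call instead of a blocking read of /dev/random. The function names, the use of the poolsize file, and the proportional scaling of the 2000-bit guideline are assumptions of this example.

```python
import os
from pathlib import Path

PROC_RANDOM = Path("/proc/sys/kernel/random")  # Linux procfs directory
GUIDE_BITS = 2000   # "at least 2000 bits" guideline quoted above
GUIDE_POOL = 4096   # pool maximum quoted above


def read_bits(path):
    """Return the integer held in a procfs-style file, or None if unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def assess_pool(proc_dir=PROC_RANDOM):
    """Classify the kernel entropy estimate as 'ok', 'low' or 'unknown'.

    Assumption of this example: if poolsize is not 4096, the 2000-bit
    guideline is scaled by the same ratio so the check stays meaningful.
    """
    avail = read_bits(Path(proc_dir) / "entropy_avail")
    if avail is None:
        return {"status": "unknown", "avail": None, "threshold": None}
    pool = read_bits(Path(proc_dir) / "poolsize") or GUIDE_POOL
    threshold = GUIDE_BITS * pool // GUIDE_POOL
    status = "ok" if avail >= threshold else "low"
    return {"status": status, "avail": avail, "threshold": threshold}


def random_bytes_or_none(n):
    """Fetch n bytes from the kernel CSPRNG without ever hanging.

    With GRND_NONBLOCK, getrandom() fails with EAGAIN (BlockingIOError in
    Python) instead of sleeping while the pool is still uninitialised.
    """
    if not hasattr(os, "getrandom"):  # platform without getrandom()
        return os.urandom(n)
    try:
        return os.getrandom(n, os.GRND_NONBLOCK)
    except BlockingIOError:
        return None  # caller decides: retry later, alert, or defer key generation


if __name__ == "__main__":
    print(assess_pool())
    key = random_bytes_or_none(32)
    print("32 bytes obtained" if key else "pool not ready; key generation deferred")
```

A monitoring agent can alert on a `low` or `unknown` status, and a service can treat a `None` return as a signal to postpone key generation rather than stall a client connection.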
Security
Entropy sources can be used for keyboard timing attacks.[35]
Entropy can affect the cryptography (TLS/SSL) of a server: If a server fails to use a proper source of randomness, the keys generated by the server will be insecure. In some cases a
Potential sources
Commonly used entropy sources include the mouse, keyboard, and IDE timings, but there are other potential sources. For example, one could collect entropy from the computer's
For Unix/BSD derivatives there exists a USB-based solution that uses an ARM Cortex CPU for filtering/securing the bit stream generated by two entropy generator sources in the system.[38]
References
- ^ random(4) - Linux man page Archived 2007-10-11 at the Wayback Machine (die.net)
- ^ "Robotic Tendencies » Missing entropy". Archived from the original on 2022-12-06. Retrieved 2023-05-23.
- ^ "audio entropy daemon". March 23, 2021. Archived from the original on 2021-03-23.
- ^ "Fedora Package Database – audio-entropyd".
- ^ "video_entropyd". March 23, 2021. Archived from the original on 2021-03-23.
- ^ "Entropy Broker". May 29, 2020. Archived from the original on 2020-05-29.
- ^ "haveged – A simple entropy daemon". Archived from the original on 27 October 2012. Retrieved 3 April 2011.
- ^ "Entropy and Random Devices | LinuxLink by TimeSys – Your Embedded Linux Resource". Archived from the original on 2016-04-02. Retrieved 2007-10-15.
- ^ /dev/{,u}random driver for GNU/Hurd Archived 2007-09-18 at the Wayback Machine (ibofobi.dk)
- ^ a b "Solaris /dev/random through emulation". Archived from the original on 2007-11-04. Retrieved 2007-10-15.
- ^ "Solaris /dev/random". Archived from the original on 2008-05-11. Retrieved 2007-10-17.
- ^ "Rexx Entropy Gathering Daemon for OS/2". r6.ca. Archived from the original on 2007-10-31. Retrieved 2007-10-15.
- ^ Malayter, Ryan (November 9, 2001). "GPL command-line shred alternative for Windows". Archived from the original on October 27, 2021. Retrieved May 23, 2023.
- ^ "Source for entropy on Windows platforms with CryptoAPI installed". www.mail-archive.com. Archived from the original on 2018-10-02. Retrieved 2023-05-23.
- ^ Malayter, Ryan (February 15, 2002). "How does Windows GnuPG generate random numbers on keygen?". Archived from the original on December 1, 2021. Retrieved May 23, 2023.
- ^ "[or-cvs] Get entropy in windows". archives.seul.org. Archived from the original on 2013-05-07. Retrieved 2023-05-23.
- ^ "About CNG - Win32 apps". Archived from the original on 2018-05-17. Retrieved 2018-05-17.
- ^ "UEFI entropy gathering protocol - Windows drivers". Archived from the original on 2018-05-17. Retrieved 2018-05-17.
- ^ "CryptGenRandom function (Wincrypt.h) - Win32 apps". Archived from the original on 2020-08-12. Retrieved 2020-08-31.
- ^ Constantin, Lucian. "Millions of embedded devices use the same hard-coded SSH and TLS private keys". Network World. Archived from the original on 2018-11-05. Retrieved 2018-11-05.
- ^ "A solution for scalable randomness". iohk.io. June 6, 2017. Archived from the original on April 17, 2021. Retrieved September 14, 2020.
- ^ "Random Numbers". dwheeler.com. Archived from the original on 2022-12-30. Retrieved 2023-05-23.
- ^ "'Re: SSL/TLS entropy problem,' - MARC". marc.info. Archived from the original on 2018-11-15. Retrieved 2023-05-23.
- ^ "Re: /dev/hw_random". Archived from the original on 2007-10-31. Retrieved 2007-10-15.
- ^ "Re: /dev/hw_random". Archived from the original on 2007-11-12. Retrieved 2007-10-15.
- ^ "Random Noise Sources". Archived from the original on 2007-11-21. Retrieved 2007-10-15.
- ^ http://random.com.hr/products/random/hg324.html Archived 2008-05-13 at the Wayback Machine
- ^ "rng-tools". Archived from the original on 2007-10-21. Retrieved 2007-10-16.
- ^ "Linux support for random number generator in i8xx chipsets — The Linux Kernel documentation". www.kernel.org. 2000. Archived from the original on 31 July 2013.
- ^ "Re: [exim] no reply to STARTTLS". lists.exim.org. Archived from the original on 2012-07-22. Retrieved 2023-05-23.
- ^ random(4) Linux man page Archived 2007-10-11 at the Wayback Machine, die.net
- ^ "'SSL/TLS entropy problem, aka pops timeouts (was: sasl ldap problem)' - MARC". marc.info. Archived from the original on 2018-11-15. Retrieved 2023-05-23.
- ^ Josefsson, Simon; [TLS] Re: Short Ephermal Diffie-Hellman keys Archived 2007-11-11 at the Wayback Machine (ietf.org mailing list)
- ^ "[gnutls-dev] gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day too frequent?". lists.gnupg.org. 14 December 2004. Archived from the original on 2007-01-17.
- ^ Zalewski, Michal; Unix entropy source can be used for keystroke timing attacks Archived 2011-07-19 at the Wayback Machine, 2003
- ^ Re: entropy depletion (was: SSL/TLS passive sniffing) Archived 2011-05-17 at the Wayback Machine, 2005
- ^ "Build your own cryptographically safe server/client protocol - 4.8.3. Collecting entropy". Archived from the original on 2012-07-23. Retrieved 2020-01-08.
- ^ "Simtec Electronics Entropy Key: USB True Random Number Generator". www.entropykey.co.uk. Archived from the original on July 22, 2010.
- ^ "Randomness 101: LavaRand in Production". The Cloudflare Blog. November 6, 2017. Archived from the original on May 1, 2023. Retrieved May 23, 2023.