Re: Performance of /dev/urandom and /dev/random

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 27, 2012 at 5:09 PM, Mihir Pandya <mihir.m.pandya@xxxxxxxxx> wrote:
> Hey guys,
>
> I'm interested to know why generating cryptographically secure random
> numbers takes so long, particularly in my case. I have two Java classes that
> are generating a million random numbers. One is generating random numbers
> regularly while the other is using SecureRandom to generate the numbers. The
> SecureRandom method is taking almost double the time and I realised that
> it's because the method reads from /dev/urandom (not sure which) and obtains
> its random numbers from the entropy pool there.
>
> I wanted to know where I can read about the exact mechanism used to generate
> the cryptographically secure random numbers through SecureRandom and if
> there is any way to make it faster.
>
> --
> Mihir Pandya
>

>From 'man urandom'

      When read, the /dev/random device will only return random bytes
within the estimated number of bits of noise in the entropy pool.
/dev/random should be suitable for uses
       that need very high quality randomness such as one-time pad or
key generation.  When the entropy pool is empty, reads from
/dev/random will block until  additional  envi‐
       ronmental noise is gathered.

       A read from the /dev/urandom device will not block waiting for
more entropy.  As a result, if there is not sufficient entropy in the
entropy pool, the returned values are
       theoretically vulnerable to a cryptographic attack on the
algorithms used by the driver.  Knowledge of how to do this is not
available in the current unclassified litera‐
       ture, but it is theoretically possible that such an attack may
exist.  If this is a concern in your application, use /dev/random
instead.

Now I *believe* the entropy pool is filled by IO events - network
activity, disk access, keyboard pounding, etc...  I'm sure there is
more documentation somewhere online as to the specifics.

Hope that helps,
Danny G

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies



[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux