[email protected] (David Wagner) said:
> Javier Villavicencio wrote:
> >it's encouraged to use /dev/urandom instead of /dev/random?
> Yes, for almost all purposes, applications should use /dev/urandom,
> not /dev/random. (The names for these devices are unfortunate.)
To seed a random number generator, never directly.
> Sadly, many applications fail to follow these rules, and consequently
> /dev/random's entropy pool often ends up getting depleted much faster
> than it has to be.
Reading /dev/urandom depletes exactly the same pool, it just doesn't block
when the pool is empty. As said pool has other uses, indiscriminate reading
of either can DoS other parts of the system.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
Horst von Brand wrote:
> [email protected] (David Wagner) said:
>
>>Javier Villavicencio wrote:
>>
>>>it's encouraged to use /dev/urandom instead of /dev/random?
>
>
>>Yes, for almost all purposes, applications should use /dev/urandom,
>>not /dev/random. (The names for these devices are unfortunate.)
>
>
> To seed a random number generator, never directly.
>
>
>>Sadly, many applications fail to follow these rules, and consequently
>>/dev/random's entropy pool often ends up getting depleted much faster
>>than it has to be.
>
>
> Reading /dev/urandom depletes exactly the same pool, it just doesn't block
> when the pool is empty. As said pool has other uses, indiscriminate reading
> of either can DoS other parts of the system.
But why if /dev/random depletes and you don't have any source of entropy
? As you may have seen in my setup I had no mouse/keyboard attached to
that server, and the only "things" capable of generate entropy where the
two nics and the DAC960.
So I've enabled entropy only for the local nic and the DAC960 (at least
"I think", for the dac :+) and now I'm plenty of entropy, but for a
setup like this, the server may have been running without entropy at all
for weeks (I've forgot to check the uptime :+P).
About this, think about php generating session_id()s without entropy
(o_O), and stuff like that....
Salu2.
Javier Villavicencio.
On Tuesday 30 November 2004 18:48, Javier Villavicencio wrote:
> > Reading /dev/urandom depletes exactly the same pool, it just doesn't block
> > when the pool is empty. As said pool has other uses, indiscriminate reading
> > of either can DoS other parts of the system.
>
> But why if /dev/random depletes and you don't have any source of entropy
> ? As you may have seen in my setup I had no mouse/keyboard attached to
> that server, and the only "things" capable of generate entropy where the
> two nics and the DAC960.
> So I've enabled entropy only for the local nic and the DAC960 (at least
> "I think", for the dac :+) and now I'm plenty of entropy, but for a
> setup like this, the server may have been running without entropy at all
> for weeks (I've forgot to check the uptime :+P).
> About this, think about php generating session_id()s without entropy
> (o_O), and stuff like that....
BTW why your php developer can't use /dev/urandom?
--
vda