
Linux: Really using hardware random number generators.

Posted by coldtobi | 21 Oct, 2010, 23:16

A hardware random number generator (HW RNG) helps a lot with programs that need good entropy, which is rare, especially on server systems. Symptoms are slow key generation (ssl, ssh ...) and poor performance when reading from /dev/random.

However, solely having a HW RNG won't improve much -- this is what I learned today: I have a hifn 7955 based crypto accelerator in my NAS, but still poor /dev/random read rates.

By coincidence I learned that I looked at the wrong device -- the random numbers from the hardware are available through /dev/hwrng. But how do other programs know that they should use this device instead of /dev/random?


Well, after some googling I found that there is a tool dedicated to feeding the new entropy bits into the kernel to make them available through /dev/random: rngd.

Just install the rng-tools package (in Debian) and the daemon will take care of it. It even runs tests against the RNG, ensuring some level of quality of your randomness.
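
A quick check for the situation described above (a hardware RNG is present but nothing feeds it into the kernel pool), as an added example that is not part of the original post. It assumes the usual sysfs/procfs paths named in the comments and that the daemon's process name is rngd; the root-prefix argument and the SYSROOT variable are hypothetical conveniences so the checks can run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post. Pass a root prefix to run the
# checks against a constructed tree; with no argument the live system is read.

# Print the hwrng driver the kernel has selected; fail if there is none.
hwrng_current() {
    f="${1:-}/sys/class/misc/hw_random/rng_current"
    [ -r "$f" ] || return 1
    cur=$(cat "$f" 2>/dev/null) || return 1
    case "$cur" in ''|none) return 1 ;; esac
    printf '%s\n' "$cur"
}

# Succeed if some process is named rngd (assumed name, read from /proc/<pid>/comm).
rngd_running() {
    for c in "${1:-}"/proc/[0-9]*/comm; do
        name=$(cat "$c" 2>/dev/null) || continue   # process may have exited
        if [ "$name" = rngd ]; then return 0; fi
    done
    return 1
}

# One-line verdict: no-hwrng | hwrng-unused | hwrng-feeding, plus details.
hwrng_diagnose() {
    root="${1:-}"
    pool=$(cat "$root/proc/sys/kernel/random/entropy_avail" 2>/dev/null) || pool=unknown
    if ! drv=$(hwrng_current "$root"); then
        echo "no-hwrng entropy_avail=$pool"
    elif rngd_running "$root"; then
        echo "hwrng-feeding driver=$drv entropy_avail=$pool"
    else
        # The situation from the post: /dev/hwrng exists, nothing feeds the pool.
        echo "hwrng-unused driver=$drv entropy_avail=$pool"
    fi
}

hwrng_diagnose "${SYSROOT:-}"
```

A result of hwrng-unused means the device is there but /dev/random will not benefit until rngd is started.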

Want to see the difference?  

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=1 count=16
16+0 records in
16+0 records out
16 bytes (16 B) copied, 22.3214 s, 0.0 kB/s

<starting rngd>

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=1 count=16
16+0 records in
16+0 records out
16 bytes (16 B) copied, 0.005777 s, 2.8 kB/s

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=10 count=1023
1003+20 records in
1003+20 records out
10191 bytes (10 kB) copied, 0.608163 s, 16.8 kB/s

... or using rngtest:

rngtest: starting FIPS tests...
rngtest: bits received from input: 10860032
rngtest: FIPS 140-2 successes: 542
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 1
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=17.372; avg=184.180; max=260416.667)Kibits/s
rngtest: FIPS tests speed: (min=397.728; avg=4329.710; max=19337.871)Kibits/s
rngtest: Program run time: 60041473 microseconds
tobi@thecus:~$  su -c /etc/init.d/rng-tools stop
Stopping Hardware RNG entropy gatherer daemon: rngd.
tobi@thecus:~$ cat /dev/random | rngtest -t 60
rngtest 2-unofficial-mt.13
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
^Crngtest: bits received from input: 424
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: FIPS tests speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 160971086 microseconds

