coldtobi's blog

• Main
• Archives
• Albums
• Links
• Admin

• Blog and Website [93]
• DSL RAM [2]
• Electronics and Atmel AVR [11]
• fanctrl [3]
• General [8]
• German [1]
• La Fonera [22]
• Lifetype [17]
• Linux / Debian [33]
• Monetizing A Blog [8]
• my 2 cents [15]
• Netzfunde [18]
• Nice Links [1]
• solarpowerlog [2]
• Thecus N2100 [16]
• Tips and Tricks [18]

• N2M: parallel build dpkg-buildpackage and pdebuild
• Windows CE: Assertion failed in wincore.cpp line 1034
• CakePHP: Baking a Application in Minutes
• Enabling InnoDB support in debian (MySQL)
• Flattr.
• Pollin Net-IO PHP Library
• Link to safe

• RSS 0.90
• RSS 1.0
• RSS 2.0
• Atom

• Privacy Policy
• Disclosure Policy

Linux: Really using hardware random number generators.

A HW Random Number generator (HW RNG) helps programms a lot which needs some good entrophy, something especially on server systems is rare. Syntoms are slow key generation (ssl, ssh ... ) and poor performance when reading from /dev/random. 

However, soley having a HW RNG won't improve much -- this is what I learned today: I have a hifn 7955 based crypto accelerator in my NAS, but still poor /dev/random read rates. 

By coincident I learned that I looked at the wrong device -- the randoms by the hardware are available through /dev/hwrng. But how does other programms know that they should use this device instead of /dev/random? 

Well, after some googling I found that there is a tool dedicated to feeding the new entrophy bits into the kernel to make it available through /dev/random: rngd.

Just install the rng-tools package (in debian) and the daemon will take care. It even runs tests again the rng, ensuring some level of quality on your randomness. 

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=1 count=16
16+0 records in
16+0 records out
16 bytes (16 B) copied, 22.3214 s, 0.0 kB/s

<starting rngd>

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=1 count=16
16+0 records in
16+0 records out
16 bytes (16 B) copied, 0.005777 s, 2.8 kB/s

tobi@thecus:~$ dd if=/dev/random of=/tmp/rnd bs=10 count=1023
1003+20 records in
1003+20 records out
10191 bytes (10 kB) copied, 0.608163 s, 16.8 kB/s

... or using rngtest:

rngtest: starting FIPS tests...
rngtest: bits received from input: 10860032
rngtest: FIPS 140-2 successes: 542
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 1
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=17.372; avg=184.180; max=260416.667)Kibits/s
rngtest: FIPS tests speed: (min=397.728; avg=4329.710; max=19337.871)Kibits/s
rngtest: Program run time: 60041473 microseconds

tobi@thecus:~$  su -c /etc/init.d/rng-tools stop
Stopping Hardware RNG entropy gatherer daemon: rngd.

tobi@thecus:~$ cat /dev/random | rngtest -t 60
rngtest 2-unofficial-mt.13
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
^Crngtest: bits received from input: 424
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: FIPS tests speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 160971086 microseconds