Make a unique filesystem path, without creating the file

Steven D'Aprano steve+comp.lang.python at pearwood.info
Thu Feb 25 00:38:19 EST 2016 

On Wednesday 24 February 2016 18:20, Marko Rauhamaa wrote:

> Steven D'Aprano <steve at pearwood.info>:
> 
>> On Tue, 23 Feb 2016 05:54 pm, Marko Rauhamaa wrote:
>>> However, when you are generating signing or encryption keys, you
>>> should use /dev/random.
>>
>> And that is where you repeat something which is rank superstition.
> 
> Can you find info to back that up. 

The links already provided go through the evidence. For example, they 
explain that /dev/random and /dev/urandom both use the exact same CSPRNG. If 
you don't believe that, you can actually read the source to Linux, FreeBSD, 
OpenBSD and NetBSD. (But not OS X, sorry.)

Put aside the known bug in Linux, where urandom will provide predictable 
values in the period following a fresh install before the OS has collected 
enough entropy. We all agree that's a problem, and that the right solution 
is to block. The question is, outside of that narrow set of circumstances, 
when it is appropriate to block?

As I mentioned, most Unixes don't block. urandom and random behave exactly 
the same way in three of the most popular Unixes (FreeBSD, OpenBSD, OS X):

https://en.wikipedia.org/wiki//dev/random

so let's consider just those that do block (Linux, and NetBSD). They both 
use the same CSPRNG. Do you dispute that? Then read the source. For one to 
be "better" than the other, there would need to be a detectable difference 
between the two. Nobody has ever found one, and nor will they, because 
they're both coming from the same CSPRNG (AES in the case of NetBSD, I'm not 
sure what in the case of Linux).

If you don't trust the CSPRNG, then you shouldn't trust it whether it comes 
from /dev/random or /dev/urandom. If you do trust it, then why would you 
want it to block? Blocking doesn't make it more random. That's not how it 
works. It just makes you vulnerable to a Denial Of Service attack.

There really doesn't seem to be any valid reason for random blocking. It's 
like warnings and timers on fans in South Korea to prevent fan death:

http://www.snopes.com/medical/freakish/fandeath.asp

(My favourite explanation is that the blades of the fan chop the oxygen 
molecules in two.)

I'm not surprised that there is so much misinformation about random/urandom. 
Here's a blog post by somebody wanting to port arc4 to Linux, so he clearly 
knows a few things about crypto. I can't judge whether arc4 is better or 
worse than what Linux already uses, but look at this quote:

http://insanecoding.blogspot.com.au/2014/05/a-good-idea-with-bad-usage-
devurandom.html

Quote:

    Linux is well known for inventing and supplying two default files,
    /dev/random and /dev/urandom (unlimited random). The former is 
    pretty much raw entropy, while the latter is the output of a CSPRNG
    function like OpenBSD's arc4random family. The former can be seen 
    as more random, and the latter as less random, but the differences
    are extremely hard to measure, which is why CSPRNGs work in the 
    first place. Since the former is only entropy, it is limited as to
    how much it can output, and one needing a lot of random data can be
    stuck waiting a while for it to fill up the random buffer. Since the
    latter is a CSPRNG, it can keep outputting data indefinitely, 
    without any significant waiting periods."

There's that myth about urandom being "less random" than random again, but 
even this guy admits that the difference is "extremely hard" (actually: 
impossible) to measure, and that CSPRNG's "work". Which is precisely why 
OpenBSD uses arc4random for their /dev/random and /dev/urandom, and 
presumably why he wants to bring it to Linux.

This author is *completely wrong* to say that /dev/random is "pretty much 
raw entropy". If it were, it would be biased, and easily manipulated by an 
attacker. Entropy is collected from (among other things) network traffic, 
which would allow an attacker to control at least one source of entropy and 
hence (in theory) make it easier to predict the output of /dev/random.

But fortunately it is not true. Linux's random system works like this:

- entropy is collected from various sources and fed into a pool;

- entropy from that pool is fed through a CSPRNG into two separate pools, 
  one each for /dev/random and /dev/urandom;

- when you read from /dev/random or urandom, they both collect entropy
  from their own pool, and again pass it through a CSPRNG;

- /dev/random has a throttle (it blocks if you take out too much);

- /dev/urandom doesn't have a throttle.

https://events.linuxfoundation.org/images/stories/pdf/lceu2012_anvin.pdf


Somebody criticized the author for spreading this misapprehension that 
/dev/random is "raw entropy" and here is his response:

    I tried giving an explanation which should be simple for a 
    layman to follow of what goes on. I wouldn't take it as precise 
    fact, especially when there's a washing machine involved in the
    explanation ;)


Or, in other words, "When I said the moon was made of green cheese, I was 
simplifying it for the layman. I didn't mean it was precisely green cheese. 
It's just like green cheese."

Sure. But it is *more like* rock and dust than green cheese. In fact, apart 
from both being made of atoms, it's hard to see any similarity between the 
moon and green cheese at all, just as there is no real similarity between 
what /dev/random actually does, and what this guy says it does.

The bottom line is, nobody can distinguish the output of urandom and random 
(apart from the blocking behaviour). Nobody has demonstrated any way to 
distinguish the output of either random or urandom from "actual randomness". 
There are theoretical attacks on urandom that random might be immune to, but 
if so, I haven't heard what they are.

Apart from pointing you at the source code, I don't know what else I can say 
to prove this. I can't prove that there's no known attack on Linux's CSPRNG, 
just as I can't prove that there's no tea cup in orbit around Jupiter, or 
that there wasn't a nuclear war between China and the USSR in 1985 and both 
countries covered it up. Maybe there was. But I wouldn't bet on it.


> All I've seen so far is forceful
> claims that's superstition ("These are not the droids you're looking
> for"). 
>
> Even the ssh-keygen man page has:
> 
>     The reseeding of the OpenSSL random generator is usually done from
>     /dev/urandom. If the SSH_USE_STRONG_RNG environment vari‐ able is
>     set to value other than 0 the OpenSSL random generator is reseeded
>     from /dev/random.

If they had called the environment variable SSH_MAKE_MONEY_FAST would you 
believe it?

What evidence do they give that /dev/urandom is weak? If it is weak, why are 
they using it as the default?



-- 
Steve

More information about the Python-list mailing list