Myths about /dev/urandom (2014)
- #cryptography
- #randomness
- #linux
- Myth: /dev/urandom is insecure and /dev/random is better for cryptographic purposes. Fact: /dev/urandom is the preferred source of cryptographic randomness on UNIX-like systems.
- Both /dev/urandom and /dev/random draw from the same kernel CSPRNG; on Linux the only difference was that /dev/random blocks whenever the kernel's entropy estimate runs low, while /dev/urandom never blocks. (Since Linux 5.6, /dev/random blocks only until the pool has been seeded once at boot, so the two behave identically thereafter.)
- /dev/random's blocking behavior can harm availability and encourage insecure workarounds, making /dev/urandom a more practical and equally secure choice.
- Cryptographic algorithms rely on computational security, not information-theoretic security: CSPRNG output is computationally indistinguishable from true randomness, meaning no feasible attacker can tell them apart, which is the same standard the cipher or signature consuming those bytes already depends on.
- The kernel's entropy estimate is a conservative heuristic, not a measurement; once the pool has absorbed a modest amount of real entropy (about 256 bits) it is seeded for good, and continual re-seeding lets the generator recover if its internal state is ever exposed.
- The man page for /dev/urandom is misleading, but experts like Daniel Bernstein and Thomas Pornin advocate for using /dev/urandom in most cryptographic contexts.
- Linux's /dev/urandom may return output before the pool has been seeded early at boot; a persisted seed file mitigates this, and the getrandom(2) system call (Linux 3.17+) blocks until the pool is initialized and then never again. Virtual machines still need fresh seeding after cloning or snapshot/checkpoint restore, since every clone otherwise resumes from the same saved pool state.
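The following is a worked example added here; it is not code from the original article. It shows what the points above look like in practice: fetch randomness from the kernel CSPRNG via getrandom(2) so the only real edge case (an unseeded pool at boot or after a VM clone) is handled by blocking once rather than by polling /dev/random, read /dev/urandom correctly as a fallback (short reads handled), and save/restore a seed file the way a boot-time service would. It assumes Linux with Python 3.6 or newer; the function names (`random_bytes`, `read_device`, `save_seed`, `load_seed`, `pool_initialized`, `demo`) and the 512-byte seed size are my choices, not an API from the page.

```python
"""Obtaining cryptographic randomness from the kernel CSPRNG (Linux).
Added example, not from the original article. Assumes Linux, Python >= 3.6."""
import errno
import os
import stat
import tempfile

URANDOM = "/dev/urandom"
GRND_NONBLOCK = 0x0001  # getrandom(2) flag: fail with EAGAIN instead of waiting for a seeded pool
SEED_BYTES = 512        # assumption: same size systemd-random-seed persists; far above the ~256 bits needed


def pool_initialized() -> bool:
    """Report whether the kernel CSPRNG has been seeded at least once.
    getrandom(GRND_NONBLOCK) returns EAGAIN only while the pool is uninitialized.
    Assumption: on platforms without getrandom the OS CSPRNG is always seeded."""
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return True
    try:
        getrandom(1, GRND_NONBLOCK)
        return True
    except OSError as e:
        if e.errno == errno.EAGAIN:
            return False
        raise


def read_device(n: int, path: str = URANDOM) -> bytes:
    """Read exactly n bytes from a device file, looping over short reads.
    A single read() on /dev/urandom is not guaranteed to return the whole
    request, so callers that do one read() and move on are subtly wrong.
    (Python >= 3.5 retries EINTR itself, PEP 475, so no EINTR loop is needed.)"""
    buf = bytearray()
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        while len(buf) < n:
            chunk = os.read(fd, n - len(buf))
            if not chunk:
                raise EOFError(f"{path}: unexpected EOF after {len(buf)} bytes")
            buf += chunk
    finally:
        os.close(fd)
    return bytes(buf)


def random_bytes(n: int) -> bytes:
    """Preferred path: getrandom(2) with no flags. It reads the same CSPRNG as
    /dev/urandom but blocks until the pool has been seeded once, and never
    again afterwards; this is the fix for the early-boot caveat without the
    availability problems of /dev/random. Falls back to /dev/urandom elsewhere."""
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return read_device(n)
    buf = bytearray()
    while len(buf) < n:           # the syscall may return short for large requests
        buf += getrandom(n - len(buf))
    return bytes(buf)


def save_seed(path: str) -> int:
    """Persist fresh CSPRNG output so the next boot (or a restored VM) can mix
    it in before anything depends on randomness. Mode 0600: a readable seed
    file would let another local user predict what gets mixed in."""
    data = random_bytes(SEED_BYTES)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    return len(data)


def load_seed(path: str, device: str = URANDOM) -> int:
    """Mix a saved seed into the pool by writing it to /dev/urandom (any user
    may do this; it mixes the bytes in without crediting the entropy counter,
    which is what we want: unpredictability, not a bigger number). The file is
    rotated immediately so a snapshot restore cannot replay the same seed."""
    with open(path, "rb") as f:
        data = f.read()
    with open(device, "wb") as dev:
        dev.write(data)
    save_seed(path)  # never mix the same seed twice
    return len(data)


def demo() -> dict:
    """Exercise the seed-file round trip against a scratch file standing in for
    /dev/urandom, and return the facts worth checking."""
    d = tempfile.mkdtemp()
    seed, sink = os.path.join(d, "random-seed"), os.path.join(d, "sink")
    saved = save_seed(seed)
    mode = stat.S_IMODE(os.stat(seed).st_mode)
    first = open(seed, "rb").read()
    loaded = load_seed(seed, device=sink)
    return {"saved": saved, "mode": mode, "loaded": loaded,
            "sink_size": os.path.getsize(sink),
            "rotated": open(seed, "rb").read() != first,
            "seeded": pool_initialized()}


if __name__ == "__main__":
    print(random_bytes(32).hex())
    print(demo())
```

`demo()` writes the seed into a scratch file so it can run unprivileged; in a real boot service `load_seed(path)` with the default device is the intended call, run before any daemon that generates keys, and again after a VM clone or snapshot restore.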