[whatwg] Cryptographically strong random numbers

David Wagner daw at cs.berkeley.edu
Wed Feb 16 11:13:08 PST 2011


Shabsi Walfish wrote (quoting from the urandom(4) man page):
> A read from the */dev/urandom* device will not block waiting for more
> entropy. As a result, if there is not sufficient entropy in the entropy
> pool, the returned values are theoretically vulnerable to a cryptographic
> attack on the algorithms used by the driver. Knowledge of how to do
> this is not available in the current non-classified literature, but it
> is theoretically possible that such an attack may exist. If this is a
> concern in your application, use */dev/random* instead.

This is total FUD.  I've long complained about the fact that this is in
the urandom(4) man page, as it leads to widespread misconceptions, but
it's never been fixed.  I don't want to waste the time of people on this
mailing list deconstructing this statement in detail, so I'll just say:

Please ignore this part of the /dev/urandom man page.  It's bogus and
not a good source for how to think about crypto-quality randomness.

(To share an analogy, the quote above is analogous to saying
"SSL is theoretically vulnerable to a cryptographic attack on the
algorithms it uses.  Knowledge of how to do this is not available in
the non-classified literature, but it is theoretically possible that
such an attack may exist.  If this is a concern in your application,
turn off your computer instead.")
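Added example, not from the post or from the man page: since the advice above is to read crypto-quality bytes from /dev/urandom, this shows how to do that read correctly on a Unix-like system that exposes /dev/urandom as a character device. The function names `urandom_fill` and `urandom_selftest` are my own. The points it handles are the ones naive callers skip: short reads, EINTR, and a path named /dev/urandom that is not the kernel device (a regular file left in a chroot or container image would otherwise "succeed" with predictable contents).

```c
/* Added example (not code from the post): robust read of crypto-quality
 * bytes from /dev/urandom. Assumes a Unix-like system on which
 * /dev/urandom is the kernel's character device. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill buf[0..n) with bytes from /dev/urandom.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int urandom_fill(unsigned char *buf, size_t n)
{
    int fd;
    struct stat st;
    size_t got = 0;

    do {
        fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    } while (fd < 0 && errno == EINTR);
    if (fd < 0)
        return -1;

    /* Refuse anything that is not a character device: a plain file named
     * /dev/urandom would read fine but hand back predictable contents. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENODEV;
        return -1;
    }

    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry the read */
            close(fd);
            return -1;
        }
        if (r == 0) {           /* EOF from urandom should never happen */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;       /* short read: keep reading until full */
    }
    close(fd);
    return 0;
}

/* Sanity check: two independent 32-byte draws must succeed, must differ,
 * and must not be all zero. Returns 1 on pass, 0 on failure. */
int urandom_selftest(void)
{
    unsigned char a[32], b[32], zero[32];
    memset(zero, 0, sizeof zero);
    if (urandom_fill(a, sizeof a) != 0 || urandom_fill(b, sizeof b) != 0)
        return 0;
    if (memcmp(a, b, sizeof a) == 0)
        return 0;
    if (memcmp(a, zero, sizeof a) == 0 || memcmp(b, zero, sizeof b) == 0)
        return 0;
    return 1;
}

int main(void)
{
    unsigned char key[32];
    size_t i;
    if (urandom_fill(key, sizeof key) != 0) {
        perror("urandom_fill");
        return 1;
    }
    for (i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

On current systems getrandom(2) on Linux and getentropy(3) on the BSDs and macOS give the same urandom-quality output without opening a file descriptor, which sidesteps the fstat check and the fd-exhaustion failure mode entirely; the read loop above is what you need when those are not available.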
