Difference in output streams.

[Rob Kendrick]

On Sat, Nov 12, 2011 at 04:07:48PM -0800, Bryan Duffy wrote:
> Have the Entropy Key installed and working on Ubuntu 11.10 with no apparent problems.  Question about the
> output from the various data streams available on the device sockets.
> 
> In Linux without an entropy key /dev/random is "blocked" and released in chunks from the entropy pool as entropy is available and /dev/urandom is not blocked and is a basically a PRNG that is rekeyed (not sure how often) from the entropy pool.
> 
> With the Entropy Key I notice there are 4 data streams:
> 1. The new /dev/tty???? has encrypted/armoured data from the key to the entropyd,
> 2. /dev/random seems to function the same as before, but much faster due to the Entropy Key,
> 3. /dev/urandom seems to function from a PRNG as before, but I would assume it is getting rekeyed much more frequently, so the data should be of a better quality (is that a fair assumption?).
> 4.  /dev/hwrng which is producing data at about 4 times as fast as /dev/random.

The TTY is simply the communications channel; a lot more goes over it
than just entropy: has authentication and status information, etc.

Both /dev/random and /dev/urandom share the same "pool".  The difference
is that /random blocks when that pool reaches a low watermark, and
/urandom remixes what it already has when the pool reaches that
watermark.  This means that if the pool has enough data in it, both
device node provide real, true entropy.  With an entropy key, this means
that /urandom almost always provides this.

/hwrng is a hang-over from kernel-based RNG hardware drivers that don't
inject into the pool that /random and /urandom use.  Its performance
varies depending on what hardware you have, and the quality of the
output will be unknown due to none of the careful mixing and management
that the pools for /random and /urandom perhaps not taking place.

> What are the entropy qualities of these devices with Entropy Key installed?

/random and /urandom are very high quality regardless of the source of
entropy that are fed to them.  The Entropy Key simply makes sure they're
constantly fed with good data to start with, which helps /random not to
block and /urandom to be a real RNG most of the time.

> Which ones are truly random and which are rapidly keyed PRNGs?

/urandom is the only "PRNG", and it is only a PRNG when the pool is low
on entropy (see the contents of /proc/sys/kernel/random/entropy_avail; I
believe the default low watermark for when urandom becomes a PRNG is
128.).  Otherwise, both /random and /urandom produce real random
numbers.  I don't believe any rekeying happens there as such: my
understanding of its inner workings is that it essentially becomes a
stream cipher using the data already passed through it as the key.

> Is /dev/hwrng direct output from the entropy key (after decrypting) or does it get modified by the kernel in some other way (mixed/rehashed)?

/dev/hwrng has nothing to do with the Entropy Key.  If you want direct
output from the Entropy Key, you can configure ekeyd to dump the output
to file or configure it to run in EGD server mode and write a small
client to request data from it.  See the configuration file in
/etc/entropykey/

> Lastly, why (maybe it's just my machine) does the /dev/hwrng output data about 4 times as fast as /dev/random if they are both being supplied by the same source of purely random data?  Shouldn't they be similar is rate.

As I said above, it's probably that they're not related at all; they're
two totally different systems.  /hwrng may be being provided by a system
(such as a TPM, or other on-board device) that is not being as thorough
in their paranoia or security as the Entropy Key or /random.  It's also
possible that the hardware that is feeding /dev/hwrng is faster: the
Entropy Key is engineered with absolute performance as a concern that
comes after security/correctness and price point.

> I was hoping that someone could comment on these questions, and whether or not  /dev/hwrng is suitable for cryptographic keys or should I stick with /dev/random?

I would stick with /random, as it is a known quantity and very difficult
to get bad results out of it, even if you wrote a program that
constantly shoved zeros into it.  If it is not fast enough for your
needs and you have no idea what is feeding /hwrng or its quality, then
use /random to frequently rekey a good crytographic PRNG.

-- 
Rob Kendrick, Support Team Lead                      Simtec Electronics
Telephone: +44 (0)1772 978013                  Avondale Drive, Tarleton
Fax: +44 (0)1772 816426                     Preston, Lancs, PR4 6AX, UK
http://www.simtec.co.uk/                       mailto:rjek at simtec.co.uk