Proposed replacement for /dev/random promises to double performance and add flexibility
A modern alternative to the core encryption technology bundled with Linux distributions is ready for testing after five years of development.
The Linux Random Number Generator (LRNG), which relies on several computing functions to act as a source of entropy, is designed to be a drop-in replacement for the long-established /dev/random function.
The technology is designed to offer both API (application programming interface) and ABI (application binary interface) compatibility with its /dev/random predecessor, while offering several performance and utility advantages.
LRNG offers a better doubling (130%) performance improvement on the /dev/random function.
Only cryptographic primitives are used for data processing within the LRNG, which features a more modern and configurable design. The technology is built around an architecture that supports the testing of multiple facets of its operation by security researchers and others.
Foundations showing their age
The /dev/random is the “very foundation” of cryptography on Linux, developer Stephan Müller told The Daily Swig. “If /dev/random breaks, the entire cryptography on Linux is broken,” Müller said.
Keeping with the existing approach is no longer sustainable, according to Müller.
“Due to the new requirements vendors want to adhere to, every vendor is ‘cooking’ up his own patches to bypass or enhance the existing /dev/random. In my honest opinion, this is a very challenging situation.”
Müller’s response to this has been to chart the development of next generation technology he recognizes will need comprehensive testing “a careful testing and assessment of new implementations is always required”.
The current maintainer of the existing /dev/random is dead silent since beginning of my work. Other Linux developers including core developers have commented and those comments have been incorporated.
That said, it is totally unclear whether or when the code will go into the mainline. By now publishing the LRNG news to other channels like the cryptography mailing list, I hope to bring the maintainer to react.
Linux RNG: Sources of entropy
According to Müller, LPRG incorporates four entropy sources that operate completely independent of each other including execution timing jitter and the timing of the arrival of interrupts.
“Each entropy source operates with its own entropy rate and measurement,” Müller explained.
Müller added: “The LRNG only uses cryptographic operations for data processing: either a DRNG [digital random number generator] or hash for data compression. The LRNG allows updating of the cryptographic algorithms.
“The available cryptographic algorithms are all contemporary: SHA256 or SHA512 for conditioning, ChaCha20-DRNG, or SP800-90A DRBG. Yet, the LRNG offers a well-defined API allowing other cryptographic implementations to be defined.”
A talk on LRNG was presented by Müller at the Linux Security Summit 2021 last month. The presentation is available on YouTube.
The new technology will better support vendors in the world of open source development and beyond.
“Lately, vendors using Linux have severe challenges to use the existing /dev/random implementation as it is not meeting contemporary requirements,” Müller said. “The LRNG will meet all these requirements including giving the vendors flexibility to address their particular scenarios.”
Müller went on to explain the origins of his work in developing the Linux Random Number Generator.
“The idea for the LRNG design occurred during a study that I wrote for the German BSI analyzing the behavior of entropy and the operation of entropy collection in virtual environments,” he said.
“In addition, another study [PDF] I wrote for BSI pushed me even more to developing the LRNG and bring it to production state.”
The Linux Random Number Generator is actually a pseudo-random number generator derived from computing functions. Outputs from the generator are used to seed cryptographic algorithms and functions.
Windows already takes a similar approach towards seeding and the sources of entropy.
“MS entropy is derived from the likes of interrupt timing, TPM random string provided at boot, [and} Intel randomness function so it looks very much like the LRNG is following similar path,” Professor Alan Woodward, a computer scientist at the University of Surrey, told The Daily Swig.
Issues with PRNGs are something of an Achilles’ heel in crypto system design.
Professor Woodward explained: “There is much debate about what is truly random and how much it matters but the problem really comes about when the ‘random’ number is either predictable and/or reproducible.”
ATMs, for example, use date stamp as a source of randomness – an input better described as unique rather than random.
All this has spurred the development of hardware-based sources of randomness or (better yet) sources that derive their randomness from measurements of operations governed by quantum physics, such as Oxford University spin-out Quantum Dice.
“One of the reasons hardware RNG haven’t really taken hold is because people have assumed what is there is good enough,” Prof Woodward concluded.