LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-23-2007, 02:34 AM   #1
NoobieDoobieDo
Member
 
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65

Rep: Reputation: 15
/dev/urandom not that random


I've been playing with a project that uses /dev/urandom and have noticed some very unrandom strings

Here are some examples I generated just now using
cat /dev/urandom | tr -cd [:alnum:] | fold -w10 | head -n 1

I'm surprised that out of all the numbers and letters [:alnum:] that you'd get repeating charactors out of the 62 chars available.

bN4BwpGBH7
gPv18HzyaY
WCBWDKnX3R
MCbBCDACSJ
GWWFif54cW

As you can see the randomness factor here is very disappointing.

2.6.17-10-generic
 
Old 02-23-2007, 03:06 AM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
I am not familiar with the test you are running there or how accurate that is, but it is well known that the kernel's "random" device node is a fairly poor source of entropy. It only has a limited amount of systems it can base it's random data on.

If you are seriously concerned with getting good random data, you should look into seeding it with audio or video input. Ideally you would be using a hardware RNG connected to the computer, but those are prohibitively expensive (at least the ones I have seen).
 
Old 02-23-2007, 04:29 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I am not familiar with the test you are running there or how accurate that is
Me neither. But I'll see your method and raise you a "I doubt what you do is valid". If you "cat -v /dev/urandom|head -1" you'll see what's going on better. So, if you "cat /dev/urandom | head -n 10 | sha1sum | awk '{print $1}'" you'll get a whole different idea.
 
Old 02-23-2007, 05:05 AM   #4
NoobieDoobieDo
Member
 
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65

Original Poster
Rep: Reputation: 15
I'm trying to generate random passwords, so having charactors repeat is bad.

~$ cat /proc/sys/kernel/random/entropy_avail
3607
~$ cat /dev/urandom | tr -cd [:alnum:][unct:] | fold -w10 | head -n 1
JWXszMrg[+
~$ cat /proc/sys/kernel/random/entropy_avail
263

Is that much of a drop for one call normal ?
 
Old 02-23-2007, 06:40 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'm trying to generate random passwords
No, you're trying to reinvent the wheel.
Better search for tried 'n tested tools that do this already.
I know there are.
 
Old 02-23-2007, 11:30 AM   #6
NoobieDoobieDo
Member
 
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65

Original Poster
Rep: Reputation: 15
Next time I'll take the favor with rudeness not included.

Using /dev/urandom to get *random* data to create a *random* password is hardly reinventing the wheel.

I tested a few other "random" password generators and they had a lower level of entropy.

Last edited by NoobieDoobieDo; 02-23-2007 at 11:46 AM.
 
Old 02-25-2007, 01:00 AM   #7
bl0tt0
Member
 
Registered: Aug 2005
Location: The Glorious People's Republic of Austin
Posts: 178

Rep: Reputation: 62
I'm kind of confused. If all you need is a random password, why use /dev/urandom at all? Doesn't /dev/random provide a higher level of entropy anyways? That only comes at the cost of extra time for generating random characters.
 
Old 02-25-2007, 02:58 AM   #8
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
"I'm surprised that out of all the numbers and letters [:alnum:] that you'd get repeating charactors out of the 62 chars available."

Random data HAS REPEATING CHARACTERS. The chances of repeating characters in a random sample is usually actually more than you would think (humans are notoriously bad at judging two things - randomness and probability). Ask a human to "randomise" a deck of cards and you'll hardly ever find consecutive numbers, pairs of numbers, lots of the same suit. However, a truly random sample will almost always contain several examples of such "patterns" by sheer chance.

Just because it doesn't "look" random to you doesn't mean it isn't (however, I echo the reply above concerning the "real" random device, hardware RNG's, adding entropy via sound/video etc. if you're serious about getting random data... I'd just like to point out that that's TOTAL overkill for anything that isn't, e.g. SSH keys, military applications, drive encryption etc... using such "true" randomness for just a password is ridiculous).

To say that the data isn't random enough is ludicrous unless you spend months collecting data and analysing it statistically. The whole point of the matter is... could you guess those passwords? The answer is no.

Add on the randomness/probability front, next time you do the lottery, try to estimate the chances of two consecutive numbers coming up. Then see how many draws there have been where two consecutive numbers appear. Or look up something like the Monty Hall Problem. Those two examples should teach you just how bad you or any human is at judging randomness or simple probability.
 
Old 02-25-2007, 03:24 AM   #9
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
In addition to what ledow is explaining, watch an episode of Mr. Wizard.
 
Old 02-26-2007, 01:39 AM   #10
nmh+linuxquestions.o
Member
 
Registered: Feb 2007
Posts: 135

Rep: Reputation: 15
Quote:
Originally Posted by NoobieDoobieDo
I'm trying to generate random passwords, so having charactors repeat is bad.

~$ cat /proc/sys/kernel/random/entropy_avail
3607
~$ cat /dev/urandom | tr -cd [:alnum:][unct:] | fold -w10 | head -n 1
JWXszMrg[+
~$ cat /proc/sys/kernel/random/entropy_avail
263

Is that much of a drop for one call normal ?
if you want to generate passwords, I suggest you look at apg: www.adel.nursat.kz/apg.

Last edited by nmh+linuxquestions.o; 02-26-2007 at 06:07 AM.
 
Old 02-26-2007, 07:18 AM   #11
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
http://imgs.xkcd.com/comics/random_number.png
 
  


Reply

Tags
random


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
dd if=/dev/urandom of=/dev/hda2 bs=1M doesn't work Melsync Linux - General 16 05-19-2014 07:36 PM
/dev/random and /dev/urandom pool(s)? kpeirce Linux - Software 2 01-31-2006 07:54 AM
reading from /dev/urandom in c djgerbavore Programming 5 10-04-2005 01:54 PM
Problem when using /dev/urandom maga_lm Programming 2 03-23-2004 12:25 AM
/dev/urandom Moszer Slackware 3 09-09-2003 10:06 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:55 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration