Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
02-23-2007, 02:34 AM
|
#1
|
Member
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65
Rep:
|
/dev/urandom not that random
I've been playing with a project that uses /dev/urandom and have noticed some very unrandom strings
Here are some examples I generated just now using
cat /dev/urandom | tr -cd [:alnum:] | fold -w10 | head -n 1
I'm surprised that out of all the numbers and letters [:alnum:] that you'd get repeating charactors out of the 62 chars available.
bN4BwpGBH7
gPv18HzyaY
WCBWDKnX3R
MCbBCDACSJ
GWWFif54cW
As you can see the randomness factor here is very disappointing.
2.6.17-10-generic
|
|
|
02-23-2007, 03:06 AM
|
#2
|
LQ Guru
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852
|
I am not familiar with the test you are running there or how accurate that is, but it is well known that the kernel's "random" device node is a fairly poor source of entropy. It only has a limited amount of systems it can base it's random data on.
If you are seriously concerned with getting good random data, you should look into seeding it with audio or video input. Ideally you would be using a hardware RNG connected to the computer, but those are prohibitively expensive (at least the ones I have seen).
|
|
|
02-23-2007, 04:29 AM
|
#3
|
Moderator
Registered: May 2001
Posts: 29,415
|
I am not familiar with the test you are running there or how accurate that is
Me neither. But I'll see your method and raise you a "I doubt what you do is valid". If you "cat -v /dev/urandom|head -1" you'll see what's going on better. So, if you "cat /dev/urandom | head -n 10 | sha1sum | awk '{print $1}'" you'll get a whole different idea.
|
|
|
02-23-2007, 05:05 AM
|
#4
|
Member
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65
Original Poster
Rep:
|
I'm trying to generate random passwords, so having charactors repeat is bad.
~$ cat /proc/sys/kernel/random/entropy_avail
3607
~$ cat /dev/urandom | tr -cd [:alnum:][ unct:] | fold -w10 | head -n 1
JWXszMrg[+
~$ cat /proc/sys/kernel/random/entropy_avail
263
Is that much of a drop for one call normal ?
|
|
|
02-23-2007, 06:40 AM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
I'm trying to generate random passwords
No, you're trying to reinvent the wheel.
Better search for tried 'n tested tools that do this already.
I know there are.
|
|
|
02-23-2007, 11:30 AM
|
#6
|
Member
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65
Original Poster
Rep:
|
Next time I'll take the favor with rudeness not included.
Using /dev/urandom to get *random* data to create a *random* password is hardly reinventing the wheel.
I tested a few other "random" password generators and they had a lower level of entropy.
Last edited by NoobieDoobieDo; 02-23-2007 at 11:46 AM.
|
|
|
02-25-2007, 01:00 AM
|
#7
|
Member
Registered: Aug 2005
Location: The Glorious People's Republic of Austin
Posts: 178
Rep:
|
I'm kind of confused. If all you need is a random password, why use /dev/urandom at all? Doesn't /dev/random provide a higher level of entropy anyways? That only comes at the cost of extra time for generating random characters.
|
|
|
02-25-2007, 02:58 AM
|
#8
|
Member
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241
Rep:
|
"I'm surprised that out of all the numbers and letters [:alnum:] that you'd get repeating charactors out of the 62 chars available."
Random data HAS REPEATING CHARACTERS. The chances of repeating characters in a random sample is usually actually more than you would think (humans are notoriously bad at judging two things - randomness and probability). Ask a human to "randomise" a deck of cards and you'll hardly ever find consecutive numbers, pairs of numbers, lots of the same suit. However, a truly random sample will almost always contain several examples of such "patterns" by sheer chance.
Just because it doesn't "look" random to you doesn't mean it isn't (however, I echo the reply above concerning the "real" random device, hardware RNG's, adding entropy via sound/video etc. if you're serious about getting random data... I'd just like to point out that that's TOTAL overkill for anything that isn't, e.g. SSH keys, military applications, drive encryption etc... using such "true" randomness for just a password is ridiculous).
To say that the data isn't random enough is ludicrous unless you spend months collecting data and analysing it statistically. The whole point of the matter is... could you guess those passwords? The answer is no.
Add on the randomness/probability front, next time you do the lottery, try to estimate the chances of two consecutive numbers coming up. Then see how many draws there have been where two consecutive numbers appear. Or look up something like the Monty Hall Problem. Those two examples should teach you just how bad you or any human is at judging randomness or simple probability.
|
|
|
02-25-2007, 03:24 AM
|
#9
|
LQ Guru
Registered: Jan 2002
Posts: 6,042
Rep:
|
In addition to what ledow is explaining, watch an episode of Mr. Wizard.
|
|
|
02-26-2007, 01:39 AM
|
#10
|
Member
Registered: Feb 2007
Posts: 135
Rep:
|
Quote:
Originally Posted by NoobieDoobieDo
I'm trying to generate random passwords, so having charactors repeat is bad.
~$ cat /proc/sys/kernel/random/entropy_avail
3607
~$ cat /dev/urandom | tr -cd [:alnum:][ unct:] | fold -w10 | head -n 1
JWXszMrg[+
~$ cat /proc/sys/kernel/random/entropy_avail
263
Is that much of a drop for one call normal ?
|
if you want to generate passwords, I suggest you look at apg: www.adel.nursat.kz/apg.
Last edited by nmh+linuxquestions.o; 02-26-2007 at 06:07 AM.
|
|
|
02-26-2007, 07:18 AM
|
#11
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
|
|
|
All times are GMT -5. The time now is 09:55 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|