Obviously it is well understood that the security of cryptographic
software, such as TLS, depends on good random numbers. Postfix's
tlsmgr(8) maintains a PRNG pool, which is fed from an external source,
configured via tls_random_source, typically /dev/urandom (default on
Linux systems). Presumably, the tlsmgr's PRNG takes the data from the
tls_random_source and mixes it around in its own pool.

The TLS_README[0] talks about the possibility of specifying EGD as a
random source, but I'm not sure why you would specify EGD directly as a
random source because EGD keeps the kernel pool topped off. Data
collected from whatever external hardware random source (e.g. Simtec's
Entropy Key[1]) is fed to EGD and mixed into /dev/urandom with entropy
gathered by other sources by your computer. This is a /feature/ because
if someone were able to know ahead of time the random bits the hardware
device was emitting, it would be mixed with bits that they cannot
know. If you specify EGD directly, you no longer get this mixing. 

So why would you change the tls_random_source to use EGD instead of
/dev/urandom? Could it be because postfix's tls_daemon_random_bytes is
set to 32 bytes by default, but when EGD is specified tlsmgr is able to
read up to 255 bytes? This is what TLS_README says under the
tlsmgr_controls[2] section:

         By default, tlsmgr(8) reads 32 bytes from the external entropy
         source at each seeding event. This amount (256 bits) is more
         than sufficient for generating a 128-bit symmetric key. With EGD
         and device entropy sources, the tlsmgr(8) limits the amount of
         data read at each step to 255 bytes. If you specify a regular
         file as entropy source, a larger amount of data can be read.

If this is the reason, it seems like an unnecessary and arbitrary
restriction on the number of bytes that tlsmgr will read, especially
when the system's random pool is kept topped up by EGD and /dev/urandom
would be able to handle a larger tls_daemon_random_bytes when EGD is
being used. Having to use EGD directly to get a larger number of bytes
means that you lose the benefit of having the EGD data mixed in with the
system's random pool.

micah

0. http://www.postfix.org/TLS_README.html
1. http://www.entropykey.co.uk/
2. http://www.postfix.org/TLS_README.html#tlsmgr_controls
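As an added example (not part of the original post, and not Postfix's own code): the EGD socket protocol sends the requested length as a single byte after the command byte, which is why any EGD client can ask for at most 255 bytes per request. The script below implements a minimal EGD client, a constructed in-process EGD-speaking server that hands out a deterministic counter (a protocol stand-in, not an entropy source), and a `read_seed()` helper that accepts `dev:/path` and `egd:/path` strings in the style of `tls_random_source`. The command values (0x00 count, 0x01 non-blocking read, 0x02 blocking read) are the EGD protocol's; the function names, the fake server, and the decision to assemble a larger seed from several 255-byte EGD requests are this example's own choices, not a description of what tlsmgr does.

```python
"""Added example, not Postfix code: a minimal EGD client plus a constructed
EGD-speaking server, showing where the 255-byte per-request ceiling on an
EGD entropy source comes from."""
import itertools
import os
import socket
import struct
import tempfile
import threading

# EGD wire protocol: one command byte, then a command-specific body.
EGD_CMD_COUNT = 0x00          # reply: 4-byte big-endian count of available bits
EGD_CMD_READ_NONBLOCK = 0x01  # body: 1 length byte; reply: 1 count byte + data
EGD_CMD_READ_BLOCK = 0x02     # body: 1 length byte; reply: exactly that many bytes
EGD_MAX_REQUEST = 255         # the length field is one byte, so 255 is the ceiling


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or raise on early EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD socket closed early")
        buf.extend(chunk)
    return bytes(buf)


def egd_read(sock, nbytes, blocking=True):
    """One EGD read request. The length travels in a single byte, so a client
    (tlsmgr included) cannot ask for more than 255 bytes in one request."""
    if not 0 < nbytes <= EGD_MAX_REQUEST:
        raise ValueError("EGD requests carry a one-byte length: 1..255")
    cmd = EGD_CMD_READ_BLOCK if blocking else EGD_CMD_READ_NONBLOCK
    sock.sendall(bytes([cmd, nbytes]))
    if blocking:
        return _recv_exact(sock, nbytes)
    count = _recv_exact(sock, 1)[0]   # daemon reports how many it could supply
    return _recv_exact(sock, count)


def read_seed(source, nbytes):
    """Read nbytes of seed material from a tls_random_source-style string
    ('dev:/dev/urandom' or 'egd:/path/to/socket'). Splitting an EGD read into
    <=255-byte requests is this example's choice, not tlsmgr's behaviour."""
    kind, _, path = source.partition(":")
    out = bytearray()
    if kind == "dev":
        with open(path, "rb") as dev:
            while len(out) < nbytes:
                chunk = dev.read(nbytes - len(out))
                if not chunk:
                    raise ConnectionError("device returned EOF")
                out.extend(chunk)
        return bytes(out)
    if kind == "egd":
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.connect(path)
            while len(out) < nbytes:
                out.extend(egd_read(sock, min(EGD_MAX_REQUEST, nbytes - len(out))))
        return bytes(out)
    raise ValueError("unknown source type: %r" % kind)


def start_fake_egd():
    """Start a constructed EGD-speaking server on a fresh Unix socket and
    return its path. It serves a deterministic byte counter, so it is only a
    protocol stand-in and never a source of randomness."""
    path = os.path.join(tempfile.mkdtemp(), "egd-pool")
    pool = (i & 0xFF for i in itertools.count())   # constructed, NOT random
    ready = threading.Event()

    def serve():
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(4)
        ready.set()
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    hdr = conn.recv(1)
                    if not hdr:
                        break
                    if hdr[0] == EGD_CMD_COUNT:
                        conn.sendall(struct.pack(">I", 0x7FFFFFFF))
                    elif hdr[0] in (EGD_CMD_READ_NONBLOCK, EGD_CMD_READ_BLOCK):
                        n = _recv_exact(conn, 1)[0]
                        data = bytes(itertools.islice(pool, n))
                        if hdr[0] == EGD_CMD_READ_NONBLOCK:
                            conn.sendall(bytes([len(data)]) + data)
                        else:
                            conn.sendall(data)
                    else:
                        break   # unknown command: drop the connection

    threading.Thread(target=serve, daemon=True).start()
    ready.wait()
    return path


if __name__ == "__main__":
    egd_path = start_fake_egd()
    seed = read_seed("egd:" + egd_path, 300)   # 300 bytes takes two EGD requests
    print("EGD seed bytes:", len(seed))
    if os.path.exists("/dev/urandom"):
        print("/dev/urandom seed bytes:", len(read_seed("dev:/dev/urandom", 32)))
```

Running the script shows the contrast the post is asking about: a single `egd_read()` of 256 or more bytes is rejected before anything is sent, because the protocol has no way to encode it, while a `dev:` source has no such per-read ceiling in the protocol itself.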
