* urandom is too slow
From: Lasse Kärkkäinen
Date: 2012-10-30 14:55 UTC
To: linux-kernel

Apparently there has been little or no development on urandom even though the device is in widespread use for disk shredding and similar purposes. The device emits data at the rather slow rate of 19 MB/s even on modern hardware, where other software-based PRNGs could do far better. An even better option seems to be using AES to encrypt zeroes with a random key, allowing for rates up to 500 MB/s on hardware that has AES-NI instructions.

Why is urandom so slow, and why isn't AES hardware acceleration utilized?
* Re: urandom is too slow
From: Theodore Ts'o
Date: 2012-10-30 18:54 UTC
To: Lasse Kärkkäinen
Cc: linux-kernel

On Tue, Oct 30, 2012 at 04:55:22PM +0200, Lasse Kärkkäinen wrote:
> Apparently there has been little or no development on urandom even
> though the device is in widespread use for disk shredding and such
> use. The device emits data at rather slow rate of 19 MB/s even on
> modern hardware where other software-based PRNGs could do far
> better. An even better option seems to be utilizing AES for
> encrypting zeroes, using a random key, allowing for rates up to 500
> MB/s with hardware that has AES-NI instructions.
>
> Why is urandom so slow and why isn't AES hardware acceleration utilized?

If you can use a software-based PRNG, you should use one in userspace. The intended use of urandom is for cryptographic purposes (i.e., generating random session keys, long-term public keys, etc.). If you just want to wipe a disk, you shouldn't be using /dev/urandom for that purpose.

Regards,

- Ted
* Re: urandom is too slow
From: Pádraig Brady
Date: 2012-10-30 20:56 UTC
To: Theodore Ts'o, Lasse Kärkkäinen, linux-kernel

On 10/30/2012 06:54 PM, Theodore Ts'o wrote:
> On Tue, Oct 30, 2012 at 04:55:22PM +0200, Lasse Kärkkäinen wrote:
>> Apparently there has been little or no development on urandom even
>> though the device is in widespread use for disk shredding and such
>> use. The device emits data at rather slow rate of 19 MB/s even on
>> modern hardware where other software-based PRNGs could do far
>> better. An even better option seems to be utilizing AES for
>> encrypting zeroes, using a random key, allowing for rates up to 500
>> MB/s with hardware that has AES-NI instructions.
>>
>> Why is urandom so slow and why isn't AES hardware acceleration utilized?
>
> If you can use a software-based PRNG, you should use one in userspace.
> The intended use of urandom is for cryptographic purposes (i.e.,
> generating random session keys, long-term public keys, etc.). If you
> just want to wipe a disk, you shouldn't be using /dev/urandom for that
> purpose.

For the record, shred has used a user-space PRNG for speed for the last 3 years or so, rather than using /dev/urandom:
http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commit;h=af5723c7

  $ shred-old -v -n3 t
  shred-old: t: pass 1/3 (random)...
  shred-old: t: pass 1/3 (random)...8.3MiB/1000MiB 0%
  shred-old: t: pass 1/3 (random)...17MiB/1000MiB 1%
  shred-old: t: pass 1/3 (random)...32MiB/1000MiB 3%
  ...

  $ time shred-new -v t
  shred-new: t: pass 1/3 (random)...
  shred-new: t: pass 1/3 (random)...116MiB/1000MiB 11%
  shred-new: t: pass 1/3 (random)...216MiB/1000MiB 21%
  shred-new: t: pass 1/3 (random)...340MiB/1000MiB 34%
  ...

cheers,
Pádraig.
* Re: urandom is too slow
From: Alan Cox
Date: 2012-10-30 21:38 UTC
To: Theodore Ts'o
Cc: Lasse Kärkkäinen, linux-kernel

> If you just want to wipe a disk, you shouldn't be using /dev/urandom for that
> purpose.

If you want to wipe a disk, issue a security erase command via hdparm. There is no guarantee that simply writing crap all over it will re-use the same sectors of physical media, and for a flash drive it causes massive wear and takes forever, while a security erase is normally near immediate.

Alan
* Re: urandom is too slow
From: Lasse Kärkkäinen
Date: 2012-11-02 1:10 UTC
To: linux-kernel

On 30.10.2012 23:38, Alan Cox wrote:
> If you want to wipe a disk issue a security erase command via hdparm.
> There is no guarantee that simply writing crap all over it will re-use
> the same sectors of physical media, and for a flash drive it causes
> massive wear and takes forever while a security erase is normally near
> immediate.
>
> Alan

Thank you for your answers; they should be very helpful for someone who is actually blanking or shredding their disks. However, I am just genuinely interested in why no better CSPRNG algorithm is used in the kernel (is it simply because no one has sent a patch, or am I missing something?).
* Re: urandom is too slow
From: Theodore Ts'o
Date: 2012-11-02 19:56 UTC
To: Lasse Kärkkäinen
Cc: linux-kernel

On Fri, Nov 02, 2012 at 03:10:05AM +0200, Lasse Kärkkäinen wrote:
> Thank you for your answers, they should be very helpful for someone
> who is actually blanking or shredding their disks. However, I am
> just genuinely interested on why is no better CSPRNG algorithm used
> in the kernel (is it simply because no-one sent a patch or am I
> missing something?).

The answer is that the goal of /dev/urandom is not to be a cryptographic random number generator (CRNG); a CRNG relies on the security of the cryptographic primitive for its strength. For example, a CRNG which is based on DES or AES encrypting an incrementing counter using a secret key is fundamentally reliant on the strength of DES or AES. If DES were to be broken, for example, an attacker would be able to determine the secret key and thus predict all future outputs of a DES-based CRNG.

The design of /dev/random and /dev/urandom is to take advantage of the kernel's access to unpredictability from the hardware, and to avoid being "brittle" even in the face of a discovery of a weakness in its cryptographic primitives.

Regards,

- Ted
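The following is an added example and not code from the thread, from coreutils or from the kernel. It does in userspace what the opening message proposes and Ted's first reply recommends: seed a 256-bit AES key and a 16-byte IV once from the kernel, then expand them with AES-CTR over zeros to produce bulk filler at memory speed. It also illustrates the "brittle" property Ted's last message describes: sameKeyReproducesStream shows that two instances holding the same key and IV emit byte-identical output, so recovering the key recovers every future byte. The function names, the hypothetical file name wipe.go and the chunk sizes are this example's own choices; the throughput printed depends entirely on the machine it runs on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"time"
)

// ctrGenerator expands a short seed into an unbounded keystream by running
// AES-256 in counter mode over zeros: the ciphertext of all-zero input is
// the raw keystream, which is the construction proposed in the thread.
type ctrGenerator struct {
	stream cipher.Stream
}

// newCTRGenerator builds a generator from an explicit key and IV.
// aes.NewCipher rejects keys that are not 16, 24 or 32 bytes long.
func newCTRGenerator(key, iv []byte) (*ctrGenerator, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	return &ctrGenerator{stream: cipher.NewCTR(block, iv)}, nil
}

// Read fills p with the next len(p) keystream bytes. Zeroing p first means
// XORKeyStream yields the keystream itself, not an encryption of stale data.
func (g *ctrGenerator) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	g.stream.XORKeyStream(p, p)
	return len(p), nil
}

// newSeededGenerator takes 48 bytes from the kernel once (crypto/rand uses
// getrandom(2) or /dev/urandom) and does all further expansion in userspace:
// the kernel supplies unpredictability, the application supplies throughput.
func newSeededGenerator() (*ctrGenerator, error) {
	seed := make([]byte, 32+aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		return nil, err
	}
	return newCTRGenerator(seed[:32], seed[32:])
}

// fill copies exactly n bytes from src to dst in chunk-sized writes and
// returns how many bytes reached dst (meaningful on a partial write error).
func fill(dst io.Writer, src io.Reader, n int64, chunk int) (int64, error) {
	buf := make([]byte, chunk)
	var written int64
	for written < n {
		want := chunk
		if rem := n - written; rem < int64(chunk) {
			want = int(rem)
		}
		if _, err := io.ReadFull(src, buf[:want]); err != nil {
			return written, err
		}
		m, err := dst.Write(buf[:want])
		written += int64(m)
		if err != nil {
			return written, err
		}
	}
	return written, nil
}

// throughputMiBps measures raw generator speed by discarding total bytes.
func throughputMiBps(src io.Reader, total int64) (float64, error) {
	start := time.Now()
	n, err := fill(io.Discard, src, total, 1<<20)
	if err != nil {
		return 0, err
	}
	return float64(n) / (1 << 20) / time.Since(start).Seconds(), nil
}

// sameKeyReproducesStream demonstrates the brittleness of a cipher-based CRNG:
// whoever holds (or recovers) the key and IV regenerates the identical stream.
func sameKeyReproducesStream(key, iv []byte, n int) (bool, error) {
	a, err := newCTRGenerator(key, iv)
	if err != nil {
		return false, err
	}
	b, err := newCTRGenerator(key, iv)
	if err != nil {
		return false, err
	}
	outA, outB := make([]byte, n), make([]byte, n)
	a.Read(outA)
	b.Read(outB)
	return bytes.Equal(outA, outB), nil
}

func main() {
	g, err := newSeededGenerator()
	if err != nil {
		fmt.Fprintln(os.Stderr, "seed:", err)
		os.Exit(1)
	}
	// Usage (hypothetical file name): go run wipe.go /path/to/file-or-device
	// This OVERWRITES the target; with no argument it only benchmarks.
	if len(os.Args) > 1 {
		f, err := os.OpenFile(os.Args[1], os.O_WRONLY, 0)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		size, _ := f.Seek(0, io.SeekEnd) // Stat().Size() is 0 for block devices; Seek is not
		f.Seek(0, io.SeekStart)
		n, err := fill(f, g, size, 1<<20)
		fmt.Printf("wrote %d of %d bytes (err=%v)\n", n, size, err)
		return
	}
	mbps, err := throughputMiBps(g, 256<<20)
	fmt.Printf("AES-256-CTR keystream: %.0f MiB/s (err=%v)\n", mbps, err)
}
```

Note what this does not give you: it is a filler generator for overwriting media, not a replacement for /dev/urandom as a key source, and per Alan's reply it does not address remapped sectors or flash wear, for which the drive's own security erase is the right tool.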