Randomness is far more important on a computer than most people realize. Randomness is used in numerous apps and is also key to encryption such as found in SSL and TLS. Without randomness, encryption would be an impossible undertaking.
SEE: Encryption Policy (Tech Pro Research)
On the Linux platform, there are two devices that produce randomness: /dev/random and /dev/urandom. Of the two systems, /dev/random offers the best randomness, as it will wait until it has received sufficient entropy before providing output because it is a blocking device. (Entropy is the randomness collected by either an operating system or an application for use in cryptography.) However, /dev/urandom/ is not a blocking device, so when there isn’t sufficient entropy, it will continue to produce random data even though the data it will produce at that point isn’t truly random. Because /dev/random is a blocking device, it will hold off until there is sufficient entropy to produce truly random data.
Unfortunately, the entropy pool on a computer is finite. When the entropy pool runs out, bad things can happen, especially on machines that depend upon encryption. If you have an encryption-dependent service on a machine that temporarily runs out of entropy, the service could be placed on hold until enough entropy is generated.
If you’ve ever generated a GPG key, you know where much of the randomness comes from: the keyboard and the mouse. You move the mouse and use your keyboard and the system will generate enough entropy to perform the task. But what happens when you’re on a headless machine? How do you generate entropy?
Fortunately, there’s a way to help that along, thanks to software called haveged. The haveged service seeds a system’s random source by executing a loop repeatedly and using the differences in the processor’s time stamp counter—this gains entropy without having to use a mouse or a keyboard. On systems that include a mouse/keyboard, it will add even more to the entropy pool. The haveged software also ensures entropy never drops below 1000 on a system to help make sure there is always enough.
With that said, let’s install and set up haveged.
SEE: Major Linux security hole gapes open (ZDNet)
The installation of haveged is quite simple. To install on Debian-based platforms, do the following.
- Open a terminal window.
- Issue the command sudo apt-get install haveged.
- Allow the installation to complete.
- Set haveged up to start at boot with the command sudo update-rc.d haveged defaults.
To install haveged on RHEL/Fedora/CentOS machines, do the following.
- Open a terminal window.
- Change to the root account by issuing the su command.
- Install the software with the command yum install haveged.
- Set haveged to start at boot with the command chkconfig haveged on.
We can use the rng-test tool to run a test on the haveged-enabled entropy system. First you must install rng-tools with the command sudo apt-get install rng-tools (on the yum systems that would be yum install rng-tools). Once that is installed, issue a command like:
cat /dev/random | rngtest -c 1000
You should see output similar to that shown in Figure A.
The important bit of information is the success. I ran the same test 10 times and never received less than 998 success. On a similar machine, without haveged installed, not only did the test run significantly slower (1.091 seconds with haveged vs. 67.636 seconds without), the successes dipped to a low of 996. Although the success rate is still within a nominal range, it is the time in which the test runs that should be of concern.
With haveged, entropy and randomness is generated exponentially faster; this means your servers that depend upon entropy and randomness will greatly benefit from having this software on board.
If you manage servers that require SSL/TLS or other services that depend upon encryption, you owe it to yourself to add haveged. It’s free, easy to install, and once it’s up and running it will ensure your headless server always has enough entropy to function as expected.
Source: SANS ISC SecNewsFeed @ November 28, 2016 at 02:03PM