How secure is haveged?

harvie · 2015-01-20 14:33:59

There have been general reccomendation to use haveged:
https://www.archlinux.org/news/gnupg-21 … n-keyring/

I just wonder how secure it is. Can we tell that it's really good idea to use haveged on servers where we need to consider security? It's good that keys are generated faster, so we can get better latency on TLS, etc... But what are the security risks of using haveged? Is quality (and security) of entropy generated by haveged dependent on used HW? Is haveged secure when used inside various virtual machine or container technologies?

http://www.issihosts.com/haveged/

karol · 2015-01-20 16:22:47

Older, but probably related: https://bbs.archlinux.org/viewtopic.php?id=138504

Leonid.I · 2015-01-20 22:37:20

Another link: http://security.stackexchange.com/quest … l-machines .

The bottom line is that answering your question unambiguously is quite difficult. If you are so worried about the quality of your crypto, run several entropy harvesting daemons.

harvie · 2015-01-23 10:24:05

Leonid.I wrote:

If you are so worried about the quality of your crypto, run several entropy harvesting daemons.

I don't think it works this way :-) If you can lower quality of entropy by adding one daemon i can't see how two daemons will make things better. You can't do crypto like that. Rather we should be confident about inner workings.

Lone_Wolf · 2015-01-23 12:01:46

Harvie, the way i understand it is that more different sources equals better entropy .

let's say i have 2 sources :

A counts up every millisec from 0 to 9 , then starts at 0 again .
B starts at 9 , counts downs every millisec, once it reaches 0, it starts with 9 again.

If i only use A or B as source, my entropy will be very low.
However, if i combine A & B by outputting A+B every milisec, the resulting entropy gets higher.

Last edited by Lone_Wolf (2015-01-23 12:03:04)

clfarron4 · 2015-01-23 12:23:15

harvie wrote:

Leonid.I wrote:
If you are so worried about the quality of your crypto, run several entropy harvesting daemons.
If you can lower quality of entropy by adding one daemon i can't see how two daemons will make things better. You can't do crypto like that. Rather we should be confident about inner workings.

You can certainly lower the "quality of entropy" you can use for crypto when throwing several source of entropy together (even though you're increasing the rate a which you're generating overall entropy)...

So, (if I'm not mistaken) we're looking whether havaged produces entropy of a comparable "quality" to other methods of generating entropy and what circumstances it does under, right?

frostschutz · 2015-01-23 12:53:25

It only mixes in to whatever entropy the kernel itself provides.

If you find a way to predict /dev/(u)random let me know, until then I'm not worried.

harvie · 2015-01-25 09:55:51

Lone_Wolf wrote:

Harvie, the way i understand it is that more different sources equals better entropy .
...
if i combine A & B by outputting A+B every milisec, the resulting entropy gets higher.

It is very dependent on how you "combine" the entropy. When you have two sources of entropy then you get increase in quality if you (eg.) XOR both together and increase in quantity if you contencate the bits of together. As haveged increases the quantity it is not sure what effect it has on quality.

Metaphor: Think of it as of RAID0 vs RAID1. RAID0 increases quantity of diskspace, but effect on overall reliability (quality) of array depends on reliability of added disk. However when you add disk to RAID1 you always get better reliability, but you don't increase space.

clfarron4 wrote:

So, (if I'm not mistaken) we're looking whether havaged produces entropy of a comparable "quality" to other methods of generating entropy and what circumstances it does under, right?

Exactly.

Last edited by harvie (2015-01-25 09:57:51)

clfarron4 · 2015-01-25 12:34:30

harvie wrote:

clfarron4 wrote:
So, (if I'm not mistaken) we're looking whether havaged produces entropy of a comparable "quality" to other methods of generating entropy and what circumstances it does under, right?
Exactly.

Up for studying a PhD with the main topic being analysing the methods generating randomness within Linux and the quality of the randomness generated?

Put me on an intensive programming course for a year (with the main focus being C) and I should be able to start this in September 2016.

EDIT: This discussion reminded me of the RDRAND thing which happened way back in 2013.

Last edited by clfarron4 (2015-01-25 15:12:34)

\hbar · 2015-01-25 13:57:54

I was a little confused when I read this, then I learned that the entropy you're talking about is not Shannon entropy, but the amount of random bits that are generated. For the sake of being provocative, let me ask the following question: wouldn't a good way of quantifying the quality of your entropy be to compute its entropy?

In other words, you could generate a lot of random numbers (say +1, -1) very quickly using haveged and repeat the experiment without haveged, or with some other entropy generating algorithm; and then perform a statistical analysis (e.g. compute average, 2-point correlation, 3-point, etc) of these sequences and compare.

This is a very naive approach, and it would certainly not be enough to show that haveged produces "good" entropy, but if your randomly generated sequences were correlated, it would certainly mean the entropy is "bad".

Head_on_a_Stick · 2015-01-25 14:04:28

\hbar wrote:

and then perform a statistical analysis (e.g. compute average, 2-point correlation, 3-point, etc) of these sequences and compare.

Or just see if you can compress the output using gzip or similar -- if you can compress it with a lossless algorithm, then it is not random.

\hbar · 2015-01-25 14:12:06

As expected, the creators of haveged seem to have perfomed a bunch of tests on their entropy (including a rough estimate of the Shannon entropy of their entropy): found here http://www.issihosts.com/haveged/ais31.html .

harvie · 2015-01-26 10:57:42

\hbar wrote:

As expected, the creators of haveged seem to have perfomed a bunch of tests on their entropy

Actually it seems that latest version of haveged have option to enable online checking of generated entropy using various alghoritms. However some of those seem to be CPU intensive. May be interesting to play with various test for a while. This probably solves my worries as long as we trust authors of haveged. On the other hand we can run independent entropy checks at /dev/random using some 3rd party package (i don't know any of such programs).

Another point is haveged in openvz, xen, kvm, docker, vserver, uml. yes or not? and what should one concern when implemeting haveged inside such environments. At least we can try to run haveged selftests inside these containers to see what happens...

Leonid.I · 2015-01-26 19:13:22

harvie wrote:

\hbar wrote:
As expected, the creators of haveged seem to have perfomed a bunch of tests on their entropy
Actually it seems that latest version of haveged have option to enable online checking of generated entropy using various alghoritms. However some of those seem to be CPU intensive. May be interesting to play with various test for a while. This probably solves my worries as long as we trust authors of haveged. On the other hand we can run independent entropy checks at /dev/random using some 3rd party package (i don't know any of such programs).
Another point is haveged in openvz, xen, kvm, docker, vserver, uml. yes or not? and what should one concern when implemeting haveged inside such environments. At least we can try to run haveged selftests inside these containers to see what happens...

Haveged does run tests by default. From tha haveged(8) manpage:

-o <spec>, --onlinetest=<spec>
              Specify  online tests to run.
              [...]
              The defaults ("ta8bcb" if run  as  a  daemon  and "ta8b" otherwise) are suitable for most circumstances.

Arch Linux

#1 2015-01-20 14:33:59

How secure is haveged?

#2 2015-01-20 16:22:47

Re: How secure is haveged?

#3 2015-01-20 22:37:20

Re: How secure is haveged?

#4 2015-01-23 10:24:05

Re: How secure is haveged?

#5 2015-01-23 12:01:46

Re: How secure is haveged?

#6 2015-01-23 12:23:15

Re: How secure is haveged?

#7 2015-01-23 12:53:25

Re: How secure is haveged?

#8 2015-01-25 09:55:51

Re: How secure is haveged?

#9 2015-01-25 12:34:30

Re: How secure is haveged?

#10 2015-01-25 13:57:54

Re: How secure is haveged?

#11 2015-01-25 14:04:28

Re: How secure is haveged?

#12 2015-01-25 14:12:06

Re: How secure is haveged?

#13 2015-01-26 10:57:42

Re: How secure is haveged?

#14 2015-01-26 19:13:22

Re: How secure is haveged?

Board footer