Apache HTTPD Server, OpenSSL, and GPG support using EGD as an alternative for Unix systems which do not support the /dev/random device.

EGD is written in perl (Entropy Gathering Daemon - http://egd.sourceforge.net/).
PRNGD is written in C (Pseudo Random Number Generator Daemon - http://prngd.sourceforge.net/).


The java.security.SecureRandom bundled with the JDK can use PRNG.
http://download.oracle.com/javase/6/docs/api/java/security/SecureRandom.html

See: http://stackoverflow.com/questions/137212/how-to-solve-performance-problem-with-java-securerandom


There is a ColdFusion blog about using EGD in the java environment. That is using /dev/./urandom instead of /dev/random. See middle section of blog post. See a little further down for a production resolution.

ColdFusion hangs or slow on startup due to MessageBrokerServlet
http://www.ghidinelli.com/2011/01/11/cold-fusion-slow-start-messagebrokerservlet

This blog post recommends "-Djava.security.egd=file:/dev/./urandom", but then it goes on to suggest how to tune the EGD on your linux system for production.


-RG



On 08/18/2011 10:47 AM, Kevan Miller wrote:

On Aug 18, 2011, at 1:06 AM, Shawn Jiang wrote:

This could increase the linux start up speed significantly. Does anyone know if it is safe 
to add "-Djava.security.egd=file:/dev/./urandom" to our startup script 
directly?

Don't know if it will break something on other linux/unix platforms.

IIRC, some unix variants don't have a /dev/urandom. I don't think these 
environments are very popular. I would expect these environments would have 
fairly obvious failures and could be diagnosed, fairly easily.

I suppose that there is some possibility that urandom will generate a less 
secure seed for the SSL server socket. I've never heard of any concerns about 
this, but that doesn't mean it doesn't exist.

This is a long standing problem. And Java has not chosen to do anything about 
it. I know some servers have used a similar approach. Others, e.g. Tomcat, have 
left it up to users/admins.

Given the number of times we bump into this issue, I'd say that setting 
"-Djava.security.egd=file:/dev/./urandom" is likely to do more good than harm.

--kevan
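As an added check (not code from anyone in this thread), the small Java program below reports which seed source the JVM has been told to use and times the first seed request, so an admin can confirm whether blocking on /dev/random is what slows startup and whether the -D flag discussed above actually took effect. It assumes a standard JDK on a Unix system; the 1000 ms threshold is an arbitrary choice.

```java
import java.security.SecureRandom;
import java.security.Security;

// Diagnostic for the SecureRandom seeding discussed in the thread.
// Run it twice: once plainly, once with -Djava.security.egd=file:/dev/./urandom.
public class EgdCheck {
    public static void main(String[] args) throws Exception {
        // The system property (from the command line) takes precedence over
        // the securerandom.source entry in the JDK's java.security file.
        String egd = System.getProperty("java.security.egd");
        String source = Security.getProperty("securerandom.source");
        System.out.println("java.security.egd   = " + egd);
        System.out.println("securerandom.source = " + source);

        SecureRandom sr = new SecureRandom();
        System.out.println("default SecureRandom = " + sr.getAlgorithm()
                + " (" + sr.getProvider().getName() + ")");

        // generateSeed() reads the configured seed source; on a kernel whose
        // entropy pool is short it is the call that stalls, so time it.
        long start = System.nanoTime();
        byte[] seed = sr.generateSeed(20);
        long ms = (System.nanoTime() - start) / 1_000_000L;
        System.out.println("generateSeed(" + seed.length + ") took " + ms + " ms");

        // Threshold is an assumption: a slow first seed points at a blocking source.
        if (ms > 1000) {
            System.out.println("Seed source appears to block; this is the case"
                    + " where -Djava.security.egd=file:/dev/./urandom helps.");
        }
    }
}
```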
