Hi there

I have a strange symptom while using /dev/urandom on different systems with the same os-level being 7200-05-07-2346.

When I issue the following command (for random password generation)

Expected behaviour (15 chars) =>
</dev/urandom tr -dc '\_A-Za-z0-9' | head -c15
QTzFHfP3iWuwmcn

on another system

Strange behaviour (only 2 chars or even nothing) =>
</dev/urandom tr -dc '\_A-Za-z0-9' | head -c15
Ck

I dont see any differences in the devices files

ls -la /dev/*random (good system)
crw-r--r--    1 root     system       35,  0 Sep 26 04:43AM /dev/random
crw-r--r--    1 root     system       35,  1 Sep 26 04:43AM /dev/urandom

ls -la /dev/*random (strange system)
crw-r--r--    1 root     system       35,  0 Sep 05 09:17 /dev/random
crw-r--r--    1 root     system       35,  1 Sep 05 09:17 /dev/urandom

Is there some kind of best practice do re-generate the /dev/*random files ? Reboot didn't change the behaviour at all.

Thanks in advance and kind regards,

Stefano

------------------------------
Stefano Calisto
------------------------------

On Thu, Sep 26, 2024 at 06:41:17AM +0000, Stefano Calisto via IBM TechXchange Community wrote:
> Hi there
>
>
> I have a strange symptom while using /dev/urandom on different systems with the same os-level being 7200-05-07-2346.
>
>
> When I issue the following command (for random password generation)
>
>
> Expected behaviour (15 chars) =>
>
> QTzFHfP3iWuwmcn
>
>
> on another system
>
>
> Strange behaviour (only 2 chars or even nothing) =>
>
> Ck

I wonder if that's indicating an exhaustion of the random pool. I know
in Linux there was a difference between random and urandom, where one
was cryptographically sound random numbers but very slow to generate,
and the other was fast pseudo random numbers. The slow one would block
or not output if there were none available.

Perhaps you might consider:

openssl rand -base64 16 | tr -d \=


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
https://adamssystems.nl/

Hi Russell

Thanks for the input, I will go with this solution as we had problems with /dev/random and /dev/urandom also in the past.

Thanks again and kind regards,

Stefano

------------------------------
Stefano Calisto
------------------------------

Original Message:
Sent: Thu September 26, 2024 05:30 AM
From: Russell Adams
Subject: /dev/random & /dev/urandom behaviour

On Thu, Sep 26, 2024 at 06:41:17AM +0000, Stefano Calisto via IBM TechXchange Community wrote:
> Hi there
>
>
> I have a strange symptom while using /dev/urandom on different systems with the same os-level being 7200-05-07-2346.
>
>
> When I issue the following command (for random password generation)
>
>
> Expected behaviour (15 chars) =>
>
> QTzFHfP3iWuwmcn
>
>
> on another system
>
>
> Strange behaviour (only 2 chars or even nothing) =>
>
> Ck

I wonder if that's indicating an exhaustion of the random pool. I know
in Linux there was a difference between random and urandom, where one
was cryptographically sound random numbers but very slow to generate,
and the other was fast pseudo random numbers. The slow one would block
or not output if there were none available.

Perhaps you might consider:

openssl rand -base64 16 | tr -d \=


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
https://adamssystems.nl/

Some of the details you are after are in the man page for urandom:

       The /dev/urandom device provides a reliable source of random output, however the output will not be generated from an equal amount of random input
       if insufficient input is available. Reads from the /dev/urandom device always return the quantity of output requested without blocking. If
       insufficient random input is available, alternate input will be processed by the random number generator to provide cryptographically secure
       output, the strength of which will reflect the strength of the algorithms used by the random number generator. Output generated without random
       input is theoretically less secure than output generated from random input, so /dev/random should be used for applications for which a high level
       of confidence in the security of the output is required.

The entropy is generated by the kernel random process (seen with 'ps -elk') and we maintain a high water mark. When the pool is 3/4 full, we will begin to regenerate entropy. This may seem early, but is can take time to regenerate it so we start early. 

The output can contain binary data. I was able to read it using:

       dd if=/dev/urandom count=15 bs=1 | od -x

$ dd if=/dev/urandom count=15 bs=1 | od -X
15+0 records in
15+0 records out
15 bytes copied, 0.000100942 s, 149 kB/s
0000000 f26f6d23 f030c05d 7fd82880 2991c500
0000017

Using 'tr' seems to alter it. 

------------------------------
Grover Davidson
------------------------------

Hi Grover

Thanks for the info, it's really appreciated. Maybe it's really because nothing much is going on on the machine but using openssl (from the example above) seems to be the better choice.

Thanks again and kind regards,

Stefano

------------------------------
Stefano Calisto
------------------------------

Original Message:
Sent: Fri September 27, 2024 12:51 PM
From: Grover Davidson
Subject: /dev/random & /dev/urandom behaviour

Some of the details you are after are in the man page for urandom:

       The /dev/urandom device provides a reliable source of random output, however the output will not be generated from an equal amount of random input
       if insufficient input is available. Reads from the /dev/urandom device always return the quantity of output requested without blocking. If
       insufficient random input is available, alternate input will be processed by the random number generator to provide cryptographically secure
       output, the strength of which will reflect the strength of the algorithms used by the random number generator. Output generated without random
       input is theoretically less secure than output generated from random input, so /dev/random should be used for applications for which a high level
       of confidence in the security of the output is required.

The entropy is generated by the kernel random process (seen with 'ps -elk') and we maintain a high water mark. When the pool is 3/4 full, we will begin to regenerate entropy. This may seem early, but is can take time to regenerate it so we start early. 

The output can contain binary data. I was able to read it using:

       dd if=/dev/urandom count=15 bs=1 | od -x

$ dd if=/dev/urandom count=15 bs=1 | od -X
15+0 records in
15+0 records out
15 bytes copied, 0.000100942 s, 149 kB/s
0000000 f26f6d23 f030c05d 7fd82880 2991c500
0000017

Using 'tr' seems to alter it. 

------------------------------
Grover Davidson
------------------------------