/dev/*random

I thought I’d share my latest discovery. Linux has two “random number generators” as pseudo-hardware devices (that is, they’re in /dev, but aren’t actual hardware, much like /dev/null). They’re called /dev/random and /dev/urandom. I never knew, or even thought much about, the difference.

/dev/random will “block” if it runs out of entropy. /dev/urandom is less secure in that it will keep serving data, but it will be from a less-secure pseudo-random series.

The difference is quite useful. For example, when encrypting something, it’s important to have “good” random numbers, hence /dev/random is indicated. On the other hand, the caching resolver I’m running (localish-only) on this server uses /dev/urandom: randomness prevents cache poisoning, but I really don’t want my DNS queries waiting for the “entropy pool” to get refilled.
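The two behaviours described above can be checked on a Linux box with the following added example (not code from the original post). A non-blocking read shows whether /dev/random would have made the caller wait at this moment, and a resolver-style helper draws an unbiased transaction ID and source port from /dev/urandom; the function names and the 1024-65535 port range are assumptions made for illustration.

```python
import os

RANDOM, URANDOM = "/dev/random", "/dev/urandom"
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux-only kernel estimate


def try_read(path, n):
    """Read up to n bytes without waiting; None means the read would have blocked."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        return os.read(fd, n)
    except BlockingIOError:  # EAGAIN: the device has nothing to give right now
        return None
    finally:
        os.close(fd)


def entropy_estimate():
    """Kernel's entropy estimate in bits, or None where the file is absent."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read())
    except (OSError, ValueError):
        return None


def uniform_below(limit, source=URANDOM):
    """Unbiased integer in [0, limit) from 16-bit draws, using rejection sampling."""
    if not 0 < limit <= 1 << 16:
        raise ValueError("limit must be in 1..65536")
    cutoff = (1 << 16) - ((1 << 16) % limit)  # draws at or above this would skew the result
    with open(source, "rb", buffering=0) as dev:
        while True:
            draw = int.from_bytes(dev.read(2), "big")
            if draw < cutoff:
                return draw % limit


def query_parameters(low_port=1024, high_port=65535):
    """Hypothetical resolver helper: random DNS transaction ID and UDP source port."""
    txid = uniform_below(1 << 16)
    port = low_port + uniform_below(high_port - low_port + 1)
    return txid, port


if __name__ == "__main__":
    print("entropy estimate:", entropy_estimate())
    got = try_read(RANDOM, 16)
    print(RANDOM, "would block" if got is None else f"returned {len(got)} bytes")
    print(URANDOM, f"returned {len(try_read(URANDOM, 16))} bytes")
    print("txid, source port:", query_parameters())
```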

As an aside, there are some tools to measure the effective randomness of your nameserver’s ports. Comcast, pretty impressively, ranks “Great” on the tests, as do the various caching nameservers in use on our webserver.

2 thoughts on “/dev/*random”

  1. Computer generated random numbers are only good by a loose meaning of good. They are not really random enough for good encryption. They are good enough for when “good enough” is all you need. That is to say you are not trying to hide things from people with serious (read government) resources.

    As an aside, the tendency to make so many things into “devices” is one of the things I don’t like so much about UNIX. /dev/null makes lots of sense. /dev/random not so much.

  2. Yeah, software-based RNGs are, as a rule, no good. Linux (and most UNIXs, and maybe Windows, I don’t know?) tries to compensate by looking at stuff like the timing (not content) of keyboard input, or other stuff that’s plausibly random. (There was talk of using network traffic, too, but it was pointed out that an attacker could easily “flood” the network to compromise this.)

    That’s yet another thing that I found spiffy about the $200 Walmart machine. (Besides its insanely low power usage.) It has a hardware RNG onboard. I still think one would make a stellar firewall, randomizing ports and other data.

    As for it being a device/file… I find it handy to interact with.
