Tutorial: haveged

Encryption is based on two main factors:

  • prime numbers
  • random numbers

On Linux the random numbers are generated by the pseudo random number generator.

It generates randomness from hardware interrupts e.g. by keyboard, mouse, disk or network I/O.

The main difference between /dev/random and /dev/urandom is that first is a blocking device.

So /dev/random waits until the entropy pool is filled to return random data.

/dev/urandom does not wait and therefore gerenates random data in a lower quality.

Lower quality means that previous data is repeated more likely.

So the quality of the entropy pool does have a direct inpact on the quality of SSL/TLS and other block ciphers.

One of my small servers does have a quite low entropy level:

cat /proc/sys/kernel/random/entropy_avail
129

One of my big (and busy) KVM servers does not have that problem:

cat /proc/sys/kernel/random/entropy_avail
4968

A level beyond 1000 is critical if you are using any OpenSSL based encryption.

If your server is handling a lot of SSL traffic (and handshakes) like any webserver or mailserver does, two things can happen:

  • The server waits until /dev/random is ready again
  • The server switches to /dev/urandom or it's own random generator (after a timeout)

There are userland solution like the audio_entropyd or the video_entropyd to feed the entropy pool, but they are not usable for headless servers.

But there are solutions for servers too - one of them is haveged.

It is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm.

Installation is simple:

apt-get install haveged

Afterwards you have to check the default settings to ensure that enough bits are generated:

nano /etc/default/haveged

Content:

# Configuration file for haveged

# Options to pass to haveged:
#   -w sets low entropy watermark (in bits)
DAEMON_ARGS="-w 2048"

After starting the server:

service haveged start

the entropy level is raising:

cat /proc/sys/kernel/random/entropy_avail
142
cat /proc/sys/kernel/random/entropy_avail
153
cat /proc/sys/kernel/random/entropy_avail
170
cat /proc/sys/kernel/random/entropy_avail
188

You should then set the daemon to autostart:

update-rc.d haveged defaults

There are - of course - better tests than cat to check if your entropy is ok:

apt-get install rng-tools

rng-test is using the FIPS-140 method to check the entropy:

cat /dev/random | rngtest -c 1000

Output would be:

rngtest 2-unofficial-mt.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 2000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=8.557; avg=17.635; max=24.236)Mibits/s
rngtest: FIPS tests speed: (min=68.610; avg=156.648; max=188.846)Mibits/s
rngtest: Program run time: 133849 microseconds

On 1000 runs there should not be more than 1 to 5 failures.

So check the line:

rngtest: FIPS 140-2 failures: