Jump to: navigation, search

Dev/Entropy

< Dev

Introduction[edit]

Whonix 0.5.5 and above have haveged installed by default. (see below)

The Linux Kernel man page says: "[...] /dev/random should be suitable for uses that need very high quality randomness [...]".

Quoted from the riseup.net page about entropy: "[...] entropy-estimation is a black-art and not very well understood [...]".

While it would be good to be cautions, i.e. learning about the entropy quality in Virtual Machines and if required learning about methods to improve it, it's not a critical problem. Successful entropy estimation attacks have never been reported for any software.

Information resources[edit]

Resources[edit]

VirtualBox Bug Reports[edit]

Software Packages[edit]

Introduction[edit]

It has to be researched if they do work well inside Virtual Machines (VirtualBox). Simply installing all of them may not be wise.

  • entropy broker: Not in Debian.
  • rng-tools: In Debian.
  • timer_entropyd: Not in Debian.
  • audio-entropyd: Not in Debian.
  • video-entropyd: Not in Debian.
  • clrngd: In Debian.
  • ekeyd: In Debian.
  • HAVEGE: In Debian. See below.

haveged[edit]

Haveged is an entropy gathering daemon.

Quoted from the haveged testing page: "[...] will behave similarly in a virtual environment is a more risky proposition [...] there have been reports of VM that implement the processor time stamp counter as a constant and there are known differences in cpuid operation in others. [...]"

Will haveged create sufficient entropy in VirtualBox? Luckily, haveged comes with tools to check the if the entropy it creates.

The README in the haveged source folder and the haveged website contains instructions for testing haveged.

Makes sense to test entropy while haveged is disabled.

sudo service haveged stop

Get haveged sources and test.

apt-get source haveged
cd haveged-*
./configure --enable-nistest
make check

## perhaps repeat
#make clean
#make check

Should say something like

0 failed individual tests
PASS: nist/test.sh
==================
All 2 tests passed
==================
  • This was successfully tested in VirtualBox without haveged running.
  • This was successfully tested in VirtualBox with haveged running.
  • This was successfully tested in kvm without rng device and without haveged running.
  • This was successfully tested in kvm without rng device and with haveged running.
  • This was successfully tested in Qubes without haveged running. [1]
  • This was successfully tested in Qubes with haveged running.

Hardware Entropy Keys[edit]

Entropy Key[edit]

Entropy Key; Hardware not fully open source. Some resources say, it's okay as an additional source of entropy. Where to add it? Since Whonix depends on a host operating system, the Whonix-Gateway and the Whonix-Workstation, where it does make most sense to add it? Perhaps adding it to the host and using a entropy broker could be the most effective method. Better than buying three entropy keys.

OneRNG[edit]

OneRNG; Hardware and Firmware fully open source. Firmware is cryptographically signed to ensure it hasn't been tampered with. Board has a removable tin RF Shield so you can verify the circuits match the diagrams provided by the manufacturer. Fully reprogrammable with manufacturer provided software+cable (must be bought separately). Where to add it? Since Whonix depends on a host operating system, the Whonix-Gateway and the Whonix-Workstation, where it does make most sense to add it? Perhaps adding it to the host and using a entropy broker could be the most effective method.

List[edit]

Resources[edit]


Random News:

Interested in becoming author for Whonix blog? Writing about anonymity/privacy/security? Get in touch!


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.
  1. https://phabricator.whonix.org/T32