Tech insights and news. Best served hot.

2020

March
9

Entropy and Random Numbers

Even if it does not seem intuitively logical, "randomness" plays a central role in today's IT, especially in the area of security. The major strength of computers, however, lies in the complete opposite, namely in exact and reproducible calculations. There are, however, a number of special techniques available to generate good randomness – also at cloudscale.ch.

Why randomness?

The appeal of many computer games lies in the fact that the computer's next move is not predictable but apparently random. Apart from this entertaining aspect of "randomness", the security of your data and systems also depends on it: data encryption – e.g. with HTTPS or SSH – is based on mathematical methods that rely on the fact that a potential attacker cannot guess the key or derive it from other data.

Using special algorithms, a so-called "pseudo random number generator" (PRNG) calculates the necessary random values/numbers from input values that are as unpredictable as possible. The PRNG in the Linux kernel obtains this entropy ("disorder") from various sources such as mouse movements and network traffic. The random numbers are output, for example, via /dev/urandom and /dev/random.

Additional entropy sources

A number of possible entropy sources (such as mouse movements) are obviously not available in virtualized cloud servers. Especially during the initial boot it can take a while to collect enough entropy from the few available sources to initialize the PRNG. For this reason, servers at cloudscale.ch can now also use the rdrand command, which is a feature of many modern CPUs to generate random numbers. Also newly available is the virtio device /dev/hwrng, which provides random numbers generated on our physical compute hosts.

Both of these new entropy sources are independent of your server's ability to collect enough entropy on its own, and can help to initialize the server's PRNG more quickly. However, whether the server actually detects and uses rdrand and /dev/hwrng depends on the Linux distribution and kernel you are using; if necessary, check the CONFIG_RANDOM_TRUST_CPU and CONFIG_HW_RANDOM_VIRTIO options of your kernel, e.g. in the /boot/config-* file (depending on the distribution).

Benefit automatically from more entropy

An increasing number of Linux distributions contain software that uses the getrandom() system call. This call, and services such as SSH that depend on it, wait after system startup until the server's PRNG is initialized, which in some cases can lead to long delays. Servers at cloudscale.ch are not affected by such delays: thanks to rdrand and /dev/hwrng, the necessary entropy is available in no time, so that services requiring random numbers can be started right away.

You can also tap into the new entropy sources with existing servers at cloudscale.ch. Simply switch off your server completely and then restart it. After restarting, the rdrand feature of the CPU will be available to you, and you can verify it using the following command:

$ grep rdrand /proc/cpuinfo
flags		: [...] rdrand [...]

If your specific operating system also supports the hwrng virtio device, it will be displayed with the following command:

$ cat /sys/devices/virtual/misc/hw_random/rng_available
virtio_rng.0

 

Although it is hardly ever talked about in everyday IT life, "randomness" is an indispensable ingredient for countless processes, especially in the context of security. At cloudscale.ch we ensure that your servers can generate enough randomness right from the start.

Not just random servers!
Your cloudscale.ch team

More news. Further insights.

Try it yourself and launch a Swiss Linux server today!