What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Veldkornet

Senior Member
Hey guys,

I was wondering what everyone's thoughts were around the routers default entropy levels?
While I understand that my home router is not exactly an enterprise web server or anything, would it not be better to have better entropy on the router? Even if it's just for the SSH keys etc?

Out of interest, I was watching the entropy with the below:
Code:
watch -n 1 cat /proc/sys/kernel/random/entropy_avail

I noticed that it constantly hovered around 130-180. Usually it's advised to keep this above 200, although personally I think that even that's a bit low and usually keep my devices in the high 1000's at minimum.

For those who don't know, entropy is s like a pool of random numbers (/dev/random) that are mainly used in cryptography. A lack of entropy can have a negative impact on performance and security.

I'm not sure if there is a hardware module available on the router for this, but usually an easy way is to just use something like haveged or rng-tools (i.e. rngd), to keep the pool in healthy levels by just setting the service to read from /dev/urandom and writing to /dev/random.

I've done something similar to the above to fix the entropy on my RaspberryPi's as well:
Screen Shot 2016-10-01 at 11.03.40.png


*Edit, I see rng-tools is already available in OpenWRT and entware, so I've put in a request at entware-ng. On my OpenWRT router the entropy is now close to 4000 constantly with the below config (which was default), much better :)

Code:
#!/bin/sh /etc/rc.common
# Copyright (C) 2011-2014 OpenWrt.org

START=98

RNGD_INTERVAL=30
RNGD_AMOUNT=4000
RNGD_DEVICE="/dev/urandom"

start() {
        service_start /sbin/rngd -r $RNGD_DEVICE -W $RNGD_AMOUNT
}

stop() {
        service_stop /sbin/rngd
}
 
Last edited:
@Veldkornet,

Did you ever get the Entware-NG version of rng-tools working on Asuswrt-Merlin ?

How do you script it to start ?​
 
Well, I requested that it be added to entware-ng, which eventually did happen.

But before it was added, I moved from Asuswrt to pfSense; so I never tested it.

I would imagine that the service script works the same as all the others though?


Sent from my iPhone using Tapatalk
 
For those who don't know, entropy is s like a pool of random numbers (/dev/random) that are mainly used in cryptography. A lack of entropy can have a negative impact on performance and security.

The depth of the entropy pool can impact performance, as code that drinks from the pool may be blocked if this pool is drained... has no impact on security in and of itself, as the kernel's RNG is very good at what it does...

There's some concern amongst crypto folks that haveged and rng-tools, while they keep the pool full, may be generating numbers that are not random enough... conversely, these do pass certain tests to ensure that they're random enough for government tests...

The rng-tools package - as long as it's configured correctly, I think it's more than good enough - and with a chipset that has hardware RNG blocks, that's good.

Haveged - same here, except it doesn't have dependency on a dedicated hw RNG, so it can be very helpful.

The key thing here - is configure them properly - the ArchLinux WiKi has some good tips here...

But for code that uses the /dev/random and /dev/urandom - as long as the pool is full enough - exim, which is a secure mail transport agent, similar to sendmail, had a real problem with entropy...

Believe it or not, the pool is more than just encryption/authentication - certain versions of linux (like pretty much every current version/distro) use that pool to randomize memory space, so the pool running out (or low) can impact performance, like I mentioned above.
 
From the command-line ...
Code:
/opt/sbin/rngd --no-tpm=1 -o /dev/random
... results in ...
Code:
can't open any entropy source
Maybe RNG device modules are not loaded
According to "https://wiki.archlinux.org/index.php/Rng-tools", there is supposed to be a /etc/conf.d/rngd configuration file. Using the Entware-NG package on Asuswrt-Merlin, does this file exist ? Or is RNGD supposed to be started from the command-line ?

What should the "-r" syntax be ?​
 
According to "https://wiki.archlinux.org/index.php/Rng-tools", there is supposed to be a /etc/conf.d/rngd configuration file. Using the Entware-NG package on Asuswrt-Merlin, does this file exist ? Or is RNGD supposed to be started from the command-line ?

Sounds like a mapping issue with Optware... linux kernel is going to put some kind of output to some place...

On most linux boxes - cat /dev/random
 
But for code that uses the /dev/random and /dev/urandom - as long as the pool is full enough ...

Believe it or not, the pool is more than just encryption/authentication - certain versions of linux (like pretty much every current version/distro) use that pool to randomize memory space...

Old ones support some incarnation of this sort too. Even the kernel in ASUSWRT does.

Anyway, I think it's pointless to use rng-tool to source from /dev/urandom and feed into /dev/random. As I mentioned in another thread before, applications will make use of /dev/urandom automatically in almost all situations.
 
Thanks for links, I hope those ones can ship it to Russia.
Believe it or not, the pool is more than just encryption/authentication - certain versions of linux (like pretty much every current version/distro) use that pool to randomize memory space, so the pool running out (or low) can impact performance, like I mentioned above.
There was a funny story with one of famous vendor last year, which wasn't uncovered by mass media. f/w devs made an application for routers where /dev/urandom was used to make access tokens. Some users complained they can control other devices in rare cases. There reason was a lack of true RNG and real time clock on home routers: when it boots, you can catch the same (predictable) numbers from /dev/random as long as it's still calculated from current time.
 
PS Just wonder: Is there any open online sources of true RNG sequences which I can trust or it's a bad idea?
 
I can see the difference.
Test was too slow without rng, so canceled it.
Is it good for what ?
 

Attachments

  • No rng.png
    No rng.png
    135.7 KB · Views: 692
  • rng.png
    rng.png
    151.6 KB · Views: 1,050
There was a funny story with one of famous vendor last year, which wasn't uncovered by mass media. f/w devs made an application for routers where /dev/urandom was used to make access tokens. Some users complained they can control other devices in rare cases. There reason was a lack of true RNG and real time clock on home routers: when it boots, you can catch the same (predictable) numbers from /dev/random as long as it's still calculated from current time.

Remember the Debian SSL bug from 2008? - https://www.debian.org/security/2008/dsa-1571
 
/dev/urandom

Check my first post where I had an example of the service script. Doesn't it work the same in asuswrt?



Sent from my iPhone using Tapatalk
@Veldkornet,

From the ArchLinux wiki at "https://wiki.archlinux.org/index.php/Rng-tools".
Code:
Warning: Some tutorials available in the Internet, and even early versions of rng-tools package, recommend the following line for systems without TRNG:
RNGD_OPTS="-o /dev/random -r /dev/urandom"
Of course, this is a really bad idea, since you are simple filling the kernel entropy pool with entropy coming from the kernel itself!
 
Last edited:
Similar threads
Thread starter Title Forum Replies Date
H DHCP server change Pool Starting Address Asuswrt-Merlin 4

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top