java slow : entropy related issue

Question

I am running into an issue where java is slow when used over SSL. The solution is to add

-Djava.security.egd=file:/dev/./urandom

to java at the command line. Since I have multiple JVM's, I dont want to modify every single JVM to contain this string and hence would like to add it to the file

$JAVA_HOME/jre/lib/security/java.security

Now, the java.security file already contains

securerandom.source=file:/dev/urandom

Two questions on this :

Why and how is "/dev/urandom" different from "/dev/./urandom". Why doesnt java accept "/dev/urandom"
For the JVM's that I have running, how can I tell whether they are using the correct urandmon device (vs random)

`/dev/./urandom` and `/dev/urandom` are the same path, there's no difference. — Mat, Dec 01 '13 at 17:31
Yup, just arrived at the same conclusion ! Bug 6202721 explains it. — souser, Dec 01 '13 at 17:47

score 11 · Accepted Answer · edited Oct 13 '21 at 15:34

This is actually a hack introduced into the JVM back in 1.3 or 1.4 days

http://bugs.sun.com/view_bug.do?bug_id=4705093

http://bugs.sun.com/view_bug.do?bug_id=6202721

The basic issue is that in the native JVM code they hardcoded /dev/urandom to actually use /dev/random to attempt to ensure sufficient entropy. Since /dev/urandom is supposed to be guaranteed not to block, this has the unintended consequence of blocking if not enough entropy is available.

The hardcoding looks specifically for the string /dev/urandom, so providing something that resolves to the same thing but doesn't match that causes the desired behavior. If you code /dev/./urandom you bypass the hardcoded aliasing and get to the intended urandom entropy source.

this reminds me that unix uses the dot method for recursive folder search. technically it could look like this: file:/dev/... — DeerSpotter, Aug 11 '22 at 21:06

revau.lt · Answer 2 · 2021-06-09T11:19:49.920

Using /dev/urandom (non blocking) is fine for most cases. Personally I would make sure to have some HW random number generator configured to be positive to have enough entropy (see below).

If you have to use /dev/random (blocking) and you cannot block then you should make sure to always have enough entropy. A solution to this is to configure a HW random number generator.

Assuming your on Linux you can check the available entropy with:

cat /proc/sys/kernel/random/entropy_avail

If you are on a machine that has a hw random number generator you most probably want to install rngd. You can check if your cpu has one by issuing the command:

cat /proc/cpuinfo

Look for flags called rand. You can also check if the file /dev/hwrng is present. You might have/want to load the corresponding module:

ls /lib/modules/*/kernel/drivers/char/hw_random

For me this is:

sudo modprobe tpm-rng

To make it permanent:

echo tpm-rng | sudo tee -a /etc/modules

If you happen to be on Ubuntu/Debian just install the package rng-tools.

sudo aptitude install rng-tools

If you check your entropy before and after installing rng-tools you should see a significant increase.

The following command should show you available entropy sources:

sudo rngd -f -r /dev/hwrng -v

Note that if you need better security you want to mix multiple entropy sources. Not sure rng-tools supports this.

java slow : entropy related issue

2 Answers2

Linked

Related