
Recently I have been working on making a non-blocking SecureRandom setup the default on CentOS 7 with Java 8 and Java 11. The non-blocking config is to use securerandom.source=/dev/./urandom or -Djava.security.egd=file:/dev/./urandom. However, I found that using /dev/./urandom and /dev/urandom shows a different algorithm in use.

I wrote my first Java program, myConfigOut, to print this at runtime, and have used it to run the following tests:

import java.security.*;
import java.util.*;

public class myConfigOut {
    public static void main(String[] argv) {

        try {
            // Trying to see which secureRandom provider we are using
            System.out.println("Trying to output RNG source");
            // Default constructor: picks the first SecureRandom implementation
            // registered by the installed providers for this platform/config
            SecureRandom secureRandom = new SecureRandom();
            // Value from java.security (not overridden by -Djava.security.egd)
            System.out.println("Secure random source: " + Security.getProperty("securerandom.source"));
            // Value passed on the command line, if any
            System.out.println("java.security.egd: " + System.getProperty("java.security.egd"));
            System.out.println("Algorithm: " + secureRandom.getAlgorithm());
        } finally {
            System.out.println("I'm done here");
        }
    }
}

CentOS 7 + Java 11:

# java -version
openjdk version "11.0.13" 2021-10-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.13+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8-LTS, mixed mode, sharing)

# java -Djava.security.egd=file:/dev/./urandom myConfigOut
Trying to output RNG source
Secure random source: file:/dev/random
java.security.egd: file:/dev/./urandom
Algorithm: DRBG
I'm done here

# java -Djava.security.egd=file:/dev/urandom myConfigOut
Trying to output RNG source
Secure random source: file:/dev/random
java.security.egd: file:/dev/urandom
Algorithm: NativePRNG
I'm done here

The above results switch the algorithm from DRBG to NativePRNG. Note: DRBG is the default algorithm from JDK 9+.

CentOS 7 + Java 8:

# java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)

# java -Djava.security.egd=file:/dev/./urandom myConfigOut
Trying to output RNG source
Secure random source: file:/dev/random
java.security.egd: file:/dev/./urandom
Algorithm: SHA1PRNG
I'm done here

# java -Djava.security.egd=file:/dev/urandom myConfigOut
Trying to output RNG source
Secure random source: file:/dev/random
java.security.egd: file:/dev/urandom
Algorithm: NativePRNG
I'm done here

In the above test the algorithm switches from SHA1PRNG to NativePRNG.

So my question is: why is there a difference between /dev/./urandom and /dev/urandom on CentOS 7, and which file should be configured to get non-blocking randomness?

Asked by SAGAR BHOOSHAN (edited by MT0)

1 Answer

/dev/random is blocking and used to be considered more secure than urandom.

Until Java 8, /dev/random was the default and /dev/urandom was hard-coded as blacklisted.

So -Djava.security.egd=file:/dev/urandom was intentionally ignored and had no effect.

/dev/./urandom is kind of a hack to overcome this blacklist.

Since Java 11, a new internal random algorithm is used and /dev/urandom is used by default.

PS: it is also explained here:

https://stackoverflow.com/a/59097932/836215

https://stackoverflow.com/a/20315239/836215

Answered by ibre5041
  • For most use cases [`urandom` is the correct choice](https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom) which makes the old hack in the JDK doubly problematic. – Generous Badger Dec 01 '21 at 09:27
  • @GenerousBadger you're right. Since the very last version of Java 8 and since Java 11, this old hack should not be necessary. – ibre5041 Dec 01 '21 at 09:43
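The probe below is an added example, not code from the question or the answer. It goes one step further than the asker's myConfigOut: besides printing what `new SecureRandom()` resolves to under the current `securerandom.source` / `java.security.egd` settings, it lists every SecureRandom algorithm the installed providers register, requests each of the Linux-relevant names explicitly (`NativePRNGNonBlocking`, `NativePRNGBlocking`, `NativePRNG`, `DRBG`, `SHA1PRNG`), and times the first `nextBytes` call, which is where a blocking source stalls on a starved kernel pool. The class name `RngProbe` and the helper `nonBlocking()` are this example's own; the algorithm names are the standard SUN provider names.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

public class RngProbe {

    // Algorithm names to request explicitly. The NativePRNG* names exist only
    // in the SUN provider on Unix-like platforms; DRBG was added in JDK 9.
    private static final String[] CANDIDATES = {
        "NativePRNGNonBlocking", "NativePRNGBlocking", "NativePRNG", "DRBG", "SHA1PRNG"
    };

    /**
     * Returns a generator that does not block on the kernel entropy pool, regardless of
     * what securerandom.source or java.security.egd is set to. On Linux, NativePRNGNonBlocking
     * seeds from and reads /dev/urandom only (JDK 8+), so no /dev/./urandom spelling is needed.
     * Elsewhere (or if the name is missing) it falls back to the platform default.
     */
    public static SecureRandom nonBlocking() {
        try {
            return SecureRandom.getInstance("NativePRNGNonBlocking");
        } catch (NoSuchAlgorithmException e) {
            return new SecureRandom();
        }
    }

    public static void main(String[] args) {
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        // What the default constructor resolves to under the current settings.
        SecureRandom dflt = new SecureRandom();
        System.out.println("new SecureRandom()  -> " + dflt.getAlgorithm()
                + " (" + dflt.getProvider().getName() + ")");

        // Every SecureRandom algorithm registered by any installed provider.
        Set<String> registered = new TreeSet<>(Security.getAlgorithms("SecureRandom"));
        System.out.println("registered algorithms: " + registered);

        for (String name : CANDIDATES) {
            try {
                SecureRandom sr = SecureRandom.getInstance(name);
                byte[] buf = new byte[32];
                long start = System.nanoTime();
                sr.nextBytes(buf);   // first output forces seeding; a blocking source stalls here
                long micros = (System.nanoTime() - start) / 1_000;
                System.out.printf("%-22s ok   (%s, first nextBytes %d us)%n",
                        name, sr.getProvider().getName(), micros);
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-22s not available on this JDK/platform%n", name);
            }
        }

        SecureRandom nb = nonBlocking();
        System.out.println("nonBlocking()       -> " + nb.getAlgorithm()
                + " (" + nb.getProvider().getName() + ")");
    }
}
```

Run it three times, plain and with `-Djava.security.egd=file:/dev/./urandom` and `-Djava.security.egd=file:/dev/urandom`, to reproduce the DRBG / SHA1PRNG versus NativePRNG switch the question shows; only the `new SecureRandom()` line changes, the explicitly requested algorithms do not. For code you control, requesting `NativePRNGNonBlocking` by name is the supported way to avoid blocking without relying on the `/dev/./urandom` spelling. For the default constructor, the knob is `securerandom.source` in `$JAVA_HOME/conf/security/java.security` (Java 11) or `$JAVA_HOME/jre/lib/security/java.security` (Java 8), which can also be overridden per JVM with `-Djava.security.properties=<file>` rather than editing the system copy.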