HP-UX 11i Version 1.6 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

121

122

123

124

125

126

127

128

129

130

Programming

Strong Random Number Generator

Chapter 7

126

Strong Random Number Generator

/dev/random, /dev/urandom, rng

Summary of Change

This feature is installable from http://software.hp.com, and detailed installation

instructions are found at this site as well. This feature is not included with the HP-UX

11i v1.6, and must be installed separately

The strong random number generator for HP-UX 11i v1.6 extracts informational entropy

from sub-microsecond timing data associated with external interrupts. This provides a

secure, non-reproducible source of binary sequences for applications that generate

encryption keys and other cryptographic quantities.

The HP-UX 11i v1.6 strong random number generator design follows the Dynamically

Loadable Kernel Module (DLKM) architecture on HP-UX. This permits kernel software

to be configured into or removed from the HP-UX kernel domain without rebooting the

system. This feature only requires that the /dev/random and /dev/urandom devices are

not in use for removal or upgrade. Installation, upgrade, and removal can be completed

without system downtime.

Details of Change

This feature produces random data at a high rate in the absence of local input devices

such as keyboard and mouse. The National Institute of Standards and Technology

(NIST) test suite for randomness was used to confirm cryptographic strength. Even

during extended periods of minimal network and disk activity, small sub-microsecond

variations in system activity are tapped to produce true random sequences at a

sustained rate of 100 bytes/second or more.

A deskewing algorithm by Dr. Yuval Perez, University of California, is used to remove bit

skew as the random data is collected.

The /dev/random device interface provides random, unpredictable binary sequences

through the standard read (2) system call. This read () blocks temporarily if the

kernel-resident device buffer is too low to guarantee the highest level of entropy.

The /dev/urandom device has the advantage of a non-blocking read () call, but the

entropy may be much more dilute than that provided by /dev/random. This device

interface also provides non-reproducible random data, but relies on cryptographic

hashing to guarantee a non-blocking source of random numbers.

The cryptographic hashing employs an encryption algorithm, that meets the Advanced

Encryption Standard (AES), which was developed and provided by Dr. Brian Gladman,

United Kingdom.

In contrast to pseudo-random number generators such as random (3M), this feature does

not depend on computationally deriving random sequences from seed values, and is truly

unpredictable. The /dev/random and /dev/urandom devices provide a higher degree of

security for cryptographic applications.