{"guid":"0c99ddbc-a8e5-44b3-b99e-5528a66b185d","title":"Because \"use urandom\" isn't everything: a deep dive into CSPRNGs in Operating Systems \u0026 Programming Languages","subtitle":"Implementation, hazards and updates on use of RNGs in programming languages and the Linux Kernel (among others)","slug":"SHA2017-199-because_use_urandom_isn_t_everything_a_deep_dive_into_csprngs_in_operating_systems_programming_languages","link":"https://c3voc.de","description":"Over the past year multiple people have been engaging language maintainers and designers to change their use of CSPRNGs (mainly relying on user-land RNGs like the one from OpenSSL, and sometimes suggesting \"adding entropy\" by various means from user-land daemons like haveged). In this short presentation we'll survey the struggle of cryptographers, developers and security engineers to change the path various high-profile languages have taken to provide randomness to their userbase. Affected languages include but are not limited to: Ruby, node.js and Erlang. We outline better approaches for language maintainers and implementers as well as coming changes within the Linux kernel crypto subsystem (i.e. /dev/random and /dev/urandom) w.r.t. security and performance. Recently these changes were merged into mainline Linux (4), problems with languages implementations however remain. We'll also discuss operating system provided randomness testing, attacks/mitigation in embedded and virtualized environments.\n#Software #Security","original_language":"eng","persons":["Aaron Zauner (azet)"],"view_count":281,"promoted":false,"date":"2017-08-06T00:00:00.000+02:00","release_date":"2017-08-06T02:00:00.000+02:00","updated_at":"2026-01-13T15:00:26.864+01:00","tags":["SHA2017","199"],"length":3308,"duration":3308,"thumb_url":"https://static.media.ccc.de/media/events/SHA2017/199-hd.jpg","poster_url":"https://static.media.ccc.de/media/events/SHA2017/199-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/SHA2017/0c99ddbc-a8e5-44b3-b99e-5528a66b185d-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/SHA2017/0c99ddbc-a8e5-44b3-b99e-5528a66b185d-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/SHA2017-199-because_use_urandom_isn_t_everything_a_deep_dive_into_csprngs_in_operating_systems_programming_languages","url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_title":"SHA2017: Still Hacking Anyway","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017","related":[{"event_id":2904,"event_guid":"8b01d636-d39b-44b8-8d6f-fc03e47eae1b","weight":8},{"event_id":4230,"event_guid":"2764cdfd-49ab-4463-a809-198dec7abdf6","weight":6},{"event_id":4240,"event_guid":"dec63dd2-d66b-419d-863d-c20fd5ce91dd","weight":10},{"event_id":4245,"event_guid":"87f8200b-822a-4536-ba15-443e27860d2e","weight":9},{"event_id":4247,"event_guid":"2dd16bb3-657b-41b6-bdec-987ada3f285c","weight":6},{"event_id":4257,"event_guid":"9f3c556d-5cb0-4b17-a099-3c4626a7e83b","weight":6},{"event_id":4258,"event_guid":"ce7ba341-f44e-4f82-9f67-45e2df6b9c67","weight":8},{"event_id":4261,"event_guid":"3852e448-f6cf-4bfe-8b14-12d590075bd6","weight":17},{"event_id":4270,"event_guid":"c6747c8b-649f-4cad-ae7a-b5bd6138ca3f","weight":6},{"event_id":4288,"event_guid":"6e5a6877-3a72-464f-bf47-4bbd103b41fe","weight":7},{"event_id":4293,"event_guid":"dd774554-e12d-4557-b91c-3f6039cd4aeb","weight":11},{"event_id":4296,"event_guid":"0eff8b32-bd9e-4a69-b704-70171ca0e83e","weight":7},{"event_id":4300,"event_guid":"d48d1713-333b-4515-b56d-bc12fa2d3c44","weight":7},{"event_id":4303,"event_guid":"384839be-beef-4ae4-939f-3c2046199c2b","weight":6},{"event_id":4305,"event_guid":"b2b9237b-d45a-4271-9b63-66573c1de3c7","weight":7},{"event_id":4323,"event_guid":"df804417-58b7-42fa-a626-83ed1663677f","weight":8},{"event_id":4331,"event_guid":"6e4cc66d-2edc-41ab-9d9b-6ec921e0944d","weight":7},{"event_id":4336,"event_guid":"962f467f-8c6b-44cc-98cd-673128a9aef5","weight":6},{"event_id":4344,"event_guid":"e856b1b3-ac67-42a4-ab7a-50a8d58d413e","weight":6},{"event_id":4367,"event_guid":"f284b8f1-f27b-466e-9084-c3de794f8fd3","weight":6},{"event_id":4470,"event_guid":"d5ad9c64-0e65-4ee2-bc2b-feb9c7faa1c6","weight":7}],"recordings":[{"size":1243,"length":3308,"mime_type":"video/mp4","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-08-06T21:32:37.002+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/h264-hd/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_hd.mp4","url":"https://api.media.ccc.de/public/recordings/17752","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"},{"size":159,"length":3308,"mime_type":"video/mp4","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2017-08-06T23:31:38.484+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/h264-sd/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_sd.mp4","url":"https://api.media.ccc.de/public/recordings/17799","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"},{"size":220,"length":3308,"mime_type":"video/webm","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2017-08-06T23:32:17.704+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/webm-sd/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/17800","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"},{"size":36,"length":3293,"mime_type":"audio/opus","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2017-08-06T23:32:41.976+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/opus/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages.opus","url":"https://api.media.ccc.de/public/recordings/17801","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"},{"size":50,"length":3293,"mime_type":"audio/mpeg","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2017-08-06T23:42:16.585+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/mp3/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages.mp3","url":"https://api.media.ccc.de/public/recordings/17803","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"},{"size":1011,"length":3308,"mime_type":"video/webm","language":"eng","filename":"SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-08-07T10:38:21.773+02:00","recording_url":"https://cdn.media.ccc.de/events/SHA2017/webm-hd/SHA2017-199-eng-Because_use_urandom_isnt_everything_a_deep_dive_into_CSPRNGs_in_Operating_Systems_Programming_Languages_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/17835","event_url":"https://api.media.ccc.de/public/events/0c99ddbc-a8e5-44b3-b99e-5528a66b185d","conference_url":"https://api.media.ccc.de/public/conferences/SHA2017"}]}