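Entropy is nothing but a measure of the "randomness" in a sequence of bits. A PRNG (pseudorandom number generator) is a special device (for example /dev/random on Linux) that creates randomness from server hardware activity. It uses interrupts generated by the keyboard, hard disk, mouse, network and other sources. The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. The quality of the source of randomness and of the random bits is critical, because they are typically used for security purposes such as creating TLS/SSL keys. For example, the OpenSSL APIs can use quality randomness to make sure your program is cryptographically secure. A poor source of randomness, however, can result in a loss of security. In this post I will cover haveged and rng-utils/rng-tools, which generate random numbers and feed the Linux random device on your virtual or dedicated Linux server.
Entropy exhaustion is common on servers and virtual machines
To see the available entropy on Linux, type: $ cat /proc/sys/kernel/random/entropy_avail
Sample output: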
378
That is fairly low (anything below =
Does anyone know how to speed this up?
openssl dhparam -out dhparams.pem 4096
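— nixCraft # (@nixcraft) September 2, 2016
I was advised to look into the haveged project. The haveged software provides an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Another suggested option is to use rng-tools/rng-utils to speed up entropy.
Find out your current entropy availability and quality of randomness
You need to use the rngtest command as follows. Install it from rng-tools without starting the rng daemon in the background: $ sudo RUNLEVEL=1 apt-get install rng-tools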
$ cat /dev/random | rngtest -c 1000
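Because of the low-quality randomness, the last command will take a long time to run. Let us see how to install haveged or rng-tools.
Option #1: Install haveged
haveged is a Linux entropy source that uses the HAVEGE algorithm. It can be installed as follows:
Debian/Ubuntu Linux
Type the following apt-get command: $ sudo apt-get install haveged
Sample output: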
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libhavege1
The following NEW packages will be installed:
  haveged libhavege1
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 49.8 kB of archives.
After this operation, 196 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://01.archive.ubuntu.com/ubuntu xenial/universe amd64 libhavege1 amd64 1.9.1-3 [21.8 kB]
Get:2 https://01.archive.ubuntu.com/ubuntu xenial/universe amd64 haveged amd64 1.9.1-3 [28.0 kB]
Fetched 49.8 kB in 0s (58.6 kB/s)
Selecting previously unselected package libhavege1:amd64.
(Reading database ... 233574 files and directories currently installed.)
Preparing to unpack .../libhavege1_1.9.1-3_amd64.deb ...
Unpacking libhavege1:amd64 (1.9.1-3) ...
Selecting previously unselected package haveged.
Preparing to unpack .../haveged_1.9.1-3_amd64.deb ...
Unpacking haveged (1.9.1-3) ...
Processing triggers for libc-bin (2.23-0ubuntu4) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Setting up libhavege1:amd64 (1.9.1-3) ...
Setting up haveged (1.9.1-3) ...
Processing triggers for libc-bin (2.23-0ubuntu4) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
RHEL/CentOS Linux
First, turn on the EPEL repo and type: $ sudo yum install epel-release
$ sudo yum install haveged
Sample output:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: epel.mirror.angkasa.id
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================
 Package          Arch          Version              Repository       Size
=================================================================================
Installing:
 haveged          x86_64        1.9.1-1.el7          epel             61 k
Transaction Summary
=================================================================================
Install  1 Package
Total download size: 61 k
Installed size: 181 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed
haveged-1.9.1-1.el7.x86_64.rpm | 61 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <[email protected]>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-6.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : haveged-1.9.1-1.el7.x86_64 1/1
  Verifying  : haveged-1.9.1-1.el7.x86_64 1/1
Installed:
  haveged.x86_64 0:1.9.1-1.el7
Complete!
That is all. Test it: $ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random | rngtest -c 1000
$ haveged -n 2g -f - | dd of=/dev/null
Option #2: Install rng-utils/rng-tools
rngd is the hardware RNG entropy gatherer daemon. On CentOS/RHEL-based systems, type the following yum command: $ sudo yum install -y rng-utils
Sample output:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: epel.mirror.angkasa.id
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package rng-tools.x86_64 0:5-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================
 Package          Arch          Version          Repository       Size
=========================================================================
Installing:
 rng-tools        x86_64        5-7.el7          base             34 k
Transaction Summary
=========================================================================
Install  1 Package
Total download size: 34 k
Installed size: 68 k
Is this ok [y/d/N]: y
Downloading packages:
rng-tools-5-7.el7.x86_64.rpm | 34 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : rng-tools-5-7.el7.x86_64 1/1
  Verifying  : rng-tools-5-7.el7.x86_64 1/1
Installed:
  rng-tools.x86_64 0:5-7.el7
Complete!
Debian / Ubuntu Linux users type the following apt-get command: $ sudo apt-get install rng-tools
Sample output:
[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  rng-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 21.9 kB of archives.
After this operation, 139 kB of additional disk space will be used.
Get:1 https://01.archive.ubuntu.com/ubuntu xenial/universe amd64 rng-tools amd64 5-0ubuntu3 [21.9 kB]
Fetched 21.9 kB in 0s (34.3 kB/s)
Selecting previously unselected package rng-tools.
(Reading database ... 233574 files and directories currently installed.)
Preparing to unpack .../rng-tools_5-0ubuntu3_amd64.deb ...
Unpacking rng-tools (5-0ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Setting up rng-tools (5-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
That is all. Test it: $ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random | rngtest -c 1000
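Examples
You should now see a speed-up when using the following commands. To use perfect forward secrecy cipher suites, you must set up Diffie-Hellman parameters on the server side. To generate a strong DH group or GPG keys using the CLI, run: $ openssl dhparam -out dhparams.pem 2048
or $ openssl dhparam -out dhparams.pem 4096
or $ openssl dhparam -out dhparams.pem -dsaparam 4096
To generate a key pair consisting of a public and a private key, run: $ gpg2 --gen-key
To generate /root/keyfile for disk encryption with LUKS, type: $ sudo haveged -n 2048 -f /root/keyfile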
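A more careful way to land the LUKS keyfile from the command above, as an added example that is not part of the original article. The hypothetical helper write_keyfile reads key bytes from stdin, so `haveged -n 2048 -f -` can be piped into it; the demo at the bottom uses /dev/urandom as a stand-in source and a temporary directory so that it runs without haveged or root.

```shell
#!/bin/sh
# Added example: write key material arriving on stdin to a keyfile.
# write_keyfile PATH NBYTES   (hypothetical helper name)
#   - creates PATH with mode 0600 (umask 077 applied in a subshell)
#   - refuses to overwrite an existing file (noclobber)
#   - removes the file again if fewer or more than NBYTES bytes arrived
# Return status: 0 ok, 1 could not create PATH, 2 wrong byte count.
write_keyfile() {
    kf_path=$1
    kf_want=$2
    (
        umask 077
        set -C                  # noclobber: ">" fails if the file exists
        cat > "$kf_path"
    ) 2>/dev/null || { echo "refusing to write $kf_path" >&2; return 1; }
    kf_got=$(wc -c < "$kf_path" | tr -d ' ')
    if [ "$kf_got" -ne "$kf_want" ]; then
        rm -f "$kf_path"
        echo "expected $kf_want bytes, got $kf_got" >&2
        return 2
    fi
}

# Demo in a scratch directory. /dev/urandom is a stand-in (assumption);
# with haveged installed the pipeline would be:
#   haveged -n 2048 -f - | write_keyfile /root/keyfile 2048
demo_dir=$(mktemp -d)
head -c 2048 /dev/urandom | write_keyfile "$demo_dir/keyfile" 2048 \
    && ls -l "$demo_dir/keyfile"
rm -rf "$demo_dir"
```
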
To generate a random ASCII password 16 characters long, run: $ (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head -1
To test the randomness of the generated data with the dieharder test suite (use "apt-get install dieharder" on Debian/Ubuntu Linux to get dieharder), run: $ haveged -n 0 | dieharder -g 200 -a
Sample output:
Writing unlimited bytes to stdout
#=============================================================================#
#            dieharder version 3.31.1 Copyright 2003 Robert G. Brown          #
#=============================================================================#
   rng_name    |rands/second|   Seed   |
stdin_input_raw|  2.22e+07  |2467094284|
#=============================================================================#
        test_name   |ntup| tsamples |psamples|  p-value |Assessment
#=============================================================================#
   diehard_birthdays|   0|       100|     100|0.57766651|  PASSED
      diehard_operm5|   0|   1000000|     100|0.18806468|  PASSED
  diehard_rank_32x32|   0|     40000|     100|0.94961511|  PASSED
    diehard_rank_6x8|   0|    100000|     100|0.89699673|  PASSED
   diehard_bitstream|   0|   2097152|     100|0.01373793|  PASSED
        diehard_opso|   0|   2097152|     100|0.33382051|  PASSED
        diehard_oqso|   0|   2097152|     100|0.59662327|  PASSED
         diehard_dna|   0|   2097152|     100|0.18392060|  PASSED
diehard_count_1s_str|   0|    256000|     100|0.35838284|  PASSED
diehard_count_1s_byt|   0|    256000|     100|0.93169702|  PASSED
 diehard_parking_lot|   0|     12000|     100|0.25432384|  PASSED
    diehard_2dsphere|   2|      8000|     100|0.19976795|  PASSED
    diehard_3dsphere|   3|      4000|     100|0.72109364|  PASSED
     diehard_squeeze|   0|    100000|     100|0.70961203|  PASSED
... .. ....
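A dieharder -a run prints many rows, so it helps to triage on the Assessment column instead of reading the table by eye. The script below is an added example, not part of the original article; dieharder_triage and sample_report are hypothetical names, the PASSED rows are copied from the sample output above, and the sts_monobit WEAK row is constructed.

```shell
#!/bin/sh
# Added example: triage a dieharder report by its Assessment column.

# Constructed sample: four rows taken from the article's sample output
# plus one made-up WEAK row (the sts_monobit values are invented).
sample_report() {
cat <<'EOF'
#=============================================================================#
        test_name   |ntup| tsamples |psamples|  p-value |Assessment
#=============================================================================#
   diehard_birthdays|   0|       100|     100|0.57766651|  PASSED
      diehard_operm5|   0|   1000000|     100|0.18806468|  PASSED
   diehard_bitstream|   0|   2097152|     100|0.01373793|  PASSED
    diehard_2dsphere|   2|      8000|     100|0.19976795|  PASSED
         sts_monobit|   1|    100000|     100|0.99731205|  WEAK
EOF
}

# Reads a report on stdin. Prints a count line, then one line per test that
# is not PASSED. Exit status: 0 all passed, 1 some WEAK, 2 some FAILED.
dieharder_triage() {
    awk -F'|' '
        # Result rows have six |-separated fields ending in an assessment;
        # banners and the column header do not match and are skipped.
        NF == 6 && $6 ~ /^[ \t]*(PASSED|WEAK|FAILED)[ \t]*$/ {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            count[$6]++
            if ($6 != "PASSED")
                flagged = flagged sprintf("%s ntup=%s p=%s %s\n", $1, $2, $5, $6)
        }
        END {
            printf "passed=%d weak=%d failed=%d\n",
                   count["PASSED"], count["WEAK"], count["FAILED"]
            printf "%s", flagged
            rc = 0
            if (count["WEAK"] > 0) rc = 1
            if (count["FAILED"] > 0) rc = 2
            exit rc
        }'
}

sample_report | dieharder_triage || echo "triage exit status: $?"
```

A real run is piped in as `haveged -n 0 | dieharder -g 200 -a | dieharder_triage`. P-values from a sound generator are uniformly distributed, so an occasional WEAK row in a long run is expected; a FAILED row, or the same test turning up WEAK on repeated runs, is what deserves attention.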
A note about ChaosKey
There is a hardware-based true random number generator that attaches via USB: