4

I want to test the entropy of my seed generator: in my case it is /dev/urandom. I've read that this operation is not useful because it is the result of a CSPRNG (normally not accessible).

But what I obtain from urandom is the seed for my RBG algorithm, and then it is the real seed for me.

Do you think the test can be useful or not? Do you have any suggestion on how it should be performed?

e-sushi
user44580

2 Answers

9

Bear in mind that entropy is measured against a source using a model. It is unlikely you will find any model or attack against /dev/urandom that worked purely by analysing its output - from that perspective it will have "perfect" entropy by any realistic measure. However, so would Mersenne Twister unless you knew how to build a model that extracted its state . . . in which case you could reduce that to zero entropy after 624 measurements.

In short, measuring "entropy" of any RNG with a generic model is unlikely to show you anything. If you don't take care, even very bad RNGs will pass tests such as compressibility or naive checks for patterns.

There are tools that allow you to check that a source is statistically random in various ways. I could suggest Dieharder as it provides a command-line interface which is easy to connect via a *nix pipe. This will run a variety of simulations and pattern-detection algorithms against a source of alleged random bytes.

A test against /dev/urandom should look like this:

    cat /dev/urandom | dieharder -g 200 -a

. . . and may take a few hours to complete, since the tests consume large amounts of source data.

Caveats:

  • Proving something is "random" is not easy. At best you get a probability of getting the same result from a theoretical truly random source. If you run hundreds of tests (like Dieharder does), then some will probably end up reporting a low $p$ value - e.g. 0.01 or less. This is not necessarily bad. RNGs that really fail Dieharder tend to do so very dramatically with $p < 0.000001$ in multiple related tests.

  • If you find that a source is statistically random, that does not mean it is secure, just that it has demonstrated one desirable property of a secure system.

Neil Slater
3

Testing the output of /dev/urandom is of little use, because it can only catch gross errors in the implementation of its CSPRNG part (and then only a fraction of these). Such a test will fail to catch implementation mistakes in the generator's seeding, which matters, is much more likely to be faulty, and has historically been a major source of problems (like insufficient entropy in the generation of a machine's key at setup).

fgrieu
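An added example, not part of either answer above, illustrating the point both make: a generator with a badly under-seeded state still looks perfect to generic measurements. The generator `weak_stream`, its 16-bit seed and the sample seed `0xBEEF` are constructed for this illustration; the entropy and compression checks use a naive byte-frequency model and zlib.

```python
import hashlib
import math
import zlib
from collections import Counter
from typing import Optional

SEED_BITS = 16  # constructed flaw: the seed carries only 16 bits of entropy


def weak_stream(seed: int, nbytes: int) -> bytes:
    """Hypothetical toy generator: SHA-256 in counter mode over a 2-byte seed."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = seed.to_bytes(2, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:nbytes])


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte under a naive byte-frequency model."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; about 1.0 means zlib found no pattern."""
    return len(zlib.compress(data, 9)) / len(data)


def recover_seed(prefix: bytes) -> Optional[int]:
    """Model-aware check: search the whole seed space for a stream matching prefix."""
    for seed in range(2 ** SEED_BITS):
        if weak_stream(seed, len(prefix)) == prefix:
            return seed
    return None


if __name__ == "__main__":
    data = weak_stream(0xBEEF, 1 << 20)  # constructed sample: 1 MiB of output
    print(f"naive entropy    : {byte_entropy(data):.4f} bits/byte (maximum is 8)")
    print(f"zlib ratio       : {compression_ratio(data):.4f}")
    seed = recover_seed(data[:32])
    print(f"seed from 32 B   : {seed:#06x}, i.e. at most {SEED_BITS} bits in the whole stream")
    print("rest predictable :", weak_stream(seed, len(data)) == data)
```

The generic measurements report close to 8 bits per byte and no compressibility, while the model that knows about the seed space shows the whole stream holds no more than 16 bits.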