11.22. Gathering Entropy from Thread Timings
Problem
You want to collect some entropy without user intervention, hoping that there is some inherent, measurable entropy in the environment.
Solution
In practice, timing how long it takes to start up and stop a particular number of threads can provide a bit of entropy. For example, many Java virtual machines exclusively use such a technique to gather entropy.
Because the thread timing data is only indirectly related to actual user input, it is good to be extremely conservative about the quality of this entropy source. We recommend the following methodology:
Launch and join on some fixed number of threads (at least 100).
Mix in a timestamp when all threads have returned successfully.
Estimate entropy based on the considerations discussed in Recipe 11.19.
Wait at least a second before trying again, in hopes that there is additional entropy affecting the system later.
The following code spawns a particular number of threads that you can time, in the hope of getting some entropy. This code works on Unix implementations that have the pthreads library (the POSIX standard for threads). Linking is different depending on platform; check your local pthreads documentation.
#include <pthread.h>
static void *thread_stub(void *arg) {
return 0;
}
void spc_time_threads(unsigned int numiters) {
pthread_t tid;
while (numiters--)
if (!pthread_create(&tid, 0, thread_stub, 0))
pthread_join(tid, 0);
}On Windows, the idea is the same, and the structure of the code ...
Get Secure Programming Cookbook for C and C++ now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
