Entropy Issue with BC 1.68

Entropy Issue with BC 1.68

Syed Mudassir Ahmed
Hi,
  Recently, we have migrated from SUN provider to BouncyCastle 1.68 provider.  Migrating to BC provider solved our issues that we faced with SUN provider.

  However, a new problem started with BC provider.  That is of the entropy issue.

  While using SUN provider, we observed that entropy is healthy by running the following command.  (the entropy stays at a healthy 2000+)
  while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done
  After switching to the BC provider, the same command was executed.  (the entropy drops all the way down to single digits in a couple of minutes)
while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done

  A note from my peer developer:
  While troubleshooting this issue, I discovered that functionality that uses cryptographic functionality (e.g. creating a random object with SecureRandom) uses the entropy pool. If there isn’t enough entropy (<200), it will cause your process/thread to block until sufficient entropy builds up. I noticed that on test machines, that would sometimes take hours.

Is there any existing fix/workaround to get past this entropy issue while using BC provider?  Would it make sense to raise an issue in GitHub?

Thanks,
Syed.

Re: Entropy Issue with BC 1.68

David Hook-3
BC uses a DRBG chain, so you should not see it actually block, although it will regularly hit the available entropy on the machine.

You can set the security/system property org.bouncycastle.drbg.gather_pause_secs to reduce the amount of seeding that goes on. By default the value is 5 (so entropy is loaded in 5 second intervals until enough for a reseed, with the process starting again).

Regards,

David

On 31/3/21 5:00 pm, Syed Mudassir Ahmed wrote:
Hi,
  Recently, we have migrated from SUN provider to BouncyCastle 1.68 provider.  Migrating to BC provider solved our issues that we faced with SUN provider.

  However, a new problem started with BC provider.  That is of the entropy issue.

  While using SUN provider, we observed that entropy is healthy by running the following command.  (the entropy stays at a healthy 2000+)
  while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done
  After switching to the BC provider, the same command was executed.  (the entropy drops all the way down to single digits in a couple of minutes)
while true; do cat /proc/sys/kernel/random/entropy_avail; sleep 2; done
  A note from my peer developer:
  While troubleshooting this issue, I discovered that functionality that uses cryptographic functionality (e.g. creating a random object with SecureRandom) uses the entropy pool. If there isn’t enough entropy (<200), it will cause your process/thread to block until sufficient entropy builds up. I noticed that on test machines, that would sometimes take hours.
Is there any existing fix/workaround to get past this entropy issue while using BC provider?  Would it make sense to raise an issue in GitHub?

Thanks,
Syed.
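
Added example, not part of either message and not Bouncy Castle code: a small shell helper that turns the entropy_avail loop from the question into a summary that can be compared between runs. The function names, the ENTROPY_FILE variable and the default threshold of 200 (taken from the figure in the question) are assumptions of this example.

```shell
#!/bin/sh
# Source of the readings; overridable so the functions can be tried on a
# constructed file instead of the live kernel counter.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# sample_entropy COUNT INTERVAL
# Print COUNT readings of ENTROPY_FILE, INTERVAL seconds apart, one per line.
sample_entropy() {
    count=$1
    interval=$2
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$ENTROPY_FILE" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then
            sleep "$interval"
        fi
    done
    return 0
}

# entropy_summary [THRESHOLD]
# Read one reading per line on stdin and print: number of samples, minimum,
# maximum, how many samples were below THRESHOLD, and the longest run of
# consecutive low samples. Non-numeric lines are ignored.
# Returns non-zero when no numeric sample was read.
entropy_summary() {
    awk -v t="${1:-200}" '
        /^[0-9]+$/ {
            n++
            if (n == 1 || $1 < min) min = $1
            if (n == 1 || $1 > max) max = $1
            if ($1 < t) {
                below++
                run++
                if (run > longest) longest = run
            } else {
                run = 0
            }
        }
        END {
            if (n == 0) { print "n=0"; exit 1 }
            printf "n=%d min=%d max=%d below=%d longest_low_run=%d\n",
                   n, min, max, below + 0, longest + 0
        }'
}

# Typical use: 150 readings, 2 seconds apart (about 5 minutes):
#   sample_entropy 150 2 | entropy_summary 200
```

Running it once with the default settings and once after changing org.bouncycastle.drbg.gather_pause_secs gives two summary lines to compare.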