Hosting a /dev/random dependent service

Jack asked:

I have developed a game that requires shuffled decks of cards to run.

Since it uses /dev/random to generate shuffled decks, I was wondering what sort of concerns should I take into account before publishing it online ?

Don’t know if it is possible but probably I need to protect it from malicious attempts to interfere with /dev/random results.. Is a Dedicated Server safe enough ?

My answer:

Using /dev/random is meant to be reserved for things which truly need to be cryptographically secure, such as private key material, because it relies on an entropy pool which can be depleted rapidly if the RNG is overused.

Unless for some reason you think the NSA might want to influence the results of your card games?

So /dev/urandom, a PRNG which never blocks, may be sufficient.

Note well, however, that many serious online card games, especially those which allow gambling, use external physical hardware random number generators for this purpose. In some jurisdictions, using such a device for your online card game is required by law.

As for security, I would expect someone who broke into the server to not bother messing with the RNG and just take your money, or sabotage your application so that he always wins.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.