.\" Copyright (C) 2008, George Spelvin <linux@horizon.com>,
.\" and Copyright (C) 2008, Matt Mackall <mpm@selenic.com>
.\" and Copyright (C) 2016, Laurent Georget <laurent.georget@supelec.fr>
.\" and Copyright (C) 2016, Nikos Mavrogiannopoulos <nmav@redhat.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of
.\" this manual under the conditions for verbatim copying, provided that
.\" the entire resulting derived work is distributed under the terms of
.\" a permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume
.\" no responsibility for errors or omissions, or for damages resulting
.\" from the use of the information contained herein.  The author(s) may
.\" not have taken the same level of care in the production of this
.\" manual, which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\" The following web page is quite informative:
.\" http://www.2uo.de/myths-about-urandom/
.\"
.TH RANDOM 7 2017-03-13 "Linux" "Linux Programmer's Manual"
.SH NAME
random \- overview of interfaces for obtaining randomness
.SH DESCRIPTION
The kernel random-number generator relies on entropy gathered from
device drivers and other sources of environmental noise to seed
a cryptographically secure pseudorandom number generator (CSPRNG).
It is designed for security, rather than speed.
.PP
The following interfaces provide access to output from the kernel CSPRNG:
.IP * 3
The
.I /dev/urandom
and
.I /dev/random
devices, both described in
.BR random (4).
These devices have been present on Linux since early times,
and are also available on many other systems.
.IP *
The Linux-specific
.BR getrandom (2)
system call, available since Linux 3.17.
This system call provides access either to the same source as
.I /dev/urandom
(called the
.I urandom
source in this page)
or to the same source as
.I /dev/random
(called the
.I random
source in this page).
The default is the
.I urandom
source; the
.I random
source is selected by specifying the
.BR GRND_RANDOM
flag to the system call.
(The
.BR getentropy (3)
function provides a slightly more portable interface on top of
.BR getrandom (2).)
.\"
.SS Initialization of the entropy pool
The kernel collects bits of entropy from the environment.
When a sufficient number of random bits has been collected, the
entropy pool is considered to be initialized.
.SS Choice of random source
Unless you are doing long-term key generation (and most likely not even
then), you probably shouldn't be reading from the
.IR /dev/random
device or employing
.BR getrandom (2)
with the
.BR GRND_RANDOM
flag.
Instead, either read from the
.IR /dev/urandom
device or employ
.BR getrandom (2)
without the
.B GRND_RANDOM
flag.
The cryptographic algorithms used for the
.IR urandom
source are quite conservative, and so should be sufficient for all purposes.
.PP
The disadvantage of
.B GRND_RANDOM
and reads from
.I /dev/random
is that the operation can block for an indefinite period of time.
Furthermore, dealing with the partially fulfilled
requests that can occur when using
.B GRND_RANDOM
or when reading from
.I /dev/random
increases code complexity.
.\"
.SS Monte Carlo and other probabilistic sampling applications
Using these interfaces to provide large quantities of data for
Monte Carlo simulations or other programs/algorithms which are
doing probabilistic sampling will be slow.
Furthermore, it is unnecessary, because such applications do not
need cryptographically secure random numbers.
Instead, use the interfaces described in this page to obtain
a small amount of data to seed a user-space pseudorandom
number generator for use by such applications.
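The pattern the previous paragraph recommends, as an added example that is not part of this manual page or the kernel: 32 bytes are taken from the urandom source exactly once, and a user-space generator (xoshiro256**, which is fast but not cryptographic) produces the millions of samples a Monte Carlo run needs. The names xoshiro_next, seed_from_bytes, seed_from_kernel and estimate_pi are the example's own; it assumes Linux with glibc 2.25 or later for sys/random.h.

```c
/* Added example, not from the man page: seed a user-space PRNG once from
 * the kernel and draw Monte Carlo samples from it, as the page advises.
 * Assumed names: xoshiro_next, seed_from_bytes, seed_from_kernel,
 * estimate_pi. xoshiro256** is fast but NOT cryptographic; glibc >= 2.25. */
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/random.h>

struct xoshiro { uint64_t s[4]; };
static uint64_t rotl(uint64_t x, int k) { return (x << k) | (x >> (64 - k)); }

/* One xoshiro256** step. Never use this output as key material. */
uint64_t xoshiro_next(struct xoshiro *g)
{
    uint64_t *s = g->s, result = rotl(s[1] * 5, 7) * 9, t = s[1] << 17;
    s[2] ^= s[0]; s[3] ^= s[1]; s[1] ^= s[2]; s[0] ^= s[3];
    s[2] ^= t;
    s[3] = rotl(s[3], 45);
    return result;
}

/* Load a 32-byte seed; the all-zero state is rejected (xoshiro never leaves it). */
int seed_from_bytes(struct xoshiro *g, const unsigned char seed[32])
{
    memcpy(g->s, seed, 32);
    return (g->s[0] | g->s[1] | g->s[2] | g->s[3]) ? 0 : -1;
}

/* The only kernel interaction: 32 bytes from the urandom source, once. A
 * request this small is not split once the pool is initialized, so a short
 * return is treated as failure rather than retried. */
int seed_from_kernel(struct xoshiro *g)
{
    unsigned char seed[32];
    if (getrandom(seed, sizeof seed, 0) != (ssize_t)sizeof seed) return -1;
    return seed_from_bytes(g, seed);
}

/* Monte Carlo estimate of pi: share of uniform points in [0,1)^2 inside the
 * unit circle, times 4. Millions of samples cost no kernel entropy. */
double estimate_pi(struct xoshiro *g, unsigned long samples)
{
    unsigned long inside = 0;
    for (unsigned long i = 0; i < samples; i++) {
        double x = (xoshiro_next(g) >> 11) * 0x1p-53;   /* uniform in [0,1) */
        double y = (xoshiro_next(g) >> 11) * 0x1p-53;
        if (x * x + y * y < 1.0) inside++;
    }
    return 4.0 * (double)inside / (double)samples;
}
```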
.\"
.SS Comparison between getrandom, /dev/urandom, and /dev/random
The following table summarizes the behavior of the various
interfaces that can be used to obtain randomness.
.B GRND_NONBLOCK
is a flag that can be used to control the blocking behavior of
.BR getrandom (2).
The final column of the table considers the case that can occur
in early boot time when the entropy pool is not yet initialized.
.ad l
.TS
allbox;
lbw13 lbw12 lbw14 lbw18
l l l l.
Interface	Pool	T{
Blocking
\%behavior
T}	T{
Behavior when pool is not yet ready
T}
T{
.I /dev/random
T}	T{
Blocking pool
T}	T{
If entropy too low, blocks until there is enough entropy again
T}	T{
Blocks until enough entropy gathered
T}
T{
.I /dev/urandom
T}	T{
CSPRNG output
T}	T{
Never blocks
T}	T{
Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
T}
T{
.BR getrandom ()
T}	T{
Same as
.I /dev/urandom
T}	T{
Does not block once the pool is ready
T}	T{
Blocks until pool ready
T}
T{
.BR getrandom ()
.B GRND_RANDOM
T}	T{
Same as
.I /dev/random
T}	T{
If entropy too low, blocks until there is enough entropy again
T}	T{
Blocks until pool ready
T}
T{
.BR getrandom ()
.B GRND_NONBLOCK
T}	T{
Same as
.I /dev/urandom
T}	T{
Does not block once the pool is ready
T}	T{
.B EAGAIN
T}
T{
.BR getrandom ()
.B GRND_RANDOM
+
.B GRND_NONBLOCK
T}	T{
Same as
.I /dev/random
T}	T{
.B EAGAIN
if not enough entropy available
T}	T{
.B EAGAIN
T}
.TE
.ad
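A wrapper that follows the advice of the "Choice of random source" section and the rows of the table above, as an added example that is not part of this manual page or the kernel: it never selects the random source, loops over partial results and EINTR, surfaces EAGAIN when GRND_NONBLOCK is used before the pool is ready, and falls back to /dev/urandom when the kernel predates getrandom(2). The names fill_random, read_dev_urandom and pool_is_ready are the example's own; it assumes Linux with glibc 2.25 or later.

```c
/* Added example, not from the man page: a getrandom(2) wrapper for the
 * urandom source handling partial results, EINTR, EAGAIN (GRND_NONBLOCK)
 * and ENOSYS on pre-3.17 kernels (falls back to /dev/urandom). Assumed
 * names: fill_random, read_dev_urandom, pool_is_ready; glibc >= 2.25. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>
#include <unistd.h>

/* Read exactly n bytes from /dev/urandom, looping on short reads and EINTR. */
static int read_dev_urandom(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    return close(fd);
}

/* Fill buf with n bytes. GRND_RANDOM is stripped on purpose, so the call
 * blocks at most until the pool is initialized. Returns 0 on success, -1
 * with errno set (EAGAIN if GRND_NONBLOCK is set and the pool is not ready). */
int fill_random(unsigned char *buf, size_t n, unsigned int flags)
{
    flags &= ~(unsigned int)GRND_RANDOM;
    for (size_t got = 0; got < n; ) {
        ssize_t r = getrandom(buf + got, n - got, flags);
        if (r < 0 && errno == EINTR)
            continue;
        if (r < 0 && errno == ENOSYS)   /* pre-3.17 kernel: use the device */
            return read_dev_urandom(buf + got, n - got);
        if (r < 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Early-boot probe from the table: with GRND_NONBLOCK the kernel answers
 * EAGAIN instead of blocking while the pool is still uninitialized. */
int pool_is_ready(void)
{
    unsigned char probe[1];
    return fill_random(probe, sizeof probe, GRND_NONBLOCK) == 0;
}
```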
.\"
.SS Generating cryptographic keys
The amount of seed material required to generate a cryptographic key
equals the effective key size of the key.
For example, a 3072-bit RSA
or Diffie-Hellman private key has an effective key size of 128 bits
(it requires about 2^128 operations to break) so a key generator
needs only 128 bits (16 bytes) of seed material from
.IR /dev/random .
.PP
While some safety margin above that minimum is reasonable, as a guard
against flaws in the CSPRNG algorithm, no cryptographic primitive
available today can hope to promise more than 256 bits of security,
so if any program reads more than 256 bits (32 bytes) from the kernel
random pool per invocation, or per reasonable reseed interval (not less
than one minute), that should be taken as a sign that its cryptography is
.I not
skillfully implemented.
.\"
.SH SEE ALSO
.BR getrandom (2),
.BR getauxval (3),
.BR getentropy (3),
.BR random (4),
.BR urandom (4),
.BR signal (7)
.SH COLOPHON
This page is part of release 4.15 of the Linux
.I man-pages
project.
A description of the project,
information about reporting bugs,
and the latest version of this page,
can be found at
\%https://www.kernel.org/doc/man\-pages/.