πŸ’Ύ Archived View for gmi.noulin.net β€Ί man β€Ί man7 β€Ί random.7.gmi captured on 2024-08-25 at 02:00:08. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-06-12)

-=-=-=-=-=-=-

RANDOM(7)                                                               Linux Programmer's Manual                                                              RANDOM(7)

NAME
       random - overview of interfaces for obtaining randomness

DESCRIPTION
       The  kernel  random-number  generator  relies on entropy gathered from device drivers and other sources of environmental noise to seed a cryptographically secure
       pseudorandom number generator (CSPRNG).  It is designed for security, rather than speed.

       The following interfaces provide access to output from the kernel CSPRNG:

       *  The /dev/urandom and /dev/random devices, both described in random(4).  These devices have been present on Linux since early times, and are also available  on
          many other systems.

       *  The  Linux-specific  getrandom(2) system call, available since Linux 3.17.  This system call provides access either to the same source as /dev/urandom (called
          the urandom source in this page) or to the same source as /dev/random (called the random source in this page).  The default is the urandom source; the  random
          source  is  selected by specifying the GRND_RANDOM flag to the system call.  (The getentropy(3) function provides a slightly more portable interface on top of
          getrandom(2).)

   Initialization of the entropy pool
       The kernel collects bits of entropy from the environment.  When a sufficient number of random bits has been collected, the entropy pool is considered to be  ini‐
       tialized.

   Choice of random source
       Unless you are doing long-term key generation (and most likely not even then), you probably shouldn't be reading from the /dev/random device or employing getran‐
       dom(2) with the GRND_RANDOM flag.  Instead, either read from the /dev/urandom device or employ getrandom(2) without the GRND_RANDOM flag.  The cryptographic  al‐
       gorithms used for the urandom source are quite conservative, and so should be sufficient for all purposes.

       The  disadvantage of GRND_RANDOM and reads from /dev/random is that the operation can block for an indefinite period of time.  Furthermore, dealing with the par‐
       tially fulfilled requests that can occur when using GRND_RANDOM or when reading from /dev/random increases code complexity.

   Monte Carlo and other probabilistic sampling applications
       Using these interfaces to provide large quantities of data for Monte Carlo simulations or other programs/algorithms which are doing probabilistic  sampling  will
       be  slow.   Furthermore, it is unnecessary, because such applications do not need cryptographically secure random numbers.  Instead, use the interfaces described
       in this page to obtain a small amount of data to seed a user-space pseudorandom number generator for use by such applications.

   Comparison between getrandom, /dev/urandom, and /dev/random
       The following table summarizes the behavior of the various interfaces that can be used to obtain randomness.  GRND_NONBLOCK is a flag that can be used to control
       the  blocking behavior of getrandom(2).  The final column of the table considers the case that can occur in early boot time when the entropy pool is not yet ini‐
       tialized.

       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
       β”‚Interface     β”‚ Pool         β”‚ Blocking       β”‚ Behavior when pool β”‚
       β”‚              β”‚              β”‚ behavior       β”‚ is not yet ready   β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚/dev/random   β”‚ Blocking     β”‚ If entropy too β”‚ Blocks until       β”‚
       β”‚              β”‚ pool         β”‚ low, blocks    β”‚ enough entropy     β”‚
       β”‚              β”‚              β”‚ until there is β”‚ gathered           β”‚
       β”‚              β”‚              β”‚ enough entropy β”‚                    β”‚
       β”‚              β”‚              β”‚ again          β”‚                    β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚/dev/urandom  β”‚ CSPRNG out‐  β”‚ Never blocks   β”‚ Returns output     β”‚
       β”‚              β”‚ put          β”‚                β”‚ from uninitialized β”‚
       β”‚              β”‚              β”‚                β”‚ CSPRNG (may be low β”‚
       β”‚              β”‚              β”‚                β”‚ entropy and un‐    β”‚
       β”‚              β”‚              β”‚                β”‚ suitable for cryp‐ β”‚
       β”‚              β”‚              β”‚                β”‚ tography)          β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚getrandom()   β”‚ Same as      β”‚ Does not block β”‚ Blocks until pool  β”‚
       β”‚              β”‚ /dev/urandom β”‚ once is pool   β”‚ ready              β”‚
       β”‚              β”‚              β”‚ ready          β”‚                    β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚getrandom()   β”‚ Same as      β”‚ If entropy too β”‚ Blocks until pool  β”‚
       β”‚GRND_RANDOM   β”‚ /dev/random  β”‚ low, blocks    β”‚ ready              β”‚
       β”‚              β”‚              β”‚ until there is β”‚                    β”‚
       β”‚              β”‚              β”‚ enough entropy β”‚                    β”‚
       β”‚              β”‚              β”‚ again          β”‚                    β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚getrandom()   β”‚ Same as      β”‚ Does not block β”‚ EAGAIN             β”‚
       β”‚GRND_NONBLOCK β”‚ /dev/urandom β”‚ once is pool   β”‚                    β”‚
       β”‚              β”‚              β”‚ ready          β”‚                    β”‚
       β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
       β”‚getrandom()   β”‚ Same as      β”‚ EAGAIN if not  β”‚ EAGAIN             β”‚
       β”‚GRND_RANDOM + β”‚ /dev/random  β”‚ enough entropy β”‚                    β”‚
       β”‚GRND_NONBLOCK β”‚              β”‚ available      β”‚                    β”‚
       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
   Generating cryptographic keys
       The  amount  of  seed  material required to generate a cryptographic key equals the effective key size of the key.  For example, a 3072-bit RSA or Diffie-Hellman
       private key has an effective key size of 128 bits (it requires about 2^128 operations to break) so a key generator needs only 128 bits (16 bytes) of  seed  mate‐
       rial from /dev/random.

       While  some safety margin above that minimum is reasonable, as a guard against flaws in the CSPRNG algorithm, no cryptographic primitive available today can hope
       to promise more than 256 bits of security, so if any program reads more than 256 bits (32 bytes) from the kernel random pool per invocation,  or  per  reasonable
       reseed interval (not less than one minute), that should be taken as a sign that its cryptography is not skillfully implemented.

SEE ALSO
       getrandom(2), getauxval(3), getentropy(3), random(4), urandom(4), signal(7)

Linux                                                                          2017-03-13                                                                      RANDOM(7)