random — overview of interfaces for obtaining randomness
The kernel random-number generator relies on entropy gathered from device drivers and other sources of environmental noise to seed a cryptographically secure pseudorandom number generator (CSPRNG). It is designed for security, rather than speed.
The following interfaces provide access to output from the kernel CSPRNG:
The /dev/urandom and
/dev/random devices, both
described in random(4). These
devices have been present on Linux since early times,
and are also available on many other systems.
The Linux-specific getrandom(2) system
call, available since Linux 3.17. This system call
provides access either to the same source as
/dev/urandom (called the
urandom
source in this page) or to the same source as
/dev/random (called the
random source
in this page). The default is the urandom source; the
random source
is selected by specifying the GRND_RANDOM flag to the system call.
(The getentropy(3)
function provides a slightly more portable interface on
top of getrandom(2).)
The kernel collects bits of entropy from the environment. When a sufficient number of random bits has been collected, the entropy pool is considered to be initialized.
Unless you are doing long-term key generation (and most
likely not even then), you probably shouldn't be reading
from the /dev/random device
or employing getrandom(2) with the
GRND_RANDOM flag. Instead,
either read from the /dev/urandom device or employ getrandom(2) without the
GRND_RANDOM flag. The
cryptographic algorithms used for the urandom source are quite
conservative, and so should be sufficient for all
purposes.
The disadvantage of GRND_RANDOM and reads from /dev/random is that the operation can
block for an indefinite period of time. Furthermore,
dealing with the partially fulfilled requests that can
occur when using GRND_RANDOM
or when reading from /dev/random increases code
complexity.
Using these interfaces to provide large quantities of data for Monte Carlo simulations or other programs/algorithms which are doing probabilistic sampling will be slow. Furthermore, it is unnecessary, because such applications do not need cryptographically secure random numbers. Instead, use the interfaces described in this page to obtain a small amount of data to seed a user-space pseudorandom number generator for use by such applications.
The following table summarizes the behavior of the
various interfaces that can be used to obtain randomness.
GRND_NONBLOCK is a flag that
can be used to control the blocking behavior of getrandom(2). The final
column of the table considers the case that can occur in
early boot time when the entropy pool is not yet
initialized.
| Interface | Pool | Blocking behavior | Behavior when pool is not yet ready |
| .I /dev/random | Blocking pool | If entropy too low, blocks until there is enough entropy again | Blocks until enough entropy gathered |
| .I /dev/urandom | CSPRNG output | Never blocks | Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography) |
getrandom() |
Same as .I /dev/urandom | Does not block once is pool ready | Blocks until pool ready |
getrandom() GRND_RANDOM |
Same as .I /dev/random | If entropy too low, blocks until there is enough entropy again | Blocks until pool ready |
getrandom() GRND_NONBLOCK |
Same as .I /dev/urandom | Does not block once is pool ready | EAGAIN |
getrandom() GRND_RANDOM + GRND_NONBLOCK |
Same as .I /dev/random | EAGAIN if not enough entropy
available |
EAGAIN |
The amount of seed material required to generate a
cryptographic key equals the effective key size of the key.
For example, a 3072-bit RSA or Diffie-Hellman private key
has an effective key size of 128 bits (it requires about
2^128 operations to break) so a key generator needs only
128 bits (16 bytes) of seed material from /dev/random.
While some safety margin above that minimum is
reasonable, as a guard against flaws in the CSPRNG
algorithm, no cryptographic primitive available today can
hope to promise more than 256 bits of security, so if any
program reads more than 256 bits (32 bytes) from the kernel
random pool per invocation, or per reasonable reseed
interval (not less than one minute), that should be taken
as a sign that its cryptography is not skillfully
implemented.
This page is part of release 4.16 of the Linux man-pages project. A
description of the project, information about reporting bugs,
and the latest version of this page, can be found at
https://www.kernel.org/doc/man−pages/.
|
Copyright (C) 2008, George Spelvin <linuxhorizon.com>, and Copyright (C) 2008, Matt Mackall <mpmselenic.com> and Copyright (C) 2016, Laurent Georget <laurent.georgetsupelec.fr> and Copyright (C) 2016, Nikos Mavrogiannopoulos <nmavredhat.com> %%%LICENSE_START(VERBATIM) Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Since the Linux kernel and libraries are constantly changing, this manual page may be incorrect or out-of-date. The author(s) assume. no responsibility for errors or omissions, or for damages resulting. from the use of the information contained herein. The author(s) may. not have taken the same level of care in the production of this. manual, which is licensed free of charge, as they might when working. professionally. Formatted or processed versions of this manual, if unaccompanied by the source, must acknowledge the copyright and authors of this work. %%%LICENSE_END The following web page is quite informative: http://www.2uo.de/myths-about-urandom/ |