Commit | Line | Data |
---|---|---|
fea681da MK |
1 | .\" Copyright (c) 1997 John S. Kallal (kallal@voicenet.com) |
2 | .\" | |
3 | .\" This is free documentation; you can redistribute it and/or | |
4 | .\" modify it under the terms of the GNU General Public License as | |
5 | .\" published by the Free Software Foundation; either version 2 of | |
6 | .\" the License, or (at your option) any later version. | |
7 | .\" | |
8 | .\" Some changes by tytso and aeb. | |
9 | .\" | |
8deb0f0d | 10 | .\" 2004-12-16, John V. Belmonte/mtk, Updated init and quit scripts |
704a18f0 | 11 | .\" 2004-04-08, AEB, Improved description of read from /dev/urandom |
9ed0f081 MK |
12 | .\" 2008-06-20, George Spelvin <linux@horizon.com>, |
13 | .\" Matt Mackall <mpm@selenic.com> | |
14 | .\" Add a Usage subsection that recommends most users to use | |
15 | .\" /dev/urandom, and emphasizes parsimonious usage of /dev/random. | |
8deb0f0d | 16 | .\" |
cfd8e328 | 17 | .TH RANDOM 4 2008-06-19 "Linux" "Linux Programmer's Manual" |
fea681da MK |
18 | .SH NAME |
19 | random, urandom \- kernel random number source devices | |
20 | .SH DESCRIPTION | |
c13182ef | 21 | The character special files \fI/dev/random\fP and |
8478ee02 | 22 | \fI/dev/urandom\fP (present since Linux 1.3.30) |
c13182ef MK |
23 | provide an interface to the kernel's random number generator. |
24 | File \fI/dev/random\fP has major device number 1 | |
25 | and minor device number 8. | |
26 | File \fI/dev/urandom\fP has major device number 1 and minor device number 9. | |
fea681da | 27 | .LP |
c13182ef MK |
28 | The random number generator gathers environmental noise |
29 | from device drivers and other sources into an entropy pool. | |
30 | The generator also keeps an estimate of the | |
fea681da MK |
31 | number of bits of noise in the entropy pool. |
32 | From this entropy pool random numbers are created. | |
c13182ef MK |
33 | .LP |
34 | When read, the \fI/dev/random\fP device will only return random bytes | |
35 | within the estimated number of bits of noise in the entropy | |
be7fff26 MK |
36 | pool. |
37 | \fI/dev/random\fP should be suitable for uses that need very | |
c13182ef MK |
38 | high quality randomness such as one-time pad or key generation. |
39 | When the entropy pool is empty, reads from \fI/dev/random\fP will block | |
fea681da | 40 | until additional environmental noise is gathered. |
c13182ef | 41 | .LP |
8478ee02 | 42 | A read from the \fI/dev/urandom\fP device will not block |
c892f4ca MK |
43 | waiting for more entropy. |
44 | As a result, if there is not sufficient entropy in the | |
fea681da | 45 | entropy pool, the returned values are theoretically vulnerable to a |
c13182ef MK |
46 | cryptographic attack on the algorithms used by the driver. |
47 | Knowledge of how to do this is not available in the current non-classified | |
fea681da | 48 | literature, but it is theoretically possible that such an attack may |
c13182ef MK |
49 | exist. |
50 | If this is a concern in your application, use \fI/dev/random\fP | |
fea681da | 51 | instead. |
9ed0f081 MK |
52 | .SS Usage |
53 | If you are unsure about whether you should use | |
54 | .IR /dev/random | |
55 | or | |
56 | .IR /dev/urandom , | |
57 | then probably you want to use the latter. | |
58 | As a general rule, | |
59 | .IR /dev/urandom | |
60 | should be used for everything except long-lived GPG/SSL/SSH keys. | |
61 | ||
62 | If a seed file is saved across reboots as recommended below (all major | |
63 | Linux distributions have done this since 2000 at least), the output is | |
64 | cryptographically secure against attackers without local root access as | |
65 | soon as it is reloaded in the boot sequence, and perfectly adequate for | |
66 | network encryption session keys. | |
67 | Users of | |
68 | .I /dev/random | |
69 | will usually want to open it in non-blocking mode | |
70 | and provide some sort of timeout or user notification if the desired | |
71 | entropy is not immediately available. | |
72 | ||
73 | The kernel random-number generator is designed to produce a small | |
74 | amount of high-quality seed material to seed a | |
75 | cryptographic pseudo-random number generator (CPRNG). | |
76 | It is designed for security, not speed, and is poorly | |
77 | suited to generating large amounts of random data. | |
78 | Users should be very economical in the amount of seed | |
79 | material that they read from | |
cfd8e328 MK |
80 | .IR /dev/urandom |
81 | (and | |
82 | .IR /dev/random ); | |
9ed0f081 MK |
83 | unnecessarily reading large quantities of data from this device will have |
84 | a negative impact on other users of the device. | |
85 | ||
86 | The amount of seed material required to generate a cryptographic key | |
87 | equals the effective key size of the key. | |
88 | For example, a 3072-bit RSA | |
89 | or Diffie-Hellman private key has an effective key size of 128 bits | |
90 | (it requires about 2^128 operations to break) so a key generator only | |
91 | needs 128 bits (16 bytes) of seed material from | |
92 | .IR /dev/random . | |
93 | ||
94 | While some fudge factor above that minimum is reasonable, as a guard | |
95 | against flaws in the CPRNG algorithm, no cryptographic primitive | |
96 | available today can hope to promise more than 256 bits of security, | |
97 | so if any program reads more than 256 bits (32 bytes) from the kernel | |
98 | random pool per invocation, or per reasonable re-seed interval (not less | |
99 | than one minute), that should be taken as a sign that its cryptography is | |
100 | .I not | |
101 | skilfully implemented. | |
8eb40c9c | 102 | .SS Configuration |
fea681da | 103 | If your system does not have |
c13182ef | 104 | \fI/dev/random\fP and \fI/dev/urandom\fP created already, they |
fea681da MK |
105 | can be created with the following commands: |
106 | ||
107 | .nf | |
7295b7ed MK |
108 | mknod \-m 644 /dev/random c 1 8 |
109 | mknod \-m 644 /dev/urandom c 1 9 | |
110 | chown root:root /dev/random /dev/urandom | |
fea681da | 111 | .fi |
c13182ef MK |
112 | |
113 | When a Linux system starts up without much operator interaction, | |
fea681da | 114 | the entropy pool may be in a fairly predictable state. |
c13182ef MK |
115 | This reduces the actual amount of noise in the entropy pool |
116 | below the estimate. | |
117 | In order to counteract this effect, it helps to carry | |
118 | entropy pool information across shut-downs and start-ups. | |
119 | To do this, add the following lines to an appropriate script | |
120 | which is run during the Linux system start-up sequence: | |
fea681da MK |
121 | |
122 | .nf | |
7295b7ed MK |
123 | echo "Initializing random number generator..." |
124 | random_seed=/var/run/random-seed | |
125 | # Carry a random seed from start-up to start-up | |
126 | # Load and then save the whole entropy pool | |
127 | if [ \-f $random_seed ]; then | |
128 | cat $random_seed >/dev/urandom | |
129 | else | |
130 | touch $random_seed | |
131 | fi | |
132 | chmod 600 $random_seed | |
133 | poolfile=/proc/sys/kernel/random/poolsize | |
26868e5b | 134 | [ \-r $poolfile ] && bytes=\`cat $poolfile\` || bytes=512 |
7295b7ed | 135 | dd if=/dev/urandom of=$random_seed count=1 bs=$bytes |
fea681da MK |
136 | .fi |
137 | ||
c13182ef | 138 | Also, add the following lines in an appropriate script which is |
fea681da | 139 | run during the Linux system shutdown: |
c13182ef | 140 | |
fea681da | 141 | .nf |
7295b7ed MK |
142 | # Carry a random seed from shut-down to start-up |
143 | # Save the whole entropy pool | |
144 | echo "Saving random seed..." | |
145 | random_seed=/var/run/random-seed | |
146 | touch $random_seed | |
147 | chmod 600 $random_seed | |
148 | poolfile=/proc/sys/kernel/random/poolsize | |
26868e5b | 149 | [ \-r $poolfile ] && bytes=\`cat $poolfile\` || bytes=512 |
7295b7ed | 150 | dd if=/dev/urandom of=$random_seed count=1 bs=$bytes |
fea681da | 151 | .fi |
8eb40c9c | 152 | .SS "/proc Interface" |
fea681da MK |
153 | The files in the directory |
154 | .I /proc/sys/kernel/random | |
155 | (present since 2.3.16) provide an additional interface to the | |
8478ee02 | 156 | .I /dev/random |
fea681da MK |
157 | device. |
158 | .LP | |
159 | The read-only file | |
160 | .I entropy_avail | |
c13182ef MK |
161 | gives the available entropy. |
162 | Normally, this will be 4096 (bits), | |
fea681da MK |
163 | a full entropy pool. |
164 | .LP | |
165 | The file | |
166 | .I poolsize | |
c13182ef | 167 | gives the size of the entropy pool. |
da84883c MK |
168 | The semantics of this file vary across kernel versions: |
169 | .RS | |
170 | .TP 12 | |
171 | Linux 2.4: | |
172 | This file gives the size of the entropy pool in | |
173 | .IR bytes . | |
174 | Normally, this file will have the value 512, but it is writable, | |
175 | and can be changed to any value for which an algorithm is available. | |
176 | The choices are 32, 64, 128, 256, 512, 1024, or 2048. | |
177 | .TP | |
178 | Linux 2.6: | |
179 | This file is read-only, and gives the size of the entropy pool in | |
180 | .IR bits . | |
181 | It contains the value 4096. | |
182 | .RE | |
fea681da MK |
183 | .LP |
184 | The file | |
185 | .I read_wakeup_threshold | |
186 | contains the number of bits of entropy required for waking up processes | |
187 | that sleep waiting for entropy from | |
31e9a9ec | 188 | .IR /dev/random . |
fea681da MK |
189 | The default is 64. |
190 | The file | |
191 | .I write_wakeup_threshold | |
192 | contains the number of bits of entropy below which we wake up | |
193 | processes that do a | |
5e21af3a | 194 | .BR select (2) |
fea681da | 195 | or |
5e21af3a | 196 | .BR poll (2) |
fea681da | 197 | for write access to |
31e9a9ec | 198 | .IR /dev/random . |
fea681da MK |
199 | These values can be changed by writing to the files. |
200 | .LP | |
201 | The read-only files | |
202 | .I uuid | |
203 | and | |
204 | .I boot_id | |
205 | contain random strings like 6fd5a44b-35f4-4ad4-a9b9-6b9be13e1fe9. | |
206 | The former is generated afresh for each read, the latter was | |
207 | generated once. | |
208 | .SH FILES | |
209 | /dev/random | |
210 | .br | |
211 | /dev/urandom | |
dc919d09 MK |
212 | .\" .SH AUTHOR |
213 | .\" The kernel's random number generator was written by | |
214 | .\" Theodore Ts'o (tytso@athena.mit.edu). | |
fea681da MK |
215 | .SH "SEE ALSO" |
216 | mknod (1) | |
217 | .br | |
331da7c3 | 218 | RFC\ 1750, "Randomness Recommendations for Security" |
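
The Usage subsection's advice for /dev/random (open it in non-blocking mode, apply a timeout, notify the user), shown as an added C example that is not part of the man page or the kernel sources. The helper name read_random_timeout, the 16-byte request (the 128-bit seed size the page cites) and the 2-second wait are assumptions chosen for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (not from the man page): read up to len bytes from a
 * random device without ever blocking indefinitely. timeout_ms bounds each
 * wait for the device to become readable. Returns the number of bytes
 * obtained (less than len means the wait timed out), or -1 if open fails. */
ssize_t read_random_timeout(const char *path, unsigned char *buf,
                            size_t len, int timeout_ms)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;

    size_t got = 0;
    while (got < len) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: wait again */
        if (rc <= 0)
            break;                  /* timed out, or poll itself failed */
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;       /* short reads are normal: keep going */
        else if (n < 0 && (errno == EAGAIN || errno == EINTR))
            continue;               /* pool drained between poll and read */
        else
            break;                  /* unexpected error or EOF */
    }
    close(fd);
    return (ssize_t)got;
}

int main(void)
{
    unsigned char seed[16];         /* 128 bits of seed material */
    ssize_t n = read_random_timeout("/dev/random", seed, sizeof seed, 2000);
    if (n != (ssize_t)sizeof seed) {
        fprintf(stderr, "entropy not available yet (got %zd bytes)\n", n);
        return 1;
    }
    return 0;
}
```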