random - Man Page

overview of interfaces for obtaining randomness

Description

The kernel random-number generator relies on entropy gathered from device drivers and other sources of environmental noise to seed a cryptographically secure pseudorandom number generator (CSPRNG). It is designed for security, rather than speed.

The following interfaces provide access to output from the kernel CSPRNG:

Initialization of the entropy pool

The kernel collects bits of entropy from the environment. When a sufficient number of random bits has been collected, the entropy pool is considered to be initialized.

Choice of random source

Unless you are doing long-term key generation (and most likely not even then), you probably shouldn't be reading from the /dev/random device or employing getrandom(2) with the GRND_RANDOM flag. Instead, either read from the /dev/urandom device or employ getrandom(2) without the GRND_RANDOM flag. The cryptographic algorithms used for the urandom source are quite conservative, and so should be sufficient for all purposes.

The disadvantage of GRND_RANDOM and reads from /dev/random is that the operation can block for an indefinite period of time. Furthermore, dealing with the partially fulfilled requests that can occur when using GRND_RANDOM or when reading from /dev/random increases code complexity.

Monte Carlo and other probabilistic sampling applications

Using these interfaces to provide large quantities of data for Monte Carlo simulations or other programs/algorithms which are doing probabilistic sampling will be slow. Furthermore, it is unnecessary, because such applications do not need cryptographically secure random numbers. Instead, use the interfaces described in this page to obtain a small amount of data to seed a user-space pseudorandom number generator for use by such applications.

Comparison between getrandom, /dev/urandom, and /dev/random

The following table summarizes the behavior of the various interfaces that can be used to obtain randomness. GRND_NONBLOCK is a flag that can be used to control the blocking behavior of getrandom(2). The final column of the table considers the case that can occur in early boot time when the entropy pool is not yet initialized.

InterfacePoolBlocking behaviorBehavior when pool is not yet ready
/dev/randomBlocking poolIf entropy too low, blocks until there is enough entropy againBlocks until enough entropy gathered
/dev/urandomCSPRNG outputNever blocksReturns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
getrandom()Same as /dev/urandomDoes not block once is pool readyBlocks until pool ready
getrandom() GRND_RANDOMSame as /dev/randomIf entropy too low, blocks until there is enough entropy againBlocks until pool ready
getrandom() GRND_NONBLOCKSame as /dev/urandomDoes not block once is pool readyEAGAIN
getrandom() GRND_RANDOM + GRND_NONBLOCKSame as /dev/randomEAGAIN if not enough entropy availableEAGAIN

Generating cryptographic keys

The amount of seed material required to generate a cryptographic key equals the effective key size of the key. For example, a 3072-bit RSA or Diffie-Hellman private key has an effective key size of 128 bits (it requires about 2^128 operations to break) so a key generator needs only 128 bits (16 bytes) of seed material from /dev/random.

While some safety margin above that minimum is reasonable, as a guard against flaws in the CSPRNG algorithm, no cryptographic primitive available today can hope to promise more than 256 bits of security, so if any program reads more than 256 bits (32 bytes) from the kernel random pool per invocation, or per reasonable reseed interval (not less than one minute), that should be taken as a sign that its cryptography is not skillfully implemented.

See Also

getrandom(2), getauxval(3), getentropy(3), random(4), urandom(4), signal(7)

Referenced By

arc4random(3), getentropy(3), getrandom(2), random(4).

2024-05-02 Linux man-pages 6.9.1