/dev/random

In Unix-like operating systems, /dev/random is a special file that serves as a random number generator or as a pseudorandom number generator. It allows access to environmental noise collected from device drivers and other sources.^{[citation needed]} Not all operating systems implement the same semantics for /dev/random. Linux was the first operating system to implement a true random number generator in this way.

Linux

Random number generation from kernel space was implemented for the first time for Linux^[1] in 1994 by Theodore Ts'o.^[2] The implementation uses secure hashes rather than ciphers, as required to avoid legal restrictions that were in place when the generator was originally designed. The implementation was also designed with the assumption that any given hash or cipher might eventually be found to be weak, and so the design is durable in the face of any such weaknesses. Fast recovery from pool compromise is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system.

In this implementation, the generator keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created. When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.^[3] The intent is to serve as a cryptographically secure pseudorandom number generator, delivering output with entropy as large as possible. This is suggested for use in generating cryptographic keys for high-value or long-term protection.

A counterpart to /dev/random is /dev/urandom ("unlocked"/non-blocking random source^[4]) which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from /dev/random. While it is still intended as a pseudorandom number generator suitable for most cryptographic purposes, it is not recommended for the generation of long-term cryptographic keys.

It is also possible to write to /dev/random. This allows any user to mix random data into the pool. Non-random data is harmless, because only a privileged user can issue the ioctl needed to increase the entropy estimate. The current amount of entropy and the size of the Linux kernel entropy pool are available in /proc/sys/kernel/random/.

Gutterman, Pinkas, & Reinman in March 2006 published a detailed cryptographic analysis of the Linux random number generator^[5] in which they describe several weaknesses. Perhaps the most severe issue they report is with embedded or Live CD systems such as routers and diskless clients, for which the bootup state is predictable and the available supply of entropy from the environment may be limited. For a system with non-volatile memory, they recommend saving some state from the RNG at shutdown so that it can be included in the RNG state on the next reboot. In the case of a router for which network traffic represents the primary available source of entropy, they note that saving state across reboots "would require potential attackers to either eavesdrop on all network traffic" from when the router is first put into service, or obtain direct access to the router's internal state. This issue, they note, is particularly critical in the case of a wireless router whose network traffic can be captured from a distance, and which may be using the RNG to generate keys for data encryption.

FreeBSD

The FreeBSD operating system implements a 256-bit variant of the Yarrow algorithm, intended to provide a cryptographically secure pseudorandom stream—this replaced a previous Linux style random device. Unlike the Linux /dev/random, the FreeBSD /dev/random device never blocks. Its behavior is similar to the Linux /dev/urandom, and /dev/urandom on FreeBSD is linked to /dev/random.

Yarrow is based on the assumptions that modern PRNGs are very secure if their internal state is unknown to an attacker, and that they are better understood than the estimation of entropy. Whilst entropy pool based methods are completely secure if implemented correctly, if they overestimate their entropy they may become less secure than well-seeded PRNGs. In some cases an attacker may have a considerable amount of control over the entropy, for example a diskless server may get almost all of it from the network—rendering it potentially vulnerable to man-in-the-middle attacks. Yarrow places a lot of emphasis on avoiding any pool compromise and on recovering from it as quickly as possible. It is regularly reseeded; on a system with small amount of network and disk activity, this is done after a fraction of a second.

In 2004, Landon Curt Noll tested the FreeBSD 5.2.1 version of /dev/random and suggested that it was not cryptographically secure because its output had multiple uniformity flaws.^[6] Similar flaws were found in the Linux 2.4.21-20, Solaris 8 patch 108528-18, and Mac OS X 10.3.5 implementations of /dev/random.

FreeBSD also provides support for hardware random number generators, which will replace Yarrow when present.

Other operating systems

/dev/random and /dev/urandom are also available on Solaris, Mac OS X, NetBSD, OpenBSD, Tru64 UNIX 5.1B, AIX 5.2, and HP-UX 11i v2. As with FreeBSD, AIX implements its own Yarrow-based design, however AIX uses considerably fewer entropy sources than the standard /dev/random implementation and stops refilling the pool when it thinks it contains enough entropy.^[7]

In Windows NT, similar functionality is delivered by ksecdd.sys, but reading the special file \Device\KsecDD does not work as in UNIX. The documented methods to generate cryptographically random bytes are CryptGenRandom and RtlGenRandom.

While DOS doesn't naturally provide such functionality there is an open source third-party driver called Noise.sys which functions similarly in that it creates 2 devices, RANDOM$ and URANDOM$, which are also accessible as /DEV/RANDOM$ and /DEV/URANDOM$, that programs can access for random data.

EGD as an alternative

A software program called EGD (entropy gathering daemon) is a common alternative for Unix systems which do not support the /dev/random device. It is a user space daemon which provides high quality cryptographic random data. Some cryptographic software such as OpenSSL, GNU Privacy Guard, and the Apache HTTP Server support using EGD when a /dev/random device is not available.

EGD, or a compatible alternative such as prngd, gather pseudo-random entropy from various sources, process it to remove bias and improve cryptographic quality, and then make it available over a Unix domain socket (with /dev/egd-pool being a common choice), or over a TCP socket. The entropy gathering usually entails periodically forking subprocesses to query attributes of the system that are likely to be frequently changing and unpredictable, such as monitoring CPU, I/O, and network usage as well as the contents of various log files and temporary directories.

EGD communicates with other programs which need random data using a simple protocol. The client connects to an EGD socket and sends a command, identified by the value of the first octet:

• command 0: query the amount of entropy currently available. The EGD daemon returns a 4-byte number in big endian format representing the number of random bytes that can currently be satisfied without delay.
• command 1: get random bytes, no blocking. The second byte in the request tells EGD how many random bytes of output it should return, from 1 to 255. If EGD does not have enough entropy to immediately satisfy the request, fewer bytes, or perhaps no bytes may be returned. The first octet of the reply indicates how many additional bytes, those containing the random data, immediately follow in the reply.
• command 2: get random bytes, blocking. The second byte tells EGD how many random bytes of output it should return. If EGD does not have enough entropy, it will wait until it has gathered enough before responding. Unlike command 1, the reply starts immediately with the random bytes rather than a length octet, as the total length of returned data will not vary from the amount requested.
• command 3: update entropy. This command allows the client to provide additional entropy to be added to EGD's internal pool. The next two bytes, interpreted as a 16-bit big endian integer indicate how many bits of randomness the caller is claiming to be supplying. The fourth byte indicates how many additional bytes of source data follow in the request. The EGD daemon may mix in the received entropy and will return nothing back.

See also

• Unix philosophy
• Standard streams
• /dev/full
• /dev/null
• /dev/zero
• /dev
• Hardware random number generator
• Cryptographically secure pseudo-random number generator
• Yarrow algorithm
• Fortuna algorithm
• CryptGenRandom -- the Microsoft Windows API's CSPRNG

Notes

1. ^ Jack Lloyd (December 9, 2008). "On Syllable's /dev/random". Archived from the original on 2009-04-29. http://www.randombit.net/bitbashing/security/syllable_dev_random.html. Retrieved 2009-04-27. 
2. ^ "/dev/random". everything2.com. June 8, 2003. Archived from the original on 2009-04-29. http://everything2.com/title/%252Fdev%252Frandom. Retrieved 2009-04-27. 
3. ^ urandom(4) – Linux Special Files Manual
4. ^ http://www.kernel.org/doc/man-pages/online/pages/man4/random.4.html
5. ^ Zvi Gutterman; Benny Pinkas, Tzachy Reinman (March 6, 2006). "Analysis of the Linux Random Number Generator" (PDF). http://www.pinkas.net/PAPERS/gpr06.pdf. Retrieved 2008-09-18. 
6. ^ "How good is LavaRnd?: Detailed Description of Test Results and Conclusions", LavaRnd (LavaRnd), 22 Sep 2004, http://www.lavarnd.org/what/nist-test.html, retrieved 22 Dec. 2010 
7. ^ Iain Roberts (April 25, 2003). "AIX 5.2 /dev/random and /dev/urandom devices". Lists.gnupg.org. http://lists.gnupg.org/pipermail/gnupg-devel/2003-April/019954.html. Retrieved 2008-09-18. 

References

• CryptGenRandom
• RtlGenRandom
• Biege, Thomas; Analysis of a strong Random Number Generator Slides