diff options
Diffstat (limited to 'man7/random.7')
-rw-r--r-- | man7/random.7 | 213 |
1 files changed, 0 insertions, 213 deletions
diff --git a/man7/random.7 b/man7/random.7 deleted file mode 100644 index 5ba6d33..0000000 --- a/man7/random.7 +++ /dev/null @@ -1,213 +0,0 @@ -'\" t -.\" Copyright (C) 2008, George Spelvin <linux@horizon.com>, -.\" and Copyright (C) 2008, Matt Mackall <mpm@selenic.com> -.\" and Copyright (C) 2016, Laurent Georget <laurent.georget@supelec.fr> -.\" and Copyright (C) 2016, Nikos Mavrogiannopoulos <nmav@redhat.com> -.\" -.\" SPDX-License-Identifier: Linux-man-pages-copyleft -.\" -.\" The following web page is quite informative: -.\" http://www.2uo.de/myths-about-urandom/ -.\" -.TH random 7 2023-10-31 "Linux man-pages 6.7" -.SH NAME -random \- overview of interfaces for obtaining randomness -.SH DESCRIPTION -The kernel random-number generator relies on entropy gathered from -device drivers and other sources of environmental noise to seed -a cryptographically secure pseudorandom number generator (CSPRNG). -It is designed for security, rather than speed. -.P -The following interfaces provide access to output from the kernel CSPRNG: -.IP \[bu] 3 -The -.I /dev/urandom -and -.I /dev/random -devices, both described in -.BR random (4). -These devices have been present on Linux since early times, -and are also available on many other systems. -.IP \[bu] -The Linux-specific -.BR getrandom (2) -system call, available since Linux 3.17. -This system call provides access either to the same source as -.I /dev/urandom -(called the -.I urandom -source in this page) -or to the same source as -.I /dev/random -(called the -.I random -source in this page). -The default is the -.I urandom -source; the -.I random -source is selected by specifying the -.B GRND_RANDOM -flag to the system call. -(The -.BR getentropy (3) -function provides a slightly more portable interface on top of -.BR getrandom (2).) -.\" -.SS Initialization of the entropy pool -The kernel collects bits of entropy from the environment. -When a sufficient number of random bits has been collected, the -entropy pool is considered to be initialized. -.SS Choice of random source -Unless you are doing long-term key generation (and most likely not even -then), you probably shouldn't be reading from the -.I /dev/random -device or employing -.BR getrandom (2) -with the -.B GRND_RANDOM -flag. -Instead, either read from the -.I /dev/urandom -device or employ -.BR getrandom (2) -without the -.B GRND_RANDOM -flag. -The cryptographic algorithms used for the -.I urandom -source are quite conservative, and so should be sufficient for all purposes. -.P -The disadvantage of -.B GRND_RANDOM -and reads from -.I /dev/random -is that the operation can block for an indefinite period of time. -Furthermore, dealing with the partially fulfilled -requests that can occur when using -.B GRND_RANDOM -or when reading from -.I /dev/random -increases code complexity. -.\" -.SS Monte Carlo and other probabilistic sampling applications -Using these interfaces to provide large quantities of data for -Monte Carlo simulations or other programs/algorithms which are -doing probabilistic sampling will be slow. -Furthermore, it is unnecessary, because such applications do not -need cryptographically secure random numbers. -Instead, use the interfaces described in this page to obtain -a small amount of data to seed a user-space pseudorandom -number generator for use by such applications. -.\" -.SS Comparison between getrandom, /dev/urandom, and /dev/random -The following table summarizes the behavior of the various -interfaces that can be used to obtain randomness. -.B GRND_NONBLOCK -is a flag that can be used to control the blocking behavior of -.BR getrandom (2). -The final column of the table considers the case that can occur -in early boot time when the entropy pool is not yet initialized. -.ad l -.TS -allbox; -lbw13 lbw12 lbw14 lbw18 -l l l l. -Interface Pool T{ -Blocking -\%behavior -T} T{ -Behavior when pool is not yet ready -T} -T{ -.I /dev/random -T} T{ -Blocking pool -T} T{ -If entropy too low, blocks until there is enough entropy again -T} T{ -Blocks until enough entropy gathered -T} -T{ -.I /dev/urandom -T} T{ -CSPRNG output -T} T{ -Never blocks -T} T{ -Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography) -T} -T{ -.BR getrandom () -T} T{ -Same as -.I /dev/urandom -T} T{ -Does not block once is pool ready -T} T{ -Blocks until pool ready -T} -T{ -.BR getrandom () -.B GRND_RANDOM -T} T{ -Same as -.I /dev/random -T} T{ -If entropy too low, blocks until there is enough entropy again -T} T{ -Blocks until pool ready -T} -T{ -.BR getrandom () -.B GRND_NONBLOCK -T} T{ -Same as -.I /dev/urandom -T} T{ -Does not block once is pool ready -T} T{ -.B EAGAIN -T} -T{ -.BR getrandom () -.B GRND_RANDOM -+ -.B GRND_NONBLOCK -T} T{ -Same as -.I /dev/random -T} T{ -.B EAGAIN -if not enough entropy available -T} T{ -.B EAGAIN -T} -.TE -.ad -.\" -.SS Generating cryptographic keys -The amount of seed material required to generate a cryptographic key -equals the effective key size of the key. -For example, a 3072-bit RSA -or Diffie-Hellman private key has an effective key size of 128 bits -(it requires about 2\[ha]128 operations to break) so a key generator -needs only 128 bits (16 bytes) of seed material from -.IR /dev/random . -.P -While some safety margin above that minimum is reasonable, as a guard -against flaws in the CSPRNG algorithm, no cryptographic primitive -available today can hope to promise more than 256 bits of security, -so if any program reads more than 256 bits (32 bytes) from the kernel -random pool per invocation, or per reasonable reseed interval (not less -than one minute), that should be taken as a sign that its cryptography is -.I not -skillfully implemented. -.\" -.SH SEE ALSO -.BR getrandom (2), -.BR getauxval (3), -.BR getentropy (3), -.BR random (4), -.BR urandom (4), -.BR signal (7) |