.\" Copyright (c) 2001-2015 Mark R V Murray. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd the entropy device
.Cd "options RANDOM_LOADABLE"
.Cd "options RANDOM_ENABLE_UMA"
returns an endless supply of random bytes when read.
It also accepts and reads data
The generator will start in an
state, and will block reads until
it is seeded for the first time.
This may cause trouble at system boot
when keys and the like
so steps should be taken to ensure a
seeding as soon as possible.
by using the KERN_ARND sysctl.
.Dl "sysctl -x -B 16 kern.arandom"
This sysctl will not return
of random number generators
is a bootstrapping problem
that needs very careful attention.
to find enough randomness
to seed a random number generator
until a system is fully operational,
but the system requires random numbers
to become fully operational.
It is (or more accurately should be)
critically important that the
before the first time it is used.
In the case where a dummy or "blocking-only"
it is the responsibility
of the system architect
to ensure that no blocking reads
hold up critical processes.
To see the current settings of the software
device, use the command line:
.Dl "sysctl kern.random"
which results in something like:
.Bd -literal -offset indent
kern.random.fortuna.minpoolsize: 64
kern.random.harvest.mask_symbolic: [HIGH_PERFORMANCE], ... ,CACHED
kern.random.harvest.mask_bin: 00111111111
kern.random.harvest.mask: 511
kern.random.random_sources: 'Intel Secure Key RNG'
.Dl kern.random.fortuna.minpoolsize
.Dl kern.random.harvest.mask
all settings are read-only.
.Pa kern.random.fortuna.minpoolsize
to set the seed threshold.
A smaller number gives a faster seed,
but a less secure one.
values between 64 and 256
.Va kern.random.harvest.mask
bitmask is used to select
the possible entropy sources.
A 0 (zero) value means
the corresponding source
as an entropy source.
Set the bit to 1 (one)
.Va kern.random.harvest.mask_bin
.Va kern.random.harvest.mask_symbolic
can be used to confirm
that the choices are correct.
Note that disabled items
are listed in square brackets.
for more on the harvesting of entropy.
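
The cross-check described above, as an added example that is not part of the original manual page or of FreeBSD: a POSIX shell function that reads "sysctl kern.random" output, verifies that mask and mask_bin agree, and lists the sources shown in square brackets. The sample input is constructed, SRC_B and SRC_C are made-up source names, and the one-entry-per-bit correspondence between mask_symbolic and mask_bin is an assumption inferred from the sample output above.

```shell
#!/bin/sh
# Constructed sample (not real output): 4 sources, highest bit first.
# SRC_B and SRC_C are made-up names; the page elides the real list.
SAMPLE='kern.random.harvest.mask_symbolic: [HIGH_PERFORMANCE],SRC_C,[SRC_B],CACHED
kern.random.harvest.mask_bin: 0101
kern.random.harvest.mask: 5'

# Convert a string of 0/1 characters to decimal; fail on anything else.
bin_to_dec() {
    b=$1; n=0
    while [ -n "$b" ]; do
        rest=${b#?}; d=${b%"$rest"}
        case $d in 0|1) ;; *) return 1 ;; esac
        n=$((n * 2 + d)); b=$rest
    done
    echo "$n"
}

# stdin: sysctl output. Prints each bracketed (disabled) source on its own line.
disabled_sources() {
    sed -n 's/^kern\.random\.harvest\.mask_symbolic: //p' |
        tr ',' '\n' | sed -n 's/^ *\[\(.*\)\] *$/\1/p'
}

# stdin: sysctl output. Returns 0 and lists disabled sources when the three
# views agree, 1 when they disagree, 2 when a field is missing or malformed.
check_harvest() {
    out=$(cat)
    mask=$(printf '%s\n' "$out" | sed -n 's/^kern\.random\.harvest\.mask: //p')
    bin=$(printf '%s\n' "$out" | sed -n 's/^kern\.random\.harvest\.mask_bin: //p')
    [ -n "$mask" ] && [ -n "$bin" ] || { echo "missing mask fields" >&2; return 2; }
    dec=$(bin_to_dec "$bin") || { echo "malformed mask_bin: $bin" >&2; return 2; }
    [ "$dec" -eq "$mask" ] || { echo "mask $mask != mask_bin $bin" >&2; return 1; }
    # Assumption: one mask_symbolic entry per mask_bin bit, so the number of
    # 0 bits must equal the number of bracketed names.
    zeros=$(printf '%s' "$bin" | tr -d '1' | wc -c | tr -d ' ')
    off=$(printf '%s\n' "$out" | disabled_sources | grep -c . || true)
    [ "$zeros" -eq "$off" ] || { echo "$zeros zero bits, $off bracketed" >&2; return 1; }
    printf '%s\n' "$out" | disabled_sources
}

# On a live system: sysctl kern.random | check_harvest
printf '%s\n' "$SAMPLE" | check_harvest
```
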
.Cd "options RANDOM_LOADABLE"
device is not created
until an "algorithm module"
are built by default,
module is deprecated,
and will be removed in
Use of the Yarrow algorithm
but while still present
in the kernel source,
it can be selected with the
.Cd "options RANDOM_YARROW"
Note that these loadable modules
are slightly less efficient
than their compiled-in equivalents.
This is because some functions
must be locked against
load and unload events,
and also must be indirect calls
to allow for removal.
.Cd "options RANDOM_ENABLE_UMA"
device will obtain entropy
from the zone allocator.
This is potentially very high rate,
and if so will be of questionable use.
Determining this is not trivial,
so experimenting and measurement
The use of randomness in the field of computing
is a rather subtle issue because randomness means
different things to different people.
Consider generating a password randomly,
simulating a coin tossing experiment or
choosing a random back-off period when a server does not respond.
Each of these tasks requires random numbers,
but the random numbers in each case have different requirements.
Generation of passwords, session keys and the like
requires cryptographic randomness.
A cryptographic random number generator should be designed
so that its output is difficult to guess,
even if a lot of auxiliary information is known
(such as when it was seeded, subsequent or previous output, and so on).
seeding for cryptographic random number generators is provided by the
which provides real randomness.
library call provides a pseudo-random sequence
which is generally reckoned to be suitable for
simple cryptographic use.
The OpenSSL library also provides functions for managing randomness
via functions such as
Note that OpenSSL uses the
device for seeding automatically.
Randomness for simulation is required in engineering or
scientific software and games.
The first requirement of these applications is
that the random numbers produced conform to some well-known,
usually uniform, distribution.
The sequence of numbers should also appear numerically uncorrelated,
as simulation often assumes independence of its random inputs.
Often it is desirable to reproduce
the results of a simulation exactly,
so that if the generator is seeded in the same way,
it should produce the same results.
A peripheral concern for simulation is
the speed of a random number generator.
Another issue in simulation is
the size of the state associated with the random number generator, and
how frequently it repeats itself.
a program which shuffles a pack of cards should have 52!\& possible outputs,
which requires the random number generator to have 52!\& starting states.
This means the seed should have at least log_2(52!) ~ 226 bits of state
if the program is to stand a chance of outputting all possible sequences,
and the program needs some unbiased way of generating these bits.
device could be used for seeding here,
but in practice, smaller seeds are usually considered acceptable.
provides two families of functions which are considered
suitable for simulation.
family of functions provides a random integer
.if t 2\u\s731\s10\d\(mi1.
are provided for deterministically setting
the state of the generator and
is provided for setting the state via the
family of functions are also provided,
which provide random floating point numbers in various ranges.
Randomness that is used for collision avoidance
(for example, in certain network protocols)
has slightly different semantics again.
It is usually expected that the numbers will be uniform,
as this produces the lowest chances of collision.
the seeding of the generator is very important,
as it is required that different instances of
the generator produce independent sequences.
However, the guessability or reproducibility of the sequence is unimportant,
unlike the previous cases.
does also provide the traditional
for compatibility purposes.
it is known to be poor for simulation and
absolutely unsuitable for cryptographic purposes,
so its use is discouraged.
.Bl -tag -width ".Pa /dev/random"
.%B Cryptography Engineering
.%O ISBN 978-0-470-47424-2
The current software implementation,
.An Mark R V Murray ,
and is an implementation of the
algorithm by Ferguson
It replaces the previous
is no longer supported
and is therefore deprecated.