1.\" Copyright (c) 2001-2015 Mark R V Murray. All rights reserved. 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 23.\" 24.\" $FreeBSD$ 25.\" 26.Dd August 17, 2015 27.Dt RANDOM 4 28.Os 29.Sh NAME 30.Nm random 31.Nd the entropy device 32.Sh SYNOPSIS 33.Cd "device random" 34.Cd "options RANDOM_LOADABLE" 35.Cd "options RANDOM_ENABLE_UMA" 36.Sh DESCRIPTION 37The 38.Nm 39device 40returns an endless supply of random bytes when read. 41It also accepts and reads data 42as any ordinary file. 43.Pp 44The generator will start in an 45.Em unseeded 46state, and will block reads until 47it is seeded for the first time. 48This may cause trouble at system boot 49when keys and the like 50are generated from 51.Nm 52so steps should be taken to ensure a 53seeding as soon as possible. 54.Pp 55It is also possible 56to read random bytes 57by using the KERN_ARND sysctl. 58On the command line 59this could be done by 60.Pp 61.Dl "sysctl -x -B 16 kern.arandom" 62.Pp 63This sysctl will not return 64random bytes unless 65the 66.Nm 67device is seeded. 68.Pp 69This initial seeding 70of random number generators 71is a bootstrapping problem 72that needs very careful attention. 73In some cases, 74it may be difficult 75to find enough randomness 76to seed a random number generator 77until a system is fully operational, 78but the system requires random numbers 79to become fully operational. 80It is (or more accurately should be) 81critically important that the 82.Nm 83device is seeded 84before the first time it is used. 85In the case where a dummy or "blocking-only" 86device is used, 87it is the responsibility 88of the system architect 89to ensure that no blocking reads 90hold up critical processes. 91.Pp 92To see the current settings of the software 93.Nm 94device, use the command line: 95.Pp 96.Dl "sysctl kern.random" 97.Pp 98which results in something like: 99.Bd -literal -offset indent 100kern.random.fortuna.minpoolsize: 64 101kern.random.harvest.mask_symbolic: [HIGH_PERFORMANCE], ... ,CACHED 102kern.random.harvest.mask_bin: 00111111111 103kern.random.harvest.mask: 511 104kern.random.random_sources: 'Intel Secure Key RNG' 105.Ed 106.Pp 107Other than 108.Dl kern.random.fortuna.minpoolsize 109and 110.Dl kern.random.harvest.mask 111all settings are read-only. 112.Pp 113The 114.Pa kern.random.fortuna.minpoolsize 115sysctl is used 116to set the seed threshold. 117A smaller number gives a faster seed, 118but a less secure one. 119In practice, 120values between 64 and 256 121are acceptable. 122.Pp 123The 124.Va kern.random.harvest.mask 125bitmask is used to select 126the possible entropy sources. 127A 0 (zero) value means 128the corresponding source 129is not considered 130as an entropy source. 131Set the bit to 1 (one) 132if you wish to use 133that source. 134The 135.Va kern.random.harvest.mask_bin 136and 137.Va kern.random.harvest.mask_symbolic 138sysctls 139can be used to confirm 140that the choices are correct. 141Note that disabled items 142in the latter item 143are listed in square brackets. 144See 145.Xr random_harvest 9 146for more on the harvesting of entropy. 147.Pp 148When 149.Cd "options RANDOM_LOADABLE" 150is used, 151the 152.Pa /dev/random 153device is not created 154until an "algorithm module" 155is loaded. 156Two of these modules 157are built by default, 158.Em random_fortuna 159and 160.Em random_yarrow . 161The 162.Em random_yarrow 163module is deprecated, 164and will be removed in 165.Fx 12. 166Use of the Yarrow algorithm 167is not encouraged, 168but while still present 169in the kernel source, 170it can be selected with the 171.Cd "options RANDOM_YARROW" 172kernel option. 173Note that these loadable modules 174are slightly less efficient 175than their compiled-in equivalents. 176This is because some functions 177must be locked against 178load and unload events, 179and also must be indirect calls 180to allow for removal. 181.Pp 182When 183.Cd "options RANDOM_ENABLE_UMA" 184is used, 185the 186.Pa /dev/random 187device will obtain entropy 188from the zone allocator. 189This is potentially very high rate, 190and if so will be of questionable use. 191If this is the case, 192use of this option 193is not recommended. 194Determining this is not trivial, 195so experimenting and measurement 196using tools such as 197.Xr dtrace 1 198will be required. 199.Sh RANDOMNESS 200The use of randomness in the field of computing 201is a rather subtle issue because randomness means 202different things to different people. 203Consider generating a password randomly, 204simulating a coin tossing experiment or 205choosing a random back-off period when a server does not respond. 206Each of these tasks requires random numbers, 207but the random numbers in each case have different requirements. 208.Pp 209Generation of passwords, session keys and the like 210requires cryptographic randomness. 211A cryptographic random number generator should be designed 212so that its output is difficult to guess, 213even if a lot of auxiliary information is known 214(such as when it was seeded, subsequent or previous output, and so on). 215On 216.Fx , 217seeding for cryptographic random number generators is provided by the 218.Nm 219device, 220which provides real randomness. 221The 222.Xr arc4random 3 223library call provides a pseudo-random sequence 224which is generally reckoned to be suitable for 225simple cryptographic use. 226The OpenSSL library also provides functions for managing randomness 227via functions such as 228.Xr RAND_bytes 3 229and 230.Xr RAND_add 3 . 231Note that OpenSSL uses the 232.Nm 233device for seeding automatically. 234.Pp 235Randomness for simulation is required in engineering or 236scientific software and games. 237The first requirement of these applications is 238that the random numbers produced conform to some well-known, 239usually uniform, distribution. 240The sequence of numbers should also appear numerically uncorrelated, 241as simulation often assumes independence of its random inputs. 242Often it is desirable to reproduce 243the results of a simulation exactly, 244so that if the generator is seeded in the same way, 245it should produce the same results. 246A peripheral concern for simulation is 247the speed of a random number generator. 248.Pp 249Another issue in simulation is 250the size of the state associated with the random number generator, and 251how frequently it repeats itself. 252For example, 253a program which shuffles a pack of cards should have 52!\& possible outputs, 254which requires the random number generator to have 52!\& starting states. 255This means the seed should have at least log_2(52!) ~ 226 bits of state 256if the program is to stand a chance of outputting all possible sequences, 257and the program needs some unbiased way of generating these bits. 258Again, 259the 260.Nm 261device could be used for seeding here, 262but in practice, smaller seeds are usually considered acceptable. 263.Pp 264.Fx 265provides two families of functions which are considered 266suitable for simulation. 267The 268.Xr random 3 269family of functions provides a random integer 270between 0 to 271.if t 2\u\s731\s10\d\(mi1. 272.if n (2**31)\(mi1. 273The functions 274.Xr srandom 3 , 275.Xr initstate 3 276and 277.Xr setstate 3 278are provided for deterministically setting 279the state of the generator and 280the function 281.Xr srandomdev 3 282is provided for setting the state via the 283.Nm 284device. 285The 286.Xr drand48 3 287family of functions are also provided, 288which provide random floating point numbers in various ranges. 289.Pp 290Randomness that is used for collision avoidance 291(for example, in certain network protocols) 292has slightly different semantics again. 293It is usually expected that the numbers will be uniform, 294as this produces the lowest chances of collision. 295Here again, 296the seeding of the generator is very important, 297as it is required that different instances of 298the generator produce independent sequences. 299However, the guessability or reproducibility of the sequence is unimportant, 300unlike the previous cases. 301.Pp 302.Fx 303does also provide the traditional 304.Xr rand 3 305library call, 306for compatibility purposes. 307However, 308it is known to be poor for simulation and 309absolutely unsuitable for cryptographic purposes, 310so its use is discouraged. 311.Sh FILES 312.Bl -tag -width ".Pa /dev/random" 313.It Pa /dev/random 314.El 315.Sh SEE ALSO 316.Xr arc4random 3 , 317.Xr drand48 3 , 318.Xr rand 3 , 319.Xr RAND_add 3 , 320.Xr RAND_bytes 3 , 321.Xr random 3 , 322.Xr sysctl 8 , 323.Xr random 9 324.Rs 325.%A Ferguson 326.%A Schneier 327.%A Kohno 328.%B Cryptography Engineering 329.%I Wiley 330.%O ISBN 978-0-470-47424-2 331.Re 332.Sh HISTORY 333A 334.Nm 335device appeared in 336.Fx 2.2 . 337The current software implementation, 338introduced in 339.Fx 10.0 , 340is by 341.An Mark R V Murray , 342and is an implementation of the 343.Em Fortuna 344algorithm by Ferguson 345.Em et al . 346It replaces the previous 347.Em Yarrow 348implementation, 349introduced in 350.Fx 5.0 . 351The Yarrow algorithm 352is no longer supported 353by its authors, 354and is therefore deprecated. 355