xref: /freebsd/share/man/man4/random.4 (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414)
1.\" Copyright (c) 2001-2015	Mark R V Murray.  All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\"    notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright
9.\"    notice, this list of conditions and the following disclaimer in the
10.\"    documentation and/or other materials provided with the distribution.
11.\"
12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD$
25.\"
26.Dd August 17, 2015
27.Dt RANDOM 4
28.Os
29.Sh NAME
30.Nm random
31.Nd the entropy device
32.Sh SYNOPSIS
33.Cd "device random"
34.Cd "options RANDOM_LOADABLE"
35.Cd "options RANDOM_ENABLE_UMA"
36.Sh DESCRIPTION
37The
38.Nm
39device
40returns an endless supply of random bytes when read.
41It also accepts and reads data
42as any ordinary file.
43.Pp
44The generator will start in an
45.Em unseeded
46state, and will block reads until
47it is seeded for the first time.
48This may cause trouble at system boot
49when keys and the like
50are generated from
51.Nm
52so steps should be taken to ensure a
53seeding as soon as possible.
54.Pp
55It is also possible
56to read random bytes
57by using the KERN_ARND sysctl.
58On the command line
59this could be done by
60.Pp
61.Dl "sysctl -x -B 16 kern.arandom"
62.Pp
63This sysctl will not return
64random bytes unless
65the
66.Nm
67device is seeded.
68.Pp
69This initial seeding
70of random number generators
71is a bootstrapping problem
72that needs very careful attention.
73In some cases,
74it may be difficult
75to find enough randomness
76to seed a random number generator
77until a system is fully operational,
78but the system requires random numbers
79to become fully operational.
80It is (or more accurately should be)
81critically important that the
82.Nm
83device is seeded
84before the first time it is used.
85In the case where a dummy or "blocking-only"
86device is used,
87it is the responsibility
88of the system architect
89to ensure that no blocking reads
90hold up critical processes.
91.Pp
92To see the current settings of the software
93.Nm
94device, use the command line:
95.Pp
96.Dl "sysctl kern.random"
97.Pp
98which results in something like:
99.Bd -literal -offset indent
100kern.random.fortuna.minpoolsize: 64
101kern.random.harvest.mask_symbolic: [HIGH_PERFORMANCE], ... ,CACHED
102kern.random.harvest.mask_bin: 00111111111
103kern.random.harvest.mask: 511
104kern.random.random_sources: 'Intel Secure Key RNG'
105.Ed
106.Pp
107Other than
108.Dl kern.random.fortuna.minpoolsize
109and
110.Dl kern.random.harvest.mask
111all settings are read-only.
112.Pp
113The
114.Pa kern.random.fortuna.minpoolsize
115sysctl is used
116to set the seed threshold.
117A smaller number gives a faster seed,
118but a less secure one.
119In practice,
120values between 64 and 256
121are acceptable.
122.Pp
123The
124.Va kern.random.harvest.mask
125bitmask is used to select
126the possible entropy sources.
127A 0 (zero) value means
128the corresponding source
129is not considered
130as an entropy source.
131Set the bit to 1 (one)
132if you wish to use
133that source.
134The
135.Va kern.random.harvest.mask_bin
136and
137.Va kern.random.harvest.mask_symbolic
138sysctls
139can be used to confirm
140that the choices are correct.
141Note that disabled items
142in the latter item
143are listed in square brackets.
144See
145.Xr random_harvest 9
146for more on the harvesting of entropy.
147.Pp
148When
149.Cd "options RANDOM_LOADABLE"
150is used,
151the
152.Pa /dev/random
153device is not created
154until an "algorithm module"
155is loaded.
156Two of these modules
157are built by default,
158.Em random_fortuna
159and
160.Em random_yarrow .
161The
162.Em random_yarrow
163module is deprecated,
164and will be removed in
165.Fx 12.
166Use of the Yarrow algorithm
167is not encouraged,
168but while still present
169in the kernel source,
170it can be selected with the
171.Cd "options RANDOM_YARROW"
172kernel option.
173Note that these loadable modules
174are slightly less efficient
175than their compiled-in equivalents.
176This is because some functions
177must be locked against
178load and unload events,
179and also must be indirect calls
180to allow for removal.
181.Pp
182When
183.Cd "options RANDOM_ENABLE_UMA"
184is used,
185the
186.Pa /dev/random
187device will obtain entropy
188from the zone allocator.
189This is potentially very high rate,
190and if so will be of questionable use.
191If this is the case,
192use of this option
193is not recommended.
194Determining this is not trivial,
195so experimenting and measurement
196using tools such as
197.Xr dtrace 1
198will be required.
199.Sh RANDOMNESS
200The use of randomness in the field of computing
201is a rather subtle issue because randomness means
202different things to different people.
203Consider generating a password randomly,
204simulating a coin tossing experiment or
205choosing a random back-off period when a server does not respond.
206Each of these tasks requires random numbers,
207but the random numbers in each case have different requirements.
208.Pp
209Generation of passwords, session keys and the like
210requires cryptographic randomness.
211A cryptographic random number generator should be designed
212so that its output is difficult to guess,
213even if a lot of auxiliary information is known
214(such as when it was seeded, subsequent or previous output, and so on).
215On
216.Fx ,
217seeding for cryptographic random number generators is provided by the
218.Nm
219device,
220which provides real randomness.
221The
222.Xr arc4random 3
223library call provides a pseudo-random sequence
224which is generally reckoned to be suitable for
225simple cryptographic use.
226The OpenSSL library also provides functions for managing randomness
227via functions such as
228.Xr RAND_bytes 3
229and
230.Xr RAND_add 3 .
231Note that OpenSSL uses the
232.Nm
233device for seeding automatically.
234.Pp
235Randomness for simulation is required in engineering or
236scientific software and games.
237The first requirement of these applications is
238that the random numbers produced conform to some well-known,
239usually uniform, distribution.
240The sequence of numbers should also appear numerically uncorrelated,
241as simulation often assumes independence of its random inputs.
242Often it is desirable to reproduce
243the results of a simulation exactly,
244so that if the generator is seeded in the same way,
245it should produce the same results.
246A peripheral concern for simulation is
247the speed of a random number generator.
248.Pp
249Another issue in simulation is
250the size of the state associated with the random number generator, and
251how frequently it repeats itself.
252For example,
253a program which shuffles a pack of cards should have 52!\& possible outputs,
254which requires the random number generator to have 52!\& starting states.
255This means the seed should have at least log_2(52!) ~ 226 bits of state
256if the program is to stand a chance of outputting all possible sequences,
257and the program needs some unbiased way of generating these bits.
258Again,
259the
260.Nm
261device could be used for seeding here,
262but in practice, smaller seeds are usually considered acceptable.
263.Pp
264.Fx
265provides two families of functions which are considered
266suitable for simulation.
267The
268.Xr random 3
269family of functions provides a random integer
270between 0 to
271.if t 2\u\s731\s10\d\(mi1.
272.if n (2**31)\(mi1.
273The functions
274.Xr srandom 3 ,
275.Xr initstate 3
276and
277.Xr setstate 3
278are provided for deterministically setting
279the state of the generator and
280the function
281.Xr srandomdev 3
282is provided for setting the state via the
283.Nm
284device.
285The
286.Xr drand48 3
287family of functions are also provided,
288which provide random floating point numbers in various ranges.
289.Pp
290Randomness that is used for collision avoidance
291(for example, in certain network protocols)
292has slightly different semantics again.
293It is usually expected that the numbers will be uniform,
294as this produces the lowest chances of collision.
295Here again,
296the seeding of the generator is very important,
297as it is required that different instances of
298the generator produce independent sequences.
299However, the guessability or reproducibility of the sequence is unimportant,
300unlike the previous cases.
301.Pp
302.Fx
303does also provide the traditional
304.Xr rand 3
305library call,
306for compatibility purposes.
307However,
308it is known to be poor for simulation and
309absolutely unsuitable for cryptographic purposes,
310so its use is discouraged.
311.Sh FILES
312.Bl -tag -width ".Pa /dev/random"
313.It Pa /dev/random
314.El
315.Sh SEE ALSO
316.Xr arc4random 3 ,
317.Xr drand48 3 ,
318.Xr rand 3 ,
319.Xr RAND_add 3 ,
320.Xr RAND_bytes 3 ,
321.Xr random 3 ,
322.Xr sysctl 8 ,
323.Xr random 9
324.Rs
325.%A Ferguson
326.%A Schneier
327.%A Kohno
328.%B Cryptography Engineering
329.%I Wiley
330.%O ISBN 978-0-470-47424-2
331.Re
332.Sh HISTORY
333A
334.Nm
335device appeared in
336.Fx 2.2 .
337The current software implementation,
338introduced in
339.Fx 10.0 ,
340is by
341.An Mark R V Murray ,
342and is an implementation of the
343.Em Fortuna
344algorithm by Ferguson
345.Em et al .
346It replaces the previous
347.Em Yarrow
348implementation,
349introduced in
350.Fx 5.0 .
351The Yarrow algorithm
352is no longer supported
353by its authors,
354and is therefore deprecated.
355