Is /dev/random data a psuedo-random AES cypher, and where does the entropy come from

randomSecurity

My current understanding of an entropy pool is that it gathers truly random bits of data at a slow rate. I'd like to know how Unix & Linux collect entropy, and how that entropy is used by /dev/random.

I've heard (generically) of entropy collection methods such as the video card cpu's status when a "randomly" selected network packet arrives, matched against the hiss factor in the digital-analog converter, and other even more obtuse methods.

I believe that the entropy "pool" is tapped as need be, and is used to seed a psuedo random generator….

I'm not after an in-depth answer, but I am interested to know if this is the general approach used by Unix/Linux ?.. and perhaps some hints about what is actually going on at the entropy-collection coal-face… and then, what is the entropy fed into.. Is it an AES Rijndael cipher?

The background information for my comemnts above, came from Steve Gibson's Security Now! podcast: Episode #301 Going Random, Part 2 of 2… He only spoke generically (but as is his style, with enough detail and clarity so that even I could understand him. Having listened to the preceding 300 episodes helps :), …and I'd like to know if this is how Unix/Linux does it…

Best Answer

Linux has two random number generators available to userspace, /dev/random and /dev/urandom.

/dev/random is a source of "true" randomness - i.e. it is not generated by a pseudo-random number generator. Entropy is fed into this by the input driver and the interrupt handler, through the functions add_input_randomness and add_interrupt_randomness. Processes reading this device will block if the entropy runs out.

/dev/urandom is a pseudo-random number generator. It is fed by the same entropy pool as /dev/random, but when that runs out, it switches to a cryptographically strong generator.

Userspace applications can feed into the entropy pool by writing to /dev/{,u}random.

Have a read of the random(4) manual page, and the file drivers/char/random.c in the kernel source tree. It is well commented and most of what you ask is explained there.

FreeBSD's /dev/random by default is a pseudo-random number generator using the Yarrow algorithm (but can point to a hardware RNG if one is connected). The software generator takes entropy from Ethernet and serial connections and hardware interrupts (changeable through sysctl kern.random). The Yarrow algorithm is believed to be secure as long as the internal state is unknown, therefore /dev/random should always output high-quality data without blocking. See random(4).

On NetBSD, /dev/random provides random data based only on entropy collected (from disks, network, input devices, and/or tape drives; adjustable using rndctl), while /dev/urandom falls back to a PRNG when the entropy pool is empty, similar to Linux. See random(4), rndctl(8), rnd(9).

OpenBSD has four generators: /dev/random is a hardware generator, /dev/srandom is a secure random data generator (using MD5 on the entropy pool: "disk and network device interrupts and such"), /dev/urandom is similar but falls back to a PRNG when the entropy pool is empty. The fourth, /dev/arandom, is also a PRNG but using RC4. See random(4), arc4random(3).

Mac OS X also uses the Yarrow algorithm for /dev/random, but has an identically working /dev/urandom for compatibility. "Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel." See random(4).

Related Solutions

Linux dd Command – Why Does dd from /dev/random Give Different File Sizes?

You're observing a combination of the peculiar behavior of dd with the peculiar behavior of Linux's /dev/random. Both, by the way, are rarely the right tool for the job.

Linux's /dev/random returns data sparingly. It is based on the assumption that the entropy in the pseudorandom number generator is extinguished at a very fast rate. Since gathering new entropy is slow, /dev/random typically relinquishes only a few bytes at a time.

dd is an old, cranky program initially intended to operate on tape devices. When you tell it to read one block of 1kB, it attempts to read one block. If the read returns less than 1024 bytes, tough, that's all you get. So dd if=/dev/random bs=1K count=2 makes two read(2) calls. Since it's reading from /dev/random, the two read calls typically return only a few bytes, in varying number depending on the available entropy. See also When is dd suitable for copying data? (or, when are read() and write() partial)

Unless you're designing an OS installer or cloner, you should never use /dev/random under Linux, always /dev/urandom. The urandom man page is somewhat misleading; /dev/urandom is in fact suitable for cryptography, even to generate long-lived keys. The only restriction with /dev/urandom is that it must be supplied with sufficient entropy; Linux distributions normally save the entropy between reboots, so the only time you might not have enough entropy is on a fresh installation. Entropy does not wear off in practical terms. For more information, read Is a rand from /dev/urandom secure for a login key? and Feeding /dev/random entropy pool?.

Most uses of dd are better expressed with tools such as head or tail. If you want 2kB of random bytes, run

head -c 2k </dev/urandom >rand

With older Linux kernels, you could get away with

dd if=/dev/urandom of=rand bs=1k count=2

because /dev/urandom happily returned as many bytes as requested. But this is no longer true since kernel 3.16, it's now limited to 32MB.

In general, when you need to use dd to extract a fixed number of bytes and its input is not coming from a regular file or block device, you need to read byte by byte: dd bs=1 count=2048.

Linux – Use the raspberry pi as a source of entropy for /dev/random

As the Wikipedia page says:

It is also possible to write to /dev/random. This allows any user to mix random data into the pool. Non-random data is harmless, because only a privileged user can issue the ioctl needed to increase the entropy estimate. The current amount of entropy and the size of the Linux kernel entropy pool are available in /proc/sys/kernel/random/, which can be displayed by the command cat /proc/sys/kernel/random/entropy_avail.

So, in your case, if you are really intent on injecting some randomness obtained from the RaspberryPi as a file, then all you need is to write the file into /dev/random with a simple "cat randomfilefromrasp > /dev/random". What would be more complex (and require extra rights) would be to assert that the extra randomness ensures some given value of extra "entropy". But it matters only for the irksome blocking mechanism of /dev/random (this device tends to block when it supposes that it has burnt all its entropy); your extra file still gets added to the mix and will contribute to the actual entropy (i.e. you do get the security benefits, even if the kernel does not notice it).

Best Answer

Related Solutions

Linux dd Command – Why Does dd from /dev/random Give Different File Sizes?

Linux – Use the raspberry pi as a source of entropy for /dev/random

Related Question