/dev/random
topic - Beschreibung
Beschreibung
/dev/random
- Zeichenorientierte virtuelle Gerätedatei
- Programme können auf einen systemweiten Zufallszahlengenerator von hoher Qualität zugreifen
- Da für netzwerkorientierte Systeme wie Unix Kryptographie-Dienste und damit Zufallszahlen eine bedeutende Rolle spielen, kommt dieser Datei und dem dahinterstehenden Treiber eine wichtige Bedeutung zu.
- Zufallsgenerator sammelt Umgebungsrauschen von Gerätetreibern und anderen Quellen in einem Entropie-„Pool“
- Der Generator speichert auch eine Abschätzung über die Anzahl der Bits im Entropie-Pool
- Aus diesem „Pool“ werden die Zufallszahlen generiert
- Beim Lesen gibt
/dev/random
nur solange Zufallszahlen zurück, bis die abgeschätzte Entropiemenge erschöpft ist
- dann blockieren Lesezugriffe auf
/dev/random
, bis zusätzliches Umgebungsrauschen erhalten wurde.[1][2]/dev/random
sollte ausreichend sein für Anwendungszwecke, die auf eine sehr hohe Qualität der Zufälligkeit angewiesen sind, wie etwa Verschlüsselung (beispielsweise One-Time-Pads oder Schlüsselerzeugung) - Aus Geschwindigkeitsgründen wird in der Praxis oft nur der „Seed“ eines Pseudo-Zufallszahlengenerators von
/dev/random
gelesen (z. B. in OpenSSL, PGP und GnuPG).
- Der aktuelle Füllstand des Entropie-Pools lässt sich unter Linux aus der Datei
/proc/sys/kernel/random/entropy_avail
ermitteln.
- Eine Ausgabe der Datei liefert die verfügbare Entropie in Bit, wobei das Maximum von 4096 Bit einem vollständig gefüllten „Pool“ entspricht.
/dev/urandom
Aus /dev/urandom
(unlimited random) können wie aus /dev/random
Zufallszahlen gelesen werden.
/dev/urandom
blockiert nicht wenn eine definierte Entropieschwelle unterschritten wird
In diesem Fall kann nicht ganz ausgeschlossen werden, dass es einem Angreifer gelingt, die erzeugten Pseudozufallszahlen im Nachhinein zu berechnen.[3]
Standardisierung
/dev/random
(wie auch/dev/urandom
) ist weder im Filesystem Hierarchy Standard 2.3 noch in der Single UNIX Specification 3.0 spezifiziert.
- Der Linux-Kernel stellte 1994 als erstes Betriebssystem ein
/dev/random
-Gerät bereit, woraufhin andere unixoide Betriebssysteme nachzogen,[4][5] so zum Beispiel FreeBSD 2.2 ab Juni 2000[6] oder Solaris 9 ab 2002.[7]
Implementierungen
In FreeBSD findet ein auf dem Yarrow-Algorithmus basierender Generator Verwendung[8]. AIX verwendet seit AIX 5.2 ebenfalls eine Yarrow-Implementation.[9]
In Linux verhält sich /dev/random
seit 2020 wie /dev/urandom
, da dessen Zufallszahlen mittlerweile als praktikabel selbst für kryptographische Zwecke angesehen werden.[10]
Verbesserung der Entropie
- Über Software lässt sich die Entropie verbessern sowie der Entropie-Pool vergrößern, damit mehr Zufallszahlen zur Verfügung stehen
- Mit der GNU-Software
rng-tools
lassen sich unter Linux und ähnlichen Betriebssystemen physikalische Zufallszahlengeneratoren einbinden.[11]
Anwendungen
Siehe auch
Dokumentation
RFC
Man-Pages
Info-Pages
Links
Einzelnachweise
Projekt
Weblinks
Literatur
- Dokumentation und Analyse des Linux-Pseudozufallszahlengenerators Eine Studie im Auftrag des Bundesamtes für Sicherheit in der Informationstechnik (BSI); Dezember 2013
Wikipedia EN
In Unix-like operating systems, Vorlage:Mono and Vorlage:Mono are special files that serve as cryptographically secure pseudorandom number generators.
- They allow access to environmental noise collected from device drivers and other sources.[1] Vorlage:Mono typically blocked if there was less entropy available than requested; more recently (see below for the differences between operating systems) it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently.
- The Vorlage:Mono device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot.
- Not all operating systems implement the same methods for Vorlage:Mono and Vorlage:Mono.
Linux
Random number generation in kernel space was implemented for the first time for Linux[2] in 1994 by Theodore Ts'o.[3] The implementation used secure hashes rather than ciphers,Vorlage:Clarify to avoid cryptography export restrictions that were in place when the generator was originally designed.
- The implementation was also designed with the assumption that any given hash or cipher might eventually be found to be weak, and so the design is durable in the face of any such weaknesses.
- Fast recovery from pool compromise is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system.
In Ts'o's implementation, the generator keeps an estimate of the number of bits of noise in the entropy pool.
- From this entropy pool random numbers are created.
- When read, the Vorlage:Mono device will only return random bytes within the estimated number of bits of noise in the entropy pool. When the entropy pool is empty, reads from Vorlage:Mono will block until additional environmental noise is gathered.[4] The intent is to serve as a cryptographically secure pseudorandom number generator, delivering output with entropy as large as possible.
- This is suggested by the authors for use in generating cryptographic keys for high-value or long-term protection.[4]
A counterpart to Vorlage:Mono is Vorlage:Mono ("unlimited"[5]/non-blocking random source[4]) which reuses the internal pool to produce more pseudo-random bits.
- This means that the call will not block, but the output may contain less entropy than the corresponding read from Vorlage:Mono.
- While Vorlage:Mono is still intended as a pseudorandom number generator suitable for most cryptographic purposes, the authors of the corresponding man page note that, theoretically, there may exist an as-yet-unpublished attack on the algorithm used by Vorlage:Mono, and that users concerned about such an attack should use Vorlage:Mono instead.[4] However such an attack is unlikely to come into existence, because once the entropy pool is unpredictable it doesn't leak security by a reduced number of bits.[6]
It is also possible to write to Vorlage:Mono.
- This allows any user to mix random data into the pool.
- Non-random data is harmless, because only a privileged user can issue the ioctl needed to increase the entropy estimate.Vorlage:Dubious The current amount of entropy and the size of the Linux kernel entropy pool, both measured in bits, are available in Vorlage:Mono and can be displayed by the command Vorlage:Code and Vorlage:Code respectively.
Gutterman, Pinkas, & Reinman in March 2006 published a detailed cryptographic analysis of the Linux random number generator[7] in which they describe several weaknesses.
- Perhaps the most severe issue they report is with embedded or Live CD systems, such as routers and diskless clients, for which the bootup state is predictable and the available supply of entropy from the environment may be limited.
- For a system with non-volatile memory, they recommend saving some state from the RNG at shutdown so that it can be included in the RNG state on the next reboot.
- In the case of a router for which network traffic represents the primary available source of entropy, they note that saving state across reboots "would require potential attackers to either eavesdrop on all network traffic" from when the router is first put into service, or obtain direct access to the router's internal state.
- This issue, they note, is particularly critical in the case of a wireless router whose network traffic can be captured from a distance, and which may be using the RNG to generate keys for data encryption.
The Linux kernel provides support for several hardware random number generators, should they be installed.
- The raw output of such a device may be obtained from Vorlage:Mono.[8]
With Linux kernel 3.16 and newer,[9] the kernel itself mixes data from hardware random number generators into Vorlage:Mono on a sliding scale based on the definable entropy estimation quality of the HWRNG.
- This means that no userspace daemon, such as Vorlage:Mono from Vorlage:Mono, is needed to do that job.
- With Linux kernel 3.17+, the VirtIO RNG was modified to have a default quality defined above 0,[10] and as such, is currently the only HWRNG mixed into Vorlage:Mono by default.
The entropy pool can be improved by programs like Vorlage:Mono, Vorlage:Mono, Vorlage:Mono etc. With Vorlage:Mono, hardware random number generators like Entropy Key, etc. can write to Vorlage:Mono.
- The diehard tests programs Vorlage:Mono, Vorlage:Mono and Vorlage:Mono can test these random number generators.[11][12][13][14]
In January 2014, [[Daniel J.
- Bernstein]] published a critique[15] of how Linux mixes different sources of entropy. He outlines an attack in which one source of entropy capable of monitoring the other sources of entropy could modify its output to nullify the randomness of the other sources of entropy. Consider the function Vorlage:Tmath where H is a hash function and x, y, and z are sources of entropy with z being the output of a CPU based malicious HRNG Z:
- Z generates a random value of r.
- Z computes Vorlage:Tmath.
- If the output of Vorlage:Tmath is equal to the desired value, output r as z.
- Else, repeat starting at 1.
Bernstein estimated that an attacker would need to repeat Vorlage:Tmath 16 times to compromise DSA and ECDSA. This is possible because Linux reseeds H on an ongoing basis instead of using a single high quality seed.
In October 2016, with the release of Linux kernel version 4.8, the kernel's Vorlage:Mono was switched over to a ChaCha20-based cryptographic pseudorandom number generator (CPRNG) implementation[16] by Theodore Ts'o, based on [[Daniel J.
- Bernstein|Bernstein]]'s well-regarded stream cipher ChaCha20.
In 2020, the Linux kernel version 5.6 Vorlage:Mono only blocks when the CPRNG hasn't initialized.
- Once initialized, Vorlage:Mono and Vorlage:Mono behave the same.[17]
BSD systems
The FreeBSD operating system provides a Vorlage:Mono link to Vorlage:Mono. Both block only until properly seeded. FreeBSD's PRNG (Fortuna) reseeds regularly, and does not attempt to estimate entropy. On a system with small amount of network and disk activity, reseeding is done after a fraction of a second.
Since OpenBSD 5.1 (May 1, 2012) Vorlage:Mono and Vorlage:Mono used an algorithm based on RC4 but renamed to ARC4 because of intellectual property reasons.
- While random number generation here uses system entropy gathered in several ways, the ARC4 algorithm provides a fail-safe, ensuring that a rapid and high quality pseudo-random number stream is provided even when the pool is in a low entropy state.
- The system automatically uses hardware random number generators (such as those provided on some Intel PCI hubs) if they are available, through the OpenBSD Cryptographic Framework.
- As of OpenBSD 5.5 (May 1, 2014), the Vorlage:Code call used for OpenBSD's random devices no longer uses ARC4, but ChaCha20 (arc4random name might be reconsidered as A Replacement Call for Random).[18][19] Vorlage:Mono was removed in OpenBSD 6.3 (April 15, 2018).[20]
NetBSD's implementation of the legacy Vorlage:Code API has been switched over to ChaCha20 as well.[21]
macOS, iOS and other Apple OSes
All Apple OSes have moved to Fortuna since at least December 2019, possibly earlier.[22] It is based on SHA-256. Multiple entropy sources such as the secure enclave RNG, boot phase timing jitter, hardware interrupt (timing assumed) are used. RDSEED/RDRAND is used on Intel-based Macs that support it. Seed (entropy) data is also stored for subsequent reboots.
Prior to the change, macOS and iOS used 160-bit Yarrow based on SHA-1.[23]
There is no difference between Vorlage:Mono and Vorlage:Mono; both behave identically.[24][25]
Other operating systems
Vorlage:Mono and Vorlage:Mono are also available on Solaris,[26] NetBSD,[27] Tru64 UNIX 5.1B,[28] AIX 5.2[29] and HP-UX 11i v2.[30] As with FreeBSD, AIX implements its own Yarrow-based design, however AIX uses considerably fewer entropy sources than the standard Vorlage:Mono implementation and stops refilling the pool when it thinks it contains enough entropy.[31]
In Windows NT, similar functionality is delivered by Vorlage:Mono, but reading the special file Vorlage:Mono does not work as in UNIX.
- The documented methods to generate cryptographically random bytes are CryptGenRandom and RtlGenRandom.
- Windows PowerShell provides access to a cryptographically secure pseudorandom number generator via the Vorlage:Mono cmdlet.[32]
Cygwin on Windows provides implementations of both Vorlage:Mono and Vorlage:Mono, which can be used in scripts and programs.[33]
See also
- CryptGenRandom – The Microsoft Windows API's CSPRNG
- Vorlage:Mono
- Entropy-supplying system calls
- Fortuna algorithm
- Hardware random number generator
- Standard streams
External links
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ 4,0 4,1 4,2 4,3 Vorlage:Man
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite AV media
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Man
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Man
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Man
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web
- ↑ Vorlage:Cite web