Unix-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also i ...

s, and are special files that serve as

cryptographically secure pseudorandom number generator A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely kno ...

s. They allow access to environmental noise collected from device drivers and other sources. typically blocked if there was less

entropy Entropy is a scientific concept, as well as a measurable physical property, that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynam ...

available than requested; more recently (see below, different OS's differ) it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for and .

Linux

Random number generation in kernel space was implemented for the first time for

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, w ...

in 1994 by Theodore Ts'o. The implementation used secure hashes rather than ciphers, to avoid cryptography export restrictions that were in place when the generator was originally designed. The implementation was also designed with the assumption that any given hash or cipher might eventually be found to be weak, and so the design is durable in the face of any such weaknesses. Fast recovery from pool compromise is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system. In Ts'o's implementation, the generator keeps an estimate of the number of

bit The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...

s of noise in the

entropy pool In computing, a hardware random number generator (HRNG) or true random number generator (TRNG) is a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscopic ...

. From this entropy pool random numbers are created. When read, the device will only return random bytes within the estimated number of bits of noise in the entropy pool. When the entropy pool is empty, reads from will

block Block or blocked may refer to: Arts, entertainment and media Broadcasting * Block programming, the result of a programming strategy in broadcasting * W242BX, a radio station licensed to Greenville, South Carolina, United States known as ''96.3 ...

until additional environmental noise is gathered. The intent is to serve as a

, delivering output with entropy as large as possible. This is suggested by the authors for use in generating cryptographic keys for high-value or long-term protection. A counterpart to is ("unlimited"/non-blocking random source) which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from . While is still intended as a pseudorandom number generator suitable for most cryptographic purposes, the authors of the corresponding

man page A man page (short for manual page) is a form of software documentation usually found on a Unix or Unix-like operating system. Topics covered include computer programs (including library and system calls), formal standards and conventions, and e ...

note that, theoretically, there may exist an as-yet-unpublished attack on the algorithm used by , and that users concerned about such an attack should use instead. However such an attack is unlikely to come into existence, because once the entropy pool is unpredictable it doesn't leak security by a reduced number of bits. It is also possible to write to . This allows any user to mix random data into the pool. Non-random data is harmless, because only a privileged user can issue the ioctl needed to increase the entropy estimate. The current amount of entropy and the size of the Linux kernel entropy pool, both measured in bits, are available in and can be displayed by the command and respectively. Gutterman, Pinkas, & Reinman in March 2006 published a detailed cryptographic analysis of the Linux random number generator in which they describe several weaknesses. Perhaps the most severe issue they report is with embedded or

Live CD A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading f ...

systems, such as routers and diskless clients, for which the bootup state is predictable and the available supply of entropy from the environment may be limited. For a system with non-volatile memory, they recommend saving some state from the RNG at shutdown so that it can be included in the RNG state on the next reboot. In the case of a router for which network traffic represents the primary available source of entropy, they note that saving state across reboots "would require potential attackers to either eavesdrop on all network traffic" from when the router is first put into service, or obtain direct access to the router's internal state. This issue, they note, is particularly critical in the case of a wireless router whose network traffic can be captured from a distance, and which may be using the RNG to generate keys for data encryption. The Linux kernel provides support for several

hardware random number generator In computing, a hardware random number generator (HRNG) or true random number generator (TRNG) is a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscopic ...

s, should they be installed. The raw output of such a device may be obtained from . With Linux kernel 3.16 and newer, the kernel itself mixes data from

s into on a sliding scale based on the definable entropy estimation quality of the HWRNG. This means that no userspace daemon, such as from , is needed to do that job. With Linux kernel 3.17+, the VirtIO RNG was modified to have a default quality defined above 0, and as such, is currently the only HWRNG mixed into by default. The entropy pool can be improved by programs like , , etc. With ,

s like ''Entropy Key, etc.'' can write to . The

diehard tests The diehard tests are a battery of statistical tests for measuring the quality of a random number generator. They were developed by George Marsaglia over several years and first published in 1995 on a CD-ROM of random numbers. Test overview ; Bi ...

programs , and can test these random number generators. In January 2014, Daniel J. Bernstein published a critique of how Linux mixes different sources of entropy. He outlines an attack in which one source of entropy capable of monitoring the other sources of entropy could modify its output to nullify the randomness of the other sources of entropy. Consider the function where ''H'' is a hash function and ''x'', ''y'', and ''z'' are sources of entropy with ''z'' being the output of a CPU based malicious HRNG Z: # ''Z'' generates a random value of ''r''. # ''Z'' computes . # If the output of is equal to the desired value, output ''r'' as ''z''. # Else, repeat starting at 1. Bernstein estimated that an attacker would need to repeat 16 times to compromise DSA and ECDSA. This is possible because Linux reseeds H on an ongoing basis instead of using a single high quality seed. In October 2016, with the release of Linux kernel version 4.8, the kernel's was switched over to a ChaCha20-based cryptographic pseudorandom number generator (CPRNG) implementation by Theodore Ts'o, based on Bernstein's well-regarded stream cipher ChaCha20. In 2020, the Linux kernel version 5.6 only blocks when the CPRNG hasn't initialized. Once initialized, and behave the same.

BSD systems

The FreeBSD operating system provides a link to . Both block only until properly seeded. FreeBSD's PRNG (

Fortuna Fortuna ( la, Fortūna, equivalent to the Greek goddess Tyche) is the goddess of fortune and the personification of luck in Roman religion who, largely thanks to the Late Antique author Boethius, remained popular through the Middle Ages until at ...

) reseeds regularly, and does not attempt to estimate entropy. On a system with small amount of network and disk activity, reseeding is done after a fraction of a second. Since OpenBSD 5.1 (May 1, 2012) and used an algorithm based on RC4 but renamed to ARC4 because of intellectual property reasons. While random number generation here uses system entropy gathered in several ways, the ARC4 algorithm provides a fail-safe, ensuring that a rapid and high quality pseudo-random number stream is provided even when the pool is in a low entropy state. The system automatically uses hardware random number generators (such as those provided on some Intel PCI hubs) if they are available, through the OpenBSD Cryptographic Framework. As of OpenBSD 5.5 (May 1, 2014), the call used for OpenBSD's random devices no longer uses ARC4, but ChaCha20 (''arc4random'' name might be reconsidered as ''A Replacement Call for Random''). was removed in OpenBSD 6.3 (April 15, 2018). NetBSD's implementation of the legacy API has been switched over to ChaCha20 as well.

macOS, iOS and other Apple OSes

All Apple OSes have moved to Fortuna since at least December 2019, possibly earlier. It is based on

SHA-256 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compressi ...

. Multiple entropy sources such as the secure enclave RNG, boot phase timing jitter, hardware interrupt (timing assumed) are used. RDSEED/RDRAND is used on Intel-based Macs that support it. Seed (entropy) data is also stored for subsequent reboots. Prior to the change,

macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...

and

iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also include ...

used 160-bit

Yarrow ''Achillea millefolium'', commonly known as yarrow () or common yarrow, is a flowering plant in the family Asteraceae. Other common names include old man's pepper, devil's nettle, sanguinary, milfoil, soldier's woundwort, and thousand seal. The ...

based on

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20- byte) hash value known as a message digest – typically rendered as 40 hexadec ...

. There is no difference between and ; both behave identically.

Other operating systems

and are also available on Solaris, NetBSD, Tru64 UNIX 5.1B, AIX 5.2 and HP-UX 11i v2. As with FreeBSD, AIX implements its own Yarrow-based design, however AIX uses considerably fewer entropy sources than the standard implementation and stops refilling the pool when it thinks it contains enough entropy. In

Windows NT Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system. The first version of Win ...

, similar functionality is delivered by , but reading the special file does not work as in UNIX. The documented methods to generate cryptographically random bytes are CryptGenRandom and RtlGenRandom. Windows

PowerShell PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-sou ...

provides access to a cryptographically secure pseudorandom number generator via the cmdlet. Cygwin on Windows provides implementations of both and , which can be used in scripts and programs.

References

External links