Random Numbers in Perl
Kevin Buettner
kev@primenet.com
Thu, 9 Nov 2000 12:02:22 -0700
On Nov 9, 10:51am, Jason wrote:
> Kevin Buettner wrote:
> > If you read the code which implements /dev/random, you'll see that it
> > does use timings (I'm not sure if keyboard keypresses are considered
> > or not) from various of your computer's I/O subsystems in order to
> > generate its entropy pool. The numbers that you get out of
> > /dev/random are pretty good random numbers so long as you do not ask
> > for them too fast. (If you use up the entropy in the entropy pool too
> > quickly, it falls back on pseudo-random techniques for a while...)
>
> cat /dev/random
>
> spits out randomness at a medium pace. Also makes it pretty clear that
> keystrokes (or the interupts they generate) are definitly part of the
> package. Im not sure how one can use this up too fast, it seems to me
> that cat would use them up as fast as possible, and result in a
> constant stream of pseudorandom garbage if the above were true.
I was basing my remarks upon what I had read in the kernel sources.
My remarks were not based on empirical evidence. The last paragraph
from the following comment (found in drivers/char/random.c) is
pertinent...
* Computers are very predictable devices. Hence it is extremely hard
* to produce truly random numbers on a computer --- as opposed to
* pseudo-random numbers, which can easily generated by using a
* algorithm. Unfortunately, it is very easy for attackers to guess
* the sequence of pseudo-random number generators, and for some
* applications this is not acceptable. So instead, we must try to
* gather "environmental noise" from the computer's environment, which
* must be hard for outside attackers to observe, and use that to
* generate random numbers. In a Unix environment, this is best done
* from inside the kernel.
*
* Sources of randomness from the environment include inter-keyboard
* timings, inter-interrupt timings from some interrupts, and other
* events which are both (a) non-deterministic and (b) hard for an
* outside observer to measure. Randomness from these sources are
* added to an "entropy pool", which is mixed using a CRC-like function.
* This is not cryptographically strong, but it is adequate assuming
* the randomness is not chosen maliciously, and it is fast enough that
* the overhead of doing it on every interrupt is very reasonable.
* As random bytes are mixed into the entropy pool, the routines keep
* an *estimate* of how many bits of randomness have been stored into
* the random number generator's internal state.
*
* When random bytes are desired, they are obtained by taking the SHA
* hash of the contents of the "entropy pool". The SHA hash avoids
* exposing the internal state of the entropy pool. It is believed to
* be computationally infeasible to derive any useful information
* about the input of SHA from its output. Even if it is possible to
* analyze SHA in some clever way, as long as the amount of data
* returned from the generator is less than the inherent entropy in
* the pool, the output data is totally unpredictable. For this
* reason, the routine decreases its internal estimate of how many
* bits of "true randomness" are contained in the entropy pool as it
* outputs random numbers.
*
* If this estimate goes to zero, the routine can still generate
* random numbers; however, an attacker may (at least in theory) be
* able to infer the future output of the generator from prior
* outputs. This requires successful cryptanalysis of SHA, which is
* not believed to be feasible, but there is a remote possibility.
* Nonetheless, these numbers should be useful for the vast majority
* of purposes.
I can only speculate that the reason for the slowness is that it
takes a while to compute the SHA hash. (It's slow on my machine too.)
> according to /usr/src/linux/Documentation/devices.txt,
> /dev/random Nondeterministic random number gen.
> /dev/urandom Faster, less secure random number gen.
>
> /dev/urandom is the one that spits out data endlessly when subjected
> to cat...
>
> Perhaps the /dev/random in current distributions is really
> /dev/urandom? I cant say - I had to use mknod per the docs in the
> Linux source as there was no /dev/random on my system prior to me
> reading about it in a kernel upgrade (That means, BTW, that not only
> is relying on /dev/random not platform independant, but that it also
> will not function on older linux releases as well!)
To the best of my knowledge, no distribution aliases /dev/random
to /dev/urandom. If they do, this is egregiously wrong since many
programs depend upon /dev/random to generate strong random numbers.