Is /dev/random considered truly random?
For instance, could it be used to generate a one-time pad key?
Also, what are its sources and how could it be used to generate a random number between x and y?
The only thing in this universe that can be considered truly is one based on quantum effects. Common example is radioactive decay. For certain atoms you can be sure only about half-life, but you can't be sure which nucleus will break up next.
About /dev/random
- it depends on implementation. In Linux it uses as entropy sources:
The Linux kernel generates entropy from keyboard timings, mouse movements, and IDE timings and makes the random character data available to other operating system processes through the special files /dev/random and /dev/urandom.
Wiki
It means that it is better than algorithmic random generators, but it is not perfect as well. The entropy may not be distributed randomly and can be biased.
This was philosophy. Practice is that on Linux /dev/random
is random enough for vast majority of tasks.
There are implementations of random generators that have more entropy sources, including noise on audio inputs, CPU temperature sensors etc. Anyway they are not true.
There is interesting site where you can get Genuine random numbers, generated by radioactive decay.
Strictly speaking, /dev/random
is not really completely random. /dev/random
feeds on hardware sources which are assumed to be impredictible in some way; then it mixes such data using functions (hash functions, mostly) which are also assumed to be one-way. So the "true randomness" of /dev/random
is thus relative to the inherent security of the mixing functions, security which is no more guaranteed than that of any other cryptographic primitive, in particular the PRNG hidden in /dev/urandom
.
The difference between /dev/random
and /dev/urandom
is that the former will try to maintain an estimate (which means "a wild guess") of how much entropy it has gathered, and will refuse to output more bits than that. On the other hand, /dev/urandom
will happily produce megabytes of data from the entropy it has.
The security difference between the two approaches is meaningless unless you assume that "classical" cryptographic algorithms can be broken, and you use one of the very few information-theoretic algorithms (eg OTP or Shamir's secret sharing); and, even then, /dev/random
may be considered as more secure than /dev/urandom
only if the mixing functions are still considered to be one-way, which is not compatible with the idea that a classical cryptographic algorithm can be broken. So, in practice and even in theory, no difference whatsoever. You can use the output of /dev/urandom
for an OTP and it will not be broken because of any structure internal to /dev/urandom
-- actual management of the obtained stream will be the weak point (especially long-time storage). On the other hand, /dev/random
has very real practical issues, namely that it can block at untimely instants. It is really irksome when an automated OS install blocks (for hours !) because SSH server key generation insists on using /dev/random
and needlessly stalls for entropy.
There are many applications which read /dev/random
as a kind of ritual, as if it was "better" than /dev/urandom
, probably on a karmic level. This is plain wrong, especially when the alea is to be used with classical cryptographic algorithms (eg to generate a SSH server public key). Do not do that. Instead, use /dev/urandom
and you will live longer and happier. Even for one-time pad.
(Just for completeness, there is a quirk with /dev/urandom
as implemented on Linux: it will never block, even if it has not gathered any entropy at all since previous boot. Distributions avoid this problem by creating a "random seed" at installation time, with /dev/random
, and using that seed at each boot to initialize the PRNG used by /dev/urandom
; a new random seed is regenerated immediately, for next boot. This ensures that /dev/urandom
always works over a sufficiently big internal seed. The FreeBSD implementation of /dev/urandom
will block until a given entropy threshold is reached, which is safer.)
/dev/random
will block if there's not enough random data in the entropy pool whereas /dev/urandom
will not. Instead, /dev/urandom
will fall back to a PRNG (kernel docs). From the same docs:
The random number generator [entropy pool] gathers environmental noise from device drivers and other sources into an entropy pool.
So /dev/random
is not algorithmic, like a PRNG, but it may not be "truly random" either. Mouse movements and keystroke timings tend to follow patterns and can be used for exploits but you'll have to weigh the risk against your use case.
To get a random number between x
and y
using /dev/random
, assuming you're happy with a 32-bit integer, you could have a look at the way the Java java.util.Random class does it ( nextInt()
), substituting in appropriate code to read from /dev/random
for the nextBytes()
method.
上一篇: 腌制密码:最佳实践?