differences between random and urandom
Asked Answered
P

4

73

I'm trying to find out the differences between /dev/random and /dev/urandom files

  1. What are the differences between /dev/random and /dev/urandom?
  2. When should I use them?
  3. when should I not use them?
Ptero answered 17/5, 2014 at 14:41 Comment(1)
As of Linux 5.6, they are virtually the same. Phoronix and also a Pull request.Castanets
S
42

Always use /dev/urandom.

/dev/urandom and /dev/random use the same random number generator. They both are seeded by the same entropy pool. They both will give an equally random number of an arbitrary size. They both can give an infinite amount of random numbers with only a 256 bit seed. As long as the initial seed has 256 bits of entropy, you can have an infinite supply of arbitrarily long random numbers. You gain nothing from using /dev/random. The fact that there's two devices is a flaw in the Linux API.

If you are concerned about entropy, using /dev/random is not going to fix that. But it will slow down your application while not generating numbers anymore random than /dev/urandom. And if you aren't concerned about entropy, why are you using /dev/random at all?

Here's a much better/indepth explanation on why you should always use /dev/urandom: http://www.2uo.de/myths-about-urandom/

The kernel developers are discussing removing /dev/random: https://lwn.net/SubscriberLink/808575/9fd4fea3d86086f0/

Strickle answered 30/11, 2016 at 0:51 Comment(0)
W
58

Using /dev/random may require waiting for the result as it uses so-called entropy pool, where random data may not be available at the moment.

/dev/urandom returns as many bytes as user requested and thus it is less random than /dev/random.

As can be read from the man page:

random

When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.

urandom

A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current unclassified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.

For cryptographic purposes you should really use /dev/random because of nature of data it returns. Possible waiting should be considered as acceptable tradeoff for the sake of security, IMO.

When you need random data fast, you should use /dev/urandom of course.

Source: Wikipedia page, man page

Willyt answered 17/5, 2014 at 14:45 Comment(4)
I would disagree. Today, /dev/urandom is safe (and preferred) for the use in cryptography in almost all cases. See the other answers.Seville
jrwren, there's a lot about "myths about urandom" that is totally wrong and highly misleading, and if you think about it, it doesn't make sense! The diagrams for a start are structurally wrong, they suggest that random and urandom come from the same CSPNG source, they actually don't according to this article: lwn.net/Articles/525459Sportswoman
/dev/random is non blocking since Linux 5.6 in early 2020 (after that answer was written). For all purpose it's now indistinguishable from /dev/urandom. See lwn.net/Articles/808575. The best evisceration of /dev/random blocking stupidity is possibly research.nccgroup.com/2019/12/19/… by our own security.stackexchange.com/users/655/thomas-pornin, published a few days before Linux was ultimately fixed, but the earlier (2014) 2uo.de/myths-about-urandom is also damn good.Aunt
It's so frustrating that this is still the highest rated answer when it was wrong at the time and isn't even accurate any more.Strickle
S
42

Always use /dev/urandom.

/dev/urandom and /dev/random use the same random number generator. They both are seeded by the same entropy pool. They both will give an equally random number of an arbitrary size. They both can give an infinite amount of random numbers with only a 256 bit seed. As long as the initial seed has 256 bits of entropy, you can have an infinite supply of arbitrarily long random numbers. You gain nothing from using /dev/random. The fact that there's two devices is a flaw in the Linux API.

If you are concerned about entropy, using /dev/random is not going to fix that. But it will slow down your application while not generating numbers anymore random than /dev/urandom. And if you aren't concerned about entropy, why are you using /dev/random at all?

Here's a much better/indepth explanation on why you should always use /dev/urandom: http://www.2uo.de/myths-about-urandom/

The kernel developers are discussing removing /dev/random: https://lwn.net/SubscriberLink/808575/9fd4fea3d86086f0/

Strickle answered 30/11, 2016 at 0:51 Comment(0)
D
9

What are the differences between /dev/random and /dev/urandom?

/dev/random and /dev/urandom are interfaces to the kernel's random number generator:

  • Reading returns a stream of random bytes strong enough for use in cryptography
  • Writing to them will provide the kernel data to update the entropy pool

When it comes to the differences, it depends on the operation system:

  • On Linux, reading from /dev/random may block, which limits its use in practice considerably
  • On FreeBSD, there is none. /dev/urandom is just a symbolic link to /dev/random.

When should I use them? When should I not use them?

It is very difficult to find a use case where you should use /dev/random over /dev/urandom.

Danger of blocking:

  • This is a real problem that you will have to face when you decide to use /dev/random. For single usages like ssh-keygen it should be OK to wait for some seconds, but for most other situations it will be not an option.
  • If you use /dev/random, you should open it in nonblocking mode and provide some sort of user notification if the desired entropy is not immediately available.

Security:

The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized.

If a seed file is saved across reboots as recommended below (all major Linux distributions have done this since 2000 at least), the output is cryptographically secure against attackers without local root access as soon as it is reloaded in the boot sequence, and perfectly adequate for network encryption session keys. Since reads from /dev/random may block, users will usually want to open it in nonblocking mode (or perform a read with timeout), and provide some sort of user notification if the desired entropy is not immediately available.

Recommendation

As a general rule, /dev/urandomshould be used for everything except long-lived GPG/SSL/SSH keys.

Diba answered 29/7, 2017 at 16:48 Comment(1)
/dev/random is non blocking since Linux 5.6 in early 2020 (after that answer was written). For all purpose it's now indistinguishable from /dev/urandom. See lwn.net/Articles/808575. The best evisceration of /dev/random blocking stupidity is possibly research.nccgroup.com/2019/12/19/… by our own security.stackexchange.com/users/655/thomas-pornin, published a few days before Linux was ultimately fixed, but the earlier (2014) 2uo.de/myths-about-urandom is also damn good.Aunt
L
6

Short answer

Use /dev/urandom

Long Answer

They are both fed by the same cryptographically secure pseudorandom number generator (CSPRNG). The fact that /dev/random waits for entropy (or more specifically, waits for the system's estimation of its entropy to reach an appropriate level) only makes a difference when you are using a information-theoretically secure algorithm, as opposed to a computationally secure algorithm. The former encompasses algorithms that you probably aren't using, such as Shamir's Secret Sharing and the One-time pad. The latter contains algorithms that you actually use and care about, such as AES, RSA, Diffie-Hellman, OpenSSL, GnuTLS, etc.

So it doesn't matter if you use numbers from /dev/random since they're getting pumped out of a CSPRNG anyway, and it is "theoretically possible" to break the algorithms that you're likely using them with anyway.

Lastly, that "theoretically possible" bit means just that. In this case, that means using all of the computing power in the world, for the amount of time that that the universe has existed to crack the application.

Therefore, there is pretty much no point in using /dev/random

So use /dev/urandom

Sources

1 2 3

Lachish answered 22/5, 2017 at 21:55 Comment(2)
I agree in this case, but what about situations where there is a hardware rng? What happens in that situation, if you want to only use that rng for instance?Sportswoman
@Sportswoman Entropy from a hardware rng is fed into the kernel's entropy pool. The same pool is used for /dev/random and /dev/urandom. Remember, both devices use the exact same prng, so what's an entropy source for one is an entropy source for the other. If you want to pull entropy from only the hardware rng, you have to read from the device directly. The kernel apis always use the kernel's prng.Strickle

© 2022 - 2024 — McMap. All rights reserved.