/dev/random and /dev/urandom notes

Source: Internet
Author: User
1. Basic Introduction

/dev/random and /dev/urandom are random pseudo-devices provided by Linux. Their job is to provide random byte streams that are never empty. Many cryptographic and security applications (such as SSH keys and SSL keys) require the random data streams they provide.

The difference between the two devices is that the /dev/random pool depends on system interrupts. When the number of system interrupts is insufficient, the /dev/random device blocks, and the reading process waits until enough interrupts have occurred. The /dev/random device can therefore ensure the randomness of its data. /dev/urandom does not rely on system interrupts, so it does not make the process wait, but the randomness of its data is not high.

You can use the cat command to read the data streams of /dev/random and /dev/urandom (binary data streams, which are hard to read). You can use the od command to convert the data streams to hexadecimal format and view them:

While running cat, I found that /dev/random produces data relatively slowly, sometimes with long pauses, while /dev/urandom produces data very quickly, with basically no pauses.

Using the dd command to copy data streams from these devices, we can see that the speed varies greatly:

Read a 1 KB byte stream from /dev/random:

Read a 1 KB byte stream from /dev/urandom:

Program testing also shows that the more the /dev/random device is read, the slower it responds.

When using PHP's mcrypt encryption extension, the mcrypt_create_iv() function is used to create an initialization vector (IV) from a random source. The signature of this function is:

string mcrypt_create_iv ( int $size [, int $source = MCRYPT_DEV_URANDOM ] )

Note that $source is the second parameter of the function. In versions earlier than PHP 5.6.0, this parameter defaults to MCRYPT_DEV_RANDOM. That is, mcrypt_create_iv obtains its random data from the /dev/random device by default. When system concurrency is high, the system cannot provide enough interrupts, which causes the calling process to block and fail to respond normally.

A simple test script is as follows:

<?php
define("MCRYPT_KEY", "x90!-=Zo2s");
$src = "test";

// Without a second argument, PHP versions before 5.6.0 read the IV from /dev/random
$size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($size);
$encrypted = mcrypt_ecb(MCRYPT_BLOWFISH, MCRYPT_KEY, $src, MCRYPT_DECRYPT, $iv); // deprecated in 5.5+, please test with the latest API

We saw earlier that the output of cat /dev/random has long pauses. When concurrency is high, the reading process may wait or even fail to respond.

Fortunately, we can pass MCRYPT_DEV_URANDOM as the second parameter to force the use of /dev/urandom as the random data stream (PHP 5.6.0+ uses /dev/urandom as the random data source by default).

2. Other Purposes of /dev/random and /dev/urandom

1. These two pseudo devices can be used to generate random temporary file names instead of mktemp:

cat /dev/urandom | od -x | tr -d ' ' | head -n 1

A 128-bit temporary file name can be generated, which has high randomness and security.

2. The fingerprint generated by ssh-keygen can be simulated. The script is as follows:

#!/bin/sh -
# Take the first od line from /dev/urandom, drop the offset column,
# and print each 16-bit word as two colon-separated hex pairs.
cat /dev/urandom |
od -x |
head -n 1 |
cut -d ' ' -f 2- |
awk -v ORS=":" '
{
    for(i=1; i<=NF; i++){
        if(i == NF){
            ORS = "\n";
        }
        print substr($i,1,2) ":" substr($i,3,2);
    }
}'

A brief explanation of the script:

(1). cat /dev/urandom | od -x | head -n 1 reads a data stream from the random device and converts it to hexadecimal. The output of this step looks similar to:

(2). Because the first column is actually the data offset and not random data, use cut to keep only the fields after it: cut -d ' ' -f 2-

(3). Use awk to print the output. ORS is a built-in awk variable: the output record separator. Its default value is \n.

Script output result:

Is it quite similar to the fingerprint generated by ssh-keygen? :D
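The two uses in this section, reworked as an added example (not code from the original article): it reads a fixed number of bytes with od -N instead of trimming an endless stream with head, suppresses the offset column with -A n, and creates the temporary file itself rather than only printing a name. The function names rand_hex, create_excl, make_tmpfile and fake_fingerprint are made up for this sketch.

```shell
#!/bin/sh
# Added example; all function names here are made up for illustration.

# rand_hex N: print N bytes from /dev/urandom as 2*N lowercase hex digits.
# -N bounds the read and -A n suppresses the offset column.
rand_hex() {
    od -A n -t x1 -N "$1" /dev/urandom | tr -d ' \n'
}

# create_excl PATH: create an empty file readable only by its owner.
# noclobber (set -C) makes '>' fail when PATH is already an existing file,
# so a name that was created first by someone else is never reused.
create_excl() (
    umask 077
    set -C
    true > "$1"
)

# make_tmpfile [DIR]: create a file with a 128-bit random name and print
# its path; retry a few times if the name is already taken.
make_tmpfile() (
    dir=${1:-${TMPDIR:-/tmp}}
    tries=0
    while [ "$tries" -lt 5 ]; do
        path="$dir/tmp.$(rand_hex 16)"
        if create_excl "$path" 2>/dev/null; then
            printf '%s\n' "$path"
            exit 0
        fi
        tries=$((tries + 1))
    done
    exit 1
)

# fake_fingerprint: 16 random bytes as colon-separated hex pairs, the same
# shape as the output of the awk script above.
fake_fingerprint() {
    rand_hex 16 | sed 's/../&:/g; s/:$//'
}

# Usage: f=$(make_tmpfile) && echo "created $f"; fake_fingerprint
```

A random name on its own does not create anything; make_tmpfile returns only after the file exists with mode 0600.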
