Editing /dev/random (section)

=== Original implementation ===
Random number generation in [[Kernel (operating system)|kernel space]] was implemented for the first time for [[Linux]]<ref name=":0">{{cite web
 |url         = https://randombit.net/bitbashing/posts/syllable_dev_random.html
 |title       = On Syllable's /dev/random
 |first       = Jack
 |last        = Lloyd
 |date        = 2008-12-09
 |access-date  = 2019-08-21
}}</ref> in 1994 by [[Theodore Ts'o]].<ref>{{cite web
 |url         = http://everything2.com/title/%252Fdev%252Frandom
 |title       = /dev/random
 |date        = 2003-06-08
 |publisher   = [[Everything2]]
 |access-date  = 2013-07-03
 |archive-url  = https://web.archive.org/web/20091117215406/http://everything2.com/title/%252Fdev%252Frandom
 |archive-date = 2009-11-17
 |url-status     = live
}}</ref>
The implementation used [[cryptographic hash function|secure hashes]] rather than [[cipher]]s,{{clarify|date=February 2017}} to avoid [[export of cryptography|cryptography export restrictions]] that were in place when the generator was originally designed. The implementation was also designed with the assumption that any given hash or cipher might eventually be found to be weak, and so the design is durable in the face of any such weaknesses. Fast recovery from [[Entropy pool|pool compromise]] is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system.

In Ts'o's implementation, the generator keeps an estimate of the number of [[bit]]s of noise in the [[entropy pool]]. From this entropy pool random numbers are created. When read, the {{nowrap|{{mono|/dev/random}}}} device will only return random bytes within the estimated number of bits of noise in the entropy pool.  When the entropy pool is empty, reads from {{nowrap|{{mono|/dev/random}}}} will [[Asynchronous I/O|block]] until additional environmental noise is gathered.<ref name="linux-man-page">{{man|4|random|Linux}}</ref> The intent is to serve as a [[cryptographically secure pseudorandom number generator]], delivering output with entropy as large as possible. This is suggested by the authors for use in generating cryptographic keys for high-value or long-term protection.<ref name="linux-man-page"/>

A counterpart to {{nowrap|{{mono|/dev/random}}}} is {{nowrap|{{mono|/dev/urandom}}}} ("unlimited"<ref>{{cite web | url=https://repo.or.cz/w/davej-history.git/blob/d0562c8dc:/drivers/char/random.c#l682
| title=/dev/random and /dev/urandom implementation in Linux 1.3.39, function <code>random_read_unlimited</code>
| date=1995-11-04
| access-date=2013-11-21}}</ref>/non-blocking random source<ref name="linux-man-page"/>) which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from {{nowrap|{{mono|/dev/random}}}}. While {{nowrap|{{mono|/dev/urandom}}}} is still intended as a pseudorandom number generator suitable for most cryptographic purposes, the authors of the corresponding [[man page]] note that, theoretically, there may exist an as-yet-unpublished attack on the algorithm used by {{nowrap|{{mono|/dev/urandom}}}}, and that users concerned about such an attack should use {{nowrap|{{mono|/dev/random}}}} instead.<ref name="linux-man-page"/> However such an attack is unlikely to come into existence, because once the entropy pool is unpredictable it doesn't leak security by a reduced number of bits.<ref>{{cite AV media|url=https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy#video&t=1262|title=The plain simple reality of entropy|author=Filippo Valsorda|date=2015-12-29}}</ref>

It is also possible to write to {{nowrap|{{mono|/dev/random}}}}. This allows any user to mix random data into the pool. Non-random data is harmless, because only a privileged user can issue the [[ioctl]] needed to increase the entropy estimate.{{Dubious|date=December 2020|reason=This isn't the reason that writing non-random data is harmless. 1. The non-random data mixes with the random data in a way that keeps only the randomness, like XOR? That would make it harmless?  2. The entropy estimate is not increased when you write to it, according to https://linux.die.net/man/4/urandom, but it DOES affect the output, so that isn't what makes it harmless. 3. Only privileged users can update the entropy estimate, which doesn't make it harmless?}} The current amount of entropy and the size of the Linux kernel entropy pool, both measured in bits, are available in {{mono|/proc/sys/kernel/random/}} and can be displayed by the command {{code|cat /proc/sys/kernel/random/entropy_avail}} and {{code|cat /proc/sys/kernel/random/poolsize}} respectively.