/dev/random: difference between revisions
{{S|Unix}}
In [[Unix]] and [[Unix-like]] operating systems, '''/dev/random''' (random device) is a [[special file]]
The implementation of /dev/random is not the same across all Unix-like systems. [[Linux]] was the first Unix-like system to implement /dev/random as a random number generator. Similar implementations exist in [[FreeBSD]], [[Solaris (operating system)|Solaris]], [[Mac OS X]], [[NetBSD]], [[OpenBSD]], [[Tru64|Tru64 UNIX 5.1B]], [[AIX (operating system)|AIX 5.2]], and [[HP-UX|HP-UX 11i v2]]. In the [[Windows NT]] family of systems, similar functions are performed by the file ksecdd.sys.
==Linux==
Random number generation in the [[kernel]] was first implemented in [[Linux]]<ref>{{cite web|url=http://www.randombit.net/bitbashing/security/syllable_dev_random.html |title=On Syllable's /dev/random |author=Jack Lloyd |date=December 9, 2008 |accessdate=2009-04-27|archiveurl=http://www.webcitation.org/5gOzG0qvc|archivedate=2009-04-29|deadurl=no}}</ref> in 1994 by [[Theodore Ts'o]].<ref>{{cite web|url=http://everything2.com/title/%252Fdev%252Frandom |title=/dev/random |date=June 8, 2003 |publisher=everything2.com |accessdate=2009-04-27|archiveurl=http://www.webcitation.org/5gOzGLECz|archivedate=2009-04-29|deadurl=no}}</ref> The implementation uses [[SHA-1|secure hashes]] rather than a [[cipher]] to avoid legal problems that existed at the time the design was made. The implementation also allows for the possibility that a given hash or cipher may later be found to be weak, so the design is durable against any such weakness. <!--Fast recovery from [[pool compromise]] is not considered a requirement, because the requirements for pool compromise are sufficient for much easier and more direct attacks on unrelated parts of the operating system.-->
In this implementation, the generator keeps an estimate of the number of [[bit]]s of noise in the [[entropy pool]]. Random numbers are created from this entropy pool. When read, <code>/dev/random</code> returns only as many random bytes as the estimated number of bits of noise in the entropy pool allows. <code>/dev/random</code> may be suitable for users who need very high quality randomness, such as for creating a [[one-time pad]] or [[public key|public keys]]. When the entropy pool is empty, reads from <code>/dev/random</code> block until additional environmental noise is gathered.<ref>{{man|4|urandom}}</ref> The intent is to serve as a [[cryptographically secure pseudorandom number generator]], delivering output with entropy as large as possible.
A counterpart to <code>/dev/random</code> is '''/dev/urandom''' (an "unlocked", non-blocking random source<ref>http://www.kernel.org/doc/man-pages/online/pages/man4/random.4.html</ref>) which reuses the internal pool to produce additional pseudorandom bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from <code>/dev/random</code>. While it is still intended as a pseudorandom number generator suitable for most cryptographic purposes, it is not recommended for the generation of long-term cryptographic keys.
It is also possible to write to <code>/dev/random</code>. This allows any user to mix random data into the pool. The current amount of entropy and the size of the Linux kernel entropy pool are available through <code>/proc/sys/kernel/random/</code>.
In March 2006 Gutterman, Pinkas, & Reinman published a detailed analysis of the Linux random number generator<ref>{{cite web|url=http://www.pinkas.net/PAPERS/gpr06.pdf |title=Analysis of the Linux Random Number Generator |author=Zvi Gutterman |coauthors=Benny Pinkas, Tzachy Reinman |date=March 6, 2006 |format=PDF |accessdate=2008-09-18}}</ref> in which they describe several weaknesses. Perhaps the most severe issue reported is with [[embedded system|embedded]] or [[Live CD]] systems, where the boot-up state is predictable and the entropy available from the environment may be limited. For systems with non-volatile memory, they recommend saving some state of the generator at shutdown so that it can be used as the state at the next boot. In the case of routers for which network traffic is the primary source of entropy, the authors note that saving state across reboots "should require a potential attacker to eavesdrop on all network traffic" passing through the router, and to obtain direct access to the router's internal state. This issue is particularly critical for wireless routers, whose network traffic can be captured from a distance and which may be used to generate cryptographic keys.
==FreeBSD==
The FreeBSD operating system implements a 256-bit variant of the [[Yarrow algorithm]], intended to provide a [[cryptographically secure pseudorandom number generator|cryptographically secure pseudorandom stream]]—this replaced a previous Linux style random device. Unlike the Linux <code>/dev/random</code>, the FreeBSD <code>/dev/random</code> device never blocks. Its behavior is similar to the Linux <code>/dev/urandom</code>, and <code>/dev/urandom</code> on FreeBSD is linked to <code>/dev/random</code>.
Yarrow is based on the assumptions that modern PRNGs are very secure if their internal state is unknown to an attacker, and that they are better understood than the estimation of entropy. Whilst entropy pool based methods are completely secure if implemented correctly, if they overestimate their entropy they may become less secure than well-seeded PRNGs. In some cases an attacker may have a considerable amount of control over the entropy, for example a diskless server may get almost all of it from the network—rendering it potentially vulnerable to man-in-the-middle attacks. Yarrow places a lot of emphasis on avoiding any pool compromise and on recovering from it as quickly as possible. It is regularly reseeded; on a system with small amount of network and disk activity, this is done after a fraction of a second.
In 2004, [[Landon Curt Noll]] tested the FreeBSD 5.2.1 version of '''/dev/random''' and suggested that it was not cryptographically secure because its output had multiple uniformity flaws.<ref>{{cite |title=How good is LavaRnd?: Detailed Description of Test Results and Conclusions |url=http://www.lavarnd.org/what/nist-test.html |date=22 Sep 2004 |work=LavaRnd |publisher=LavaRnd |accessdate=22 Dec. 2010}}</ref> Similar flaws were found in the [[Linux]] 2.4.21-20, [[Solaris (operating system)|Solaris]] 8 patch 108528-18, and [[Mac OS X]] 10.3.5 implementations of '''/dev/random'''.
FreeBSD also provides support for [[hardware random number generator]]s, which will replace Yarrow when present.
==Other operating systems==
<code>/dev/random</code> and <code>/dev/urandom</code> are also available on [http://blogs.sun.com/yenduri/entry/dev_random_in_solaris Solaris], [http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man4/random.4.html Mac OS X], [http://netbsd.gw.com/cgi-bin/man-cgi?rnd++NetBSD-current NetBSD], [http://www.openbsd.org/cgi-bin/man.cgi?query=srandom&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html OpenBSD], [http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V51B_HTML/MAN/MAN4/0199____.HTM Tru64 UNIX 5.1B], [http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.files/doc/aixfiles/random.htm#idx927 AIX 5.2], and [http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I HP-UX 11i v2]. As with FreeBSD, AIX implements its own Yarrow-based design; however, AIX uses considerably fewer entropy sources than the standard <code>/dev/random</code> implementation and stops refilling the pool when it thinks it contains enough entropy.<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-devel/2003-April/019954.html |title=AIX 5.2 /dev/random and /dev/urandom devices |publisher=Lists.gnupg.org |author=Iain Roberts |date=April 25, 2003 |accessdate=2008-09-18}}</ref>
In [[Windows NT]], similar functionality is delivered by <code>ksecdd.sys</code>, but reading the special file <code>\Device\KsecDD</code> does not work as in UNIX. The documented methods to generate cryptographically random bytes are [[CryptGenRandom]] and [[RtlGenRandom]].
While [[DOS]] does not natively provide such functionality, there is an open source third-party driver called [http://www.rahul.net/dkaufman/index.html Noise.sys] which functions similarly in that it creates two devices, <code>RANDOM$</code> and <code>URANDOM$</code>, which are also accessible as <code>/DEV/RANDOM$</code> and <code>/DEV/URANDOM$</code>, that programs can access for random data.
==EGD as an alternative==
A software program called '''EGD''' (entropy gathering daemon) is a common alternative for Unix systems which do not support the /dev/random device. It is a [[user space]] [[Daemon (computer software)|daemon]] which provides high quality cryptographic random data. Some cryptographic software such as [[OpenSSL]], [[GNU Privacy Guard]], and the [[Apache HTTP Server]] support using EGD when a /dev/random device is not available.
[http://egd.sourceforge.net/ EGD], or a compatible alternative such as [http://prngd.sourceforge.net/ prngd], gather pseudo-random entropy from various sources, process it to remove bias and improve cryptographic quality, and then make it available over a [[Unix ___domain socket]] (with '''/dev/egd-pool''' being a common choice), or over a [[Internet socket|TCP socket]]. The entropy gathering usually entails periodically [[Fork (operating system)|forking]] subprocesses to query attributes of the system that are likely to be frequently changing and unpredictable, such as monitoring CPU, I/O, and network usage as well as the contents of various log files and [[Temporary folder|temporary directories]].
EGD communicates with other programs which need random data using a simple [[Protocol (computing)|protocol]]. The client connects to an EGD socket and sends a command, identified by the value of the first [[octet]]:
* command 0: query the amount of entropy currently available. The EGD daemon returns a 4-byte number in [[Endianness|big endian]] format representing the number of random bytes that can currently be satisfied without delay.
* command 1: get random bytes, no blocking. The second byte in the request tells EGD how many random bytes of output it should return, from 1 to 255. If EGD does not have enough entropy to immediately satisfy the request, fewer bytes, or perhaps no bytes may be returned. The first octet of the reply indicates how many additional bytes, those containing the random data, immediately follow in the reply.
* command 2: get random bytes, blocking. The second byte tells EGD how many random bytes of output it should return. If EGD does not have enough entropy, it will wait until it has gathered enough before responding. Unlike command 1, the reply starts immediately with the random bytes rather than a length octet, as the total length of returned data will not vary from the amount requested.
* command 3: update entropy. This command allows the client to provide additional entropy to be added to EGD's internal pool. The next two bytes, interpreted as a 16-bit big endian integer indicate how many bits of randomness the caller is claiming to be supplying. The fourth byte indicates how many additional bytes of source data follow in the request. The EGD daemon may mix in the received entropy and will return nothing back.
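The four-command EGD protocol described above, as an added example that is not EGD's own code: a small Python client that encodes each request and decodes each reply exactly as the list specifies (4-byte big-endian count for command 0, length-prefixed reply for command 1, unprefixed reply for command 2, no reply for command 3), exercised against a constructed toy daemon over a socketpair. The toy daemon, its fixed 16-byte pool and the <code>demo</code> session are assumptions made for the demonstration; a real EGD hashes contributed data into its pool and waits on command 2 rather than serving a short answer.

```python
import socket
import struct
import threading

def recv_exact(sock, n):  # EGD replies carry no framing beyond what each command defines
    buf = sock.recv(n, socket.MSG_WAITALL) if n else b""
    if len(buf) != n:
        raise ConnectionError("EGD closed the socket early")
    return buf

def egd_entropy_available(sock):  # command 0: reply is a 4-byte big-endian byte count
    sock.sendall(b"\x00")
    return struct.unpack(">I", recv_exact(sock, 4))[0]
def egd_read_nonblocking(sock, n):  # command 1: reply is <len><len bytes>; len may be < n, even 0
    assert 1 <= n <= 255
    sock.sendall(bytes([1, n]))
    return recv_exact(sock, recv_exact(sock, 1)[0])
def egd_read_blocking(sock, n):  # command 2: reply is exactly n bytes, with no length octet
    assert 1 <= n <= 255
    sock.sendall(bytes([2, n]))
    return recv_exact(sock, n)
def egd_add_entropy(sock, data, claimed_bits):  # command 3: <bits:2 BE><len:1><data>, no reply
    assert len(data) <= 255 and 0 <= claimed_bits <= 0xFFFF
    sock.sendall(b"\x03" + struct.pack(">H", claimed_bits) + bytes([len(data)]) + data)

def toy_egd_daemon(sock, pool):  # constructed stand-in for egd: fixed pool, deterministic output
    pool = bytearray(pool)
    while cmd := sock.recv(1):  # an empty read means the client hung up
        if cmd == b"\x00":
            sock.sendall(struct.pack(">I", len(pool)))
        elif cmd in (b"\x01", b"\x02"):
            n = min(recv_exact(sock, 1)[0], len(pool))  # a real EGD would wait on command 2
            out, pool[:n] = bytes(pool[:n]), b""
            sock.sendall((bytes([n]) if cmd == b"\x01" else b"") + out)
        elif cmd == b"\x03":
            hdr = recv_exact(sock, 3)         # 2 bytes of claimed bits (ignored here) + data length
            pool += recv_exact(sock, hdr[2])  # toy mixing: append; real EGD hashes it into the pool

def demo():  # one client session over a socketpair; returns what the client observed
    client, server = socket.socketpair()
    threading.Thread(target=toy_egd_daemon, args=(server, bytes(range(16))), daemon=True).start()
    r = {"avail0": egd_entropy_available(client)}    # 16 bytes in the pool
    r["first"] = egd_read_nonblocking(client, 10)    # 10 bytes served
    r["short"] = egd_read_nonblocking(client, 10)    # only 6 left: short reply instead of blocking
    egd_add_entropy(client, b"abcd", 16)             # client claims 16 bits of entropy in 4 bytes
    r["avail1"] = egd_entropy_available(client)      # 4
    r["blocking"] = egd_read_blocking(client, 4)     # exactly 4 bytes, no length octet
    client.close()
    return r
```

The short reply on the second command 1 is the case a client must handle: it is not an error, and a caller that assumed it received the full count would silently use fewer random bytes than it asked for.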
==See also==
* [[Unix philosophy]]
* [[Standard streams]]
* <tt>[[:/dev/full]]</tt>
* <tt>[[:/dev/null]]</tt>
* <tt>[[:/dev/zero]]</tt>
* <tt>[[:/dev]]</tt>
* [[Hardware random number generator]]
* [[Cryptographically secure pseudo-random number generator]]
* [[Yarrow algorithm]]
* [[Fortuna (PRNG)|Fortuna algorithm]]
==Notes==
{{reflist}}
==References==
{{morefootnotes|date=December 2010}}
* [http://msdn2.microsoft.com/en-us/library/aa379942.aspx CryptGenRandom]
* [http://msdn2.microsoft.com/en-us/library/aa387694.aspx RtlGenRandom]
* [http://www.suse.de/~thomas/papers/random-analysis.pdf Biege, Thomas; Analysis of a strong Random Number Generator] [http://www.suse.de/~thomas/papers/23c3-random-analysis.pdf Slides]
{{DEFAULTSORT:/Dev/Random}}
[[Category:Randomness|Dev Random]]
[[Category:Unix|Dev Random]]
[[Category:Device file]]
[[de:/dev/random]]
[[es:/dev/random]]
[[fr:/dev/random]]
[[it:/dev/random]]
[[ja:/dev/random]]
[[pl:/dev/random]]
[[pt:/dev/random]]
[[ru:/dev/random и /dev/urandom]]
[[tr:/dev/random]]
[[zh:/dev/random]]