man(7)                        rdrand-gen man page                       man(7)

NAME

       rdrand-gen - Generate randomness by using RdRand on Intel's CPUs.

SYNOPSIS

       rdrand-gen [--amount NUM] [--method NAME] [--output FILE]
       [--threads NUM] [--aes-ctr [--aes-keys FILE]] [--verbose] [--version]
       [--help]

DESCRIPTION

       RdRand is an instruction that returns random numbers from an Intel
       on-chip hardware random number generator. RdRand is available on Ivy
       Bridge and later processors.

       It uses a cascade construction, combining a HW RNG operating at 3 Gbps
       with a CSPRNG, with all components sealed on the CPU. The entropy source
       is a metastable circuit whose unpredictable behavior is based on thermal
       noise. The entropy is fed into a 3:1 compression ratio entropy extractor
       (whitener) based on AES-CBC-MAC. Online statistical tests are performed
       at this stage and only high quality random data are used as the seed
       for the cryptographically secure, SP800-90 compliant AES-CTR DRBG.
       This generator produces a maximum of 512 128-bit AES blocks before
       it is reseeded. According to the documentation, 512 blocks is an upper
       limit for reseeding; in practice it reseeds much more frequently.

       Although statistical tests have not revealed any flaws in RdRand's
       output, its internal operation cannot be verified (with a possibility
       for a backdoor to be built into it).
       rdrand-gen is a simple application for generating randomness on Intel's
       CPUs (Ivy Bridge and newer) using the HW RNG on the CPU. It can use
       three methods of generation. The default, get_bytes, is the fastest
       (about 200 MiB/s in one thread on a laptop with a Core i7) and simply
       pulls randomness from the HW RNG. The other two, reseed_delay and
       reseed_skip, are slow but more secure: they enforce a full regeneration
       of the CPU's pool before each single value that is pushed out.

       reseed_delay inserts small delays (20 microseconds), long enough to
       allow the HW to reseed RdRand's internal generator with new entropy
       based on thermal noise, so that two consecutive values returned by
       reseed_delay are guaranteed to be produced with different seeds.
       reseed_skip takes one of 1025 64-bit values (the size of the inner
       pool) and throws away the rest, forcing the HW to reseed. The
       performance of these reseeding methods is about 1/1000 of the default
       one. Performance differs between machines: on one machine reseed_skip
       is faster than reseed_delay, while on another it can be different.
       If --aes-ctr is set, the output of the RdRand instruction is encrypted
       with AES-CTR from OpenSSL. It can either use a random key, or you can
       give it a set of keys and nonces with the --aes-keys parameter. If
       AES is not enabled by the first flag, the keys are ignored.

       The syntax of the key file is as follows:
       Each line is a hexadecimal string containing a key and a nonce.
       There can be at most 128 lines. The key is twice as long as the
       nonce, so if K stands for a key character and N for a nonce character,
       a single line in the key file looks like the following.
           KKKKNN

       24 bytes (48 characters) for a key and a nonce represent a 128-bit key.
       This is also the only key length currently supported. See EXAMPLES
       for a simple way of generating the key file.

OPTIONS

         --help       -h        Print this help.
         --amount     -n NUM    Generate given amount of bytes. Suffixes: K, M,
                                G, T. Without the option or when 0, generate
                                unlimited amount.
         --method     -m NAME   Use method NAME (default is get_bytes, others
                                are reseed_skip and reseed_delay).
         --output     -o FILE   Save the generated data to the file.
         --threads    -t NUM    Run the generator in NUM threads (default 2).
         --aes-ctr    -a        Encrypt the output with AES-CTR.
         --aes-keys   -k FILE   Use given key file for the AES encryption
                                instead of random one. Works only when -a is
                                set.
         --verbose    -v        Be verbose (will print on stderr).
         --version    -V        Print version.

       AES keys in the file for the -k argument have to be 24 bytes long in
       hexadecimal form.

EXAMPLES

       Write 10.5MB of random data to the file /tmp/random
           rdrand-gen -n 10.5M -o /tmp/random

       Generate 20 random passwords of length 20 built from all letters and
       digits. Use the secure get_uint64_array_reseed_skip method.
           (rdrand-gen -n2k -m reseed_skip | tr -cd '[:alnum:]' | fold -w 20 && \
           echo ) | head -20

       Create a GPG encrypted keyfile for aespipe.
           rdrand-gen -n3705 -m reseed_skip | uuencode -m - | head -n 66 | \
           tail -n 65 | gpg --symmetric -a > keyfile.gpg
       Encrypt:
           tar -cvf - files... | bzip2 | aespipe -w 10 -K keyfile.gpg >archive.aes
       Decrypt:
           aespipe -d -K keyfile.gpg < /tmp/archive.aes | bzip2 -d -q | tar -tvf -

       Test the randomness of the generated data with the dieharder test suite
           rdrand-gen | dieharder -g 200 -a

       Test the randomness of the generated data with PractRand
           rdrand-gen | practrand-RNG_test stdin8 -tlmax 4G

       Measure the speed of generation.
           rdrand-gen | pv > /dev/null

       Create a key file for AES encryption
           head -n 3100 /dev/random | xxd -p -c 24 | head -n 129 | tail -n 128 > \
           keys.txt

       Create the keys and pass them to rdrand-gen without saving the keys
       on disk
           rdrand-gen -a -k <(head -n 3100 /dev/random | \
           xxd -p -c 24 | head -n 129 | tail -n 128)
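
       Check a key file against the syntax given in DESCRIPTION before passing
       it to -k. This is an added example, not part of rdrand-gen; the
       function name check_keyfile is hypothetical, and accepting both upper-
       and lower-case hex digits is an assumption.

```sh
#!/bin/sh
# Added example, not part of rdrand-gen: check a key file before using -k.
# check_keyfile is a hypothetical helper name.
# Format from this man page: at most 128 lines, each 48 hex characters
# (32 for the 128-bit key, then 16 for the nonce).
# Assumption: upper- and lower-case hex digits are both accepted.
check_keyfile() {
    awk '
        length($0) != 48 {
            printf "line %d: expected 48 hex characters, got %d\n", NR, length($0)
            bad = 1; next
        }
        /[^0-9A-Fa-f]/ {
            printf "line %d: non-hexadecimal character\n", NR
            bad = 1; next
        }
        {
            # The same key and nonce give the same AES-CTR keystream.
            pair = tolower($0)
            if (pair in seen) {
                printf "line %d: key/nonce pair repeats line %d\n", NR, seen[pair]
                bad = 1
            } else {
                seen[pair] = NR
            }
        }
        END {
            if (NR == 0)  { print "no key/nonce lines found"; bad = 1 }
            if (NR > 128) { printf "%d lines, maximum is 128\n", NR; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: line 2 is too short, line 3 repeats line 1.
sample=$(mktemp)
printf '%s\n' \
    000102030405060708090a0b0c0d0e0f1011121314151617 \
    00010203 \
    000102030405060708090A0B0C0D0E0F1011121314151617 > "$sample"
check_keyfile "$sample" || echo "key file rejected"
rm -f "$sample"
```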

SEE ALSO

       librdrand(3) librdrand-aes(3)

BUGS

       No known bugs.

AUTHOR

       Jan Tulak (jan@tulak.me) Jiri Hladky (hladky.jiri@gmail.com)
1.2                              24 April 2014                          man(7)