1man(7) rdrand-gen man page man(7)
2
6 rdrand-gen - Generate randomness by using RdRand on Intel's CPUs.
7
9 rdrand-gen [--amount NUM] [--method NAME] [--output FILE]
10 [--threads NUM] [--aes-ctr [--aes-keys FILE]] [--verbose] [--version]
11 [--help]
12
15 RdRand is an instruction for returning random numbers from an Intel on-
16 chip hardware random number generator. RdRand is available on Ivy
17 Bridge and later processors.
18 It uses cascade construction, combining a HW RNG operating at 3Gbps
20 with CSPRNG with all components sealed on CPU. The entropy source is a
21 metastable circuit, with unpredictable behavior based on thermal noise.
22 The entropy is fed into a 3:1 compression ratio entropy extractor
23 (whitener) based on AES-CBC-MAC. Online statistical tests are performed
24 at this stage and only high quality random data are used as the seed
25 for cryptographically secure SP800-90 AES-CTR DRBG compliant PRNG.
26 This generator is producing maximum of 512 128-bit AES blocks before
27 it's reseeded. According to documentation the 512 blocks is a upper
28 limit for reseed, in practice it reseeds much more frequently.
29 Despite the statistical tests did not reveal any flaws in RdRand's out‐
31 put, it's intern operation cannot be verified (with a possibility for
32 the backdoor to be built into it).
33 rdrand-gen is a simple application for generating randomness on Intel's
36 CPUs (Ivy Bridge and newers) using the HW RNG on the CPU. It can use
37 three methods of generating: Default get_bytes - is fastest (on a lap‐
38 top with a Core i7 about 200 MiB/s in one thread) and simply pulls out
39 randomness from the HW RNG, and two slow, but more secure methods.
40 These two methods, reseed_delay and reseed_skip are enforcing full re‐
41 generation of the CPU's pool before each single value that is pushed
42 out.
43 reseed_delay is putting small delays (20 microseconds), long enough to
45 allow the HW to reseed the RdRand's internal generator with new thermal
46 noise based entropy so that two consequent values returned by re‐
47 seed_delay are guaranteed to be produced with different seed. re‐
48 seed_skip is taking one of 1025 64bit values (the size of the inner
49 pool) and throwing away the rest, forcing the HW to reseed. The perfo‐
50 mance of these reseeding methods is about 1/1000 of the default one.
51 The performance differs on each machine, one one machine the re‐
52 seed_skip is faster than reseed_delay , while on another one it can be
53 different.
54 If aes-ctr is set, then the output of RdRand instruction is encrypted
56 with AES-CTR from OpenSSL. It can either use a random key, or you can
57 give it a set of keys and nonces to use by using aes-keys parameter. If
58 AES is not enabled by the first flag, the keys are ignored.
59 Syntax of the key file is following:
61 On each line is a hexadecimal string containing a key and a nonce.
62 There can be 128 lines at max. Length of a single key is twice of the
63 nonce, so if K stands for a key character and N for a nonce, a single
64 line in the key file will look like the following.
65 KKKKNN
66 24 bytes (48 characters) for a key and a nonce represents a 128bit key.
68 This is also the only currently supported length of the key. See Exam‐
69 ples for a simple way of generating the key file.
70
74 --help -h Print this help.
75 --amount -n NUM Generate given amount of bytes. Suffixes: K, M,
76 G, T. Without the option or when 0, generate unlimited amount.
77 --method -m NAME Use method NAME (default is get_bytes , others
78 are reseed_skip and reseed_delay ).
79 --output -o FILE Save the generated data to the file.
80 --threads -t NUM Run the generator in NUM threads (default 2).
81 --aes-ctr -a Encrypt the output with AES-CTR.
82 --aes-keys -k FILE Use given key file for the AES encryption
83 instead of random one. Works only when -a is set.
84 --verbose -v Be verbose (will print on stderr).
85 --version -V Print version.
86 AES keys in file for -k argument has to be 24 bytes long in hexadecimal
88 form.
89
92 Write 10.5MB of random data to the file /tmp/random
93 rdrand-gen -n 10.5M -o /tmp/random
94 Generate 20 random passwords of length 20 build from all letters and
96 digits. Use the secure get_uint64_array_reseed_skip method.
97 (rdrand-gen -n2k -m reseed_skip | tr -cd '[:alnum:]' | fold -w 20 &&
98 echo ) | head -20
99 Create GPG encrypted keyfile for aespipe.
102 Encrypt:
103 tar -cvf - files... | bzip2 | aespipe -w 10 -K keyfile.gpg >archive.aes
104 Decrypt:
105 aespipe -d -K keyfile.gpg < /tmp/archive.aes | bzip2 -d -q | tar -tvf -
106 rdrand-gen -n3705 -m reseed_skip | uuencode -m - | head -n 66 | tail -n
107 65 | \
108 gpg --symmetric -a > keyfile.gpg
109 Test the randomness of the generated data with dieharder test suite
111 rdrand-gen | dieharder -g 200 -a
112 Test the randomness of the generated data with PractRand
114 rdrand-gen | practrand-RNG_test stdin8 -tlmax 4G
115 Measure the speed of generation.
117 rdrand-gen | pv > /dev/null
118 Create a key file for AES encryption
121 head -n 3100 /dev/random | xxd -p -c 24 | head -n 129 | tail -n 128 >
122 keys.txt
123 Create the keys and pass them to the rdrand-gen without saving the keys
125 on disk
126 rdrand-gen -a -k <(head -n 3100 /dev/random | \
127 xxd -p -c 24 | head -n 129 | tail -n 128)
128
133 librdrand(3) librdrand-aes(3)
134
137 No known bugs.
138
141 Jan Tulak (jan@tulak.me) Jiri Hladky (hladky.jiri@gmail.com)
1421.2 24 April 2014 man(7)