1.\" $NetBSD: rnd.4,v 1.40 2022/03/20 18:19:57 riastradh Exp $ 2.\" 3.\" Copyright (c) 2014-2020 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Taylor R. Campbell. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd May 1, 2020 31.Dt RND 4 32.Os 33.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 34.Sh NAME 35.Nm rnd 36.Nd random number generator 37.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 38.Sh DESCRIPTION 39The 40.Pa /dev/random 41and 42.Pa /dev/urandom 43devices generate bytes randomly with uniform distribution. 44Every read from them is independent. 45.Bl -tag -width /dev/urandom 46.It Pa /dev/urandom 47Never blocks. 48.It Pa /dev/random 49Sometimes blocks. 50Will block early at boot if the system's state is known to be 51predictable. 52.El 53.Pp 54Applications should read from 55.Pa /dev/urandom , 56or the 57.Xr sysctl 7 58variable 59.Li kern.arandom , 60when they need randomly generated data, e.g. key material for 61cryptography or seeds for simulations. 62(The 63.Xr sysctl 7 64variable 65.Li kern.arandom 66is limited to 256 bytes per read, but is otherwise equivalent to 67reading from 68.Pa /dev/urandom 69and always works even in a 70.Xr chroot 8 71environment without requiring a populated 72.Pa /dev 73tree and without opening a file descriptor, so 74.Li kern.arandom 75may be preferable to use in libraries.) 76.Pp 77Systems should be engineered to judiciously read at least once from 78.Pa /dev/random 79at boot before running any services that talk to the internet or 80otherwise require cryptography, in order to avoid generating keys 81predictably. 82.Pa /dev/random 83may block at any time, so programs that read from it must be prepared 84to handle blocking. 85Interactive programs that block due to reads from 86.Pa /dev/random 87can be especially frustrating. 88.Pp 89If interrupted by a signal, reads from either 90.Pa /dev/random 91or 92.Pa /dev/urandom 93may return short, so programs that handle signals must be prepared to 94retry reads. 95.Pp 96Writing to either 97.Pa /dev/random 98or 99.Pa /dev/urandom 100influences subsequent output of both devices, guaranteed to take 101effect at next open. 102If you have a coin in your pocket, you can flip it 256 times and feed 103the outputs to 104.Pa /dev/random 105to guarantee your system is in a state that nobody but you and the 106bored security guard watching the surveillance camera in your office 107can guess: 108.Bd -literal -offset abcd 109% echo tthhhhhthhhththtthhhhthtththttth... > /dev/random 110.Ed 111.Pp 112(Sequence generated from a genuine US quarter dollar, guaranteed 113random.) 114.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 115.Sh SECURITY MODEL 116The 117.Nm 118subsystem provides the following security properties against two 119different classes of attackers, provided that there is enough entropy 120from entropy sources not seen by attackers: 121.Bl -bullet -offset abcd 122.It 123An attacker who has seen some outputs and can supply some entropy 124sources' inputs to the operating system cannot predict past or future 125unseen outputs. 126.It 127An attacker who has seen the entire state of the machine cannot predict 128past outputs. 129.El 130.Pp 131One 132.Sq output 133means a single read, no matter how short it is. 134.Pp 135.Sq Cannot predict 136means it is conjectured of the cryptography in 137.Fa /dev/random 138that any computationally bounded attacker who tries to distinguish 139outputs from uniform random cannot do more than negligibly better than 140uniform random guessing. 141.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 142.Sh ENTROPY 143The operating system continuously makes observations of hardware 144devices, such as network packet timings, disk seek delays, and 145keystrokes. 146The observations are combined into a seed for a cryptographic 147pseudorandom number generator (PRNG) which is used to generate the 148outputs of both 149.Pa /dev/random 150and 151.Pa /dev/urandom . 152.Pp 153An attacker may be able to guess with nonnegligible chance of success 154what your last keystroke was, but guessing every observation the 155operating system may have made is more difficult. 156The difficulty of the best strategy at guessing a random variable is 157analyzed as the -log_2 of the highest probability of any outcome, 158measured in bits, and called its 159.Em min-entropy , 160or 161.Em entropy 162for short in cryptography. 163For example: 164.Bl -bullet -offset abcd -compact 165.It 166A fair coin toss has one bit of entropy. 167.It 168A fair (six-sided) die roll has a little over 2.5 bits of entropy. 169.It 170A string of two independent fair coin tosses has two bits of entropy. 171.It 172The toss of a pair of fair coins that are glued together has one bit of 173entropy. 174.It 175A uniform random distribution with 176.Fa n 177possibilities has log_2 178.Fa n 179bits of entropy. 180.It 181An utterance from an accounting troll who always says 182.Sq nine 183has zero bits of entropy. 184.El 185.Pp 186Note that entropy is a property of an observable physical process, like 187a coin toss, or of a state of knowledge about that physical process; it 188is not a property of a specific sample obtained by observing it, like 189the string 190.Sq tthhhhht . 191There are also kinds of entropy in information theory other than 192min-entropy, including the more well-known Shannon entropy, but they 193are not relevant here. 194.Pp 195Hardware devices that the operating system monitors for observations 196are called 197.Em "entropy sources" , 198and the observations are combined into an 199.Em "entropy pool" . 200The 201.Xr rndctl 8 202command queries information about entropy sources and the entropy pool, 203and can control which entropy sources the operating system uses or 204ignores. 205.Pp 206256 bits of entropy is typically considered intractable to guess with 207classical computers and with current models of the capabilities of 208quantum computers. 209.Pp 210Systems with nonvolatile storage should store a secret from 211.Pa /dev/urandom 212on disk during installation or shutdown, and feed it back during boot, 213so that the work the operating system has done to gather entropy \(em 214including the work its operator may have done to flip a coin! \(em can be 215saved from one boot to the next, and so that newly installed systems 216are not vulnerable to generating cryptographic keys predictably. 217.Pp 218The boot loaders in some 219.Nx 220ports support a command to load a seed from disk before the 221kernel has started. 222For those that don't, the 223.Xr rndctl 8 224command can do it once userland has started, for example by setting 225.Dq Li random_seed=YES 226in 227.Pa /etc/rc.conf , 228which is enabled by default; see 229.Xr rc.conf 5 . 230.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 231.Sh LIMITATIONS 232Some people worry about recovery from state compromise \(em that is, 233ensuring that even if an attacker sees the entire state of the 234operating system, then the attacker will be unable to predict any new 235future outputs as long as the operating system gathers fresh entropy 236quickly enough. 237.Pp 238But if an attacker has seen the entire state of your machine, 239refreshing entropy is probably the least of your worries, so we do not 240address that threat model here. 241.Pp 242The 243.Nm 244subsystem does 245.Em not 246automatically defend against hardware colluding with an attacker to 247influence entropy sources based on the state of the operating system. 248.Pp 249For example, a PCI device or CPU instruction for random number 250generation which has no side channel to an attacker other than the 251.Pa /dev/urandom 252device could be bugged to observe all other entropy sources, and to 253carefully craft 254.Sq observations 255that cause a certain number of bits of 256.Pa /dev/urandom 257output to be ciphertext that either is predictable to an attacker or 258conveys a message to an attacker. 259.Pp 260No amount of scrutiny by the system's operator could detect this. 261The only way to prevent this attack would be for the operator to 262disable all entropy sources that may be colluding with an attacker. 263If you're not sure which ones are not, you can always disable all of 264them and fall back to the coin in your pocket. 265.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 266.Sh IOCTLS 267The 268.Pa /dev/random 269and 270.Pa /dev/urandom 271devices support a number of ioctls, defined in the 272.In sys/rndio.h 273header file, for querying and controlling the entropy pool. 274.Pp 275Since timing between hardware events contributes to the entropy pool, 276statistics about the entropy pool over time may serve as a side channel 277for the state of the pool, so access to such statistics is restricted 278to the super-user and should be used with caution. 279.Pp 280Several ioctls are concerned with particular entropy sources, described 281by the following structure: 282.Bd -literal 283typedef struct { 284 char name[16]; /* symbolic name */ 285 uint32_t total; /* estimate of entropy provided */ 286 uint32_t type; /* RND_TYPE_* value */ 287 uint32_t flags; /* RND_FLAG_* mask */ 288} rndsource_t; 289 290#define RND_TYPE_UNKNOWN 291#define RND_TYPE_DISK /* disk device */ 292#define RND_TYPE_ENV /* environment sensor (temp, fan, &c.) */ 293#define RND_TYPE_NET /* network device */ 294#define RND_TYPE_POWER /* power events */ 295#define RND_TYPE_RNG /* hardware RNG */ 296#define RND_TYPE_SKEW /* clock skew */ 297#define RND_TYPE_TAPE /* tape drive */ 298#define RND_TYPE_TTY /* tty device */ 299#define RND_TYPE_VM /* virtual memory faults */ 300 301#define RND_TYPE_MAX /* value of highest-numbered type */ 302 303#define RND_FLAG_COLLECT_TIME /* use timings of samples */ 304#define RND_FLAG_COLLECT_VALUE /* use values of samples */ 305#define RND_FLAG_ESTIMATE_TIME /* estimate entropy of timings */ 306#define RND_FLAG_ESTIMATE_VALUE /* estimate entropy of values */ 307#define RND_FLAG_NO_COLLECT /* ignore samples from this */ 308#define RND_FLAG_NO_ESTIMATE /* do not estimate entropy */ 309.Ed 310.Pp 311The following ioctls are supported: 312.Bl -tag -width abcd 313.It Dv RNDGETENTCNT Pq Vt uint32_t 314Return the number of bits of entropy the system is estimated to have. 315.It Dv RNDGETSRCNUM Pq Vt rndstat_t 316.Bd -literal 317typedef struct { 318 uint32_t start; 319 uint32_t count; 320 rndsource_t source[RND_MAXSTATCOUNT]; 321} rndstat_t; 322.Ed 323.Pp 324Fill the 325.Fa sources 326array with information about up to 327.Fa count 328entropy sources, starting at 329.Fa start . 330The actual number of sources described is returned in 331.Fa count . 332At most 333.Dv RND_MAXSTATCOUNT 334sources may be requested at once. 335.It Dv RNDGETSRCNAME Pq Vt rndstat_name_t 336.Bd -literal 337typedef struct { 338 char name[16]; 339 rndsource_t source; 340} rndstat_name_t; 341.Ed 342.Pp 343Fill 344.Fa source 345with information about the entropy source named 346.Fa name , 347or fail with 348.Dv ENOENT 349if there is none. 350.It Dv RNDCTL Pq Vt rndctl_t 351.Bd -literal 352typedef struct { 353 char name[16]; 354 uint32_t type; 355 uint32_t flags; 356 uint32_t mask; 357} rndctl_t; 358.Ed 359.Pp 360For each entropy source of the type 361.Fa type , 362or if 363.Fa type 364is 365.Li 0xff 366then for the entropy source named 367.Fa name , 368replace the flags in 369.Fa mask 370by 371.Fa flags . 372.It Dv RNDADDDATA Pq Vt rnddata_t 373.Bd -literal 374typedef struct { 375 uint32_t len; 376 uint32_t entropy; 377 unsigned char data[RND_SAVEWORDS * sizeof(uint32_t)]; 378} rnddata_t; 379.Ed 380.Pp 381Feed 382.Fa len 383bytes of data to the entropy pool. 384The sample is expected to have been drawn with at least 385.Fa entropy 386bits of entropy. 387.Pp 388This ioctl can be used only once per boot. 389It is intended for a system that saves entropy to disk on shutdown and 390restores it on boot, so that the system can immediately be 391unpredictable without having to wait to gather entropy. 392.It Dv RNDGETPOOLSTAT Pq Vt rndpoolstat_t 393.Bd -literal 394typedef struct { 395 uint32_t poolsize; /* size of each LFSR in pool */ 396 uint32_t threshold; /* no. bytes of pool hash returned */ 397 uint32_t maxentropy; /* total size of pool in bits */ 398 uint32_t added; /* no. bits of entropy ever added */ 399 uint32_t curentropy; /* current entropy `balance' */ 400 uint32_t discarded; /* no. bits dropped when pool full */ 401 uint32_t generated; /* no. bits yielded by pool while 402 curentropy is zero */ 403} rndpoolstat_t; 404.Ed 405.Pp 406Return various statistics about entropy. 407.El 408.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 409.Sh SYSCTLS 410The following 411.Xr sysctl 8 412variables provided by 413.Nm 414can be set by privileged users: 415.Bl -tag -width abcd 416.It Dv kern.entropy.collection Pq Vt bool 417(Default on.) 418Enables entering data into the entropy pool. 419If disabled, no new data can be entered into the entropy pool, whether 420by device drivers, by writes to 421.Pa /dev/random 422or 423.Pa /dev/urandom , 424or by the 425.Dv RNDADDDATA 426ioctl. 427.It Dv kern.entropy.depletion Pq Vt bool 428(Default off.) 429Enables 430.Sq entropy depletion , 431meaning that even after attaining full entropy, the kernel subtracts 432the number of bits read out of the entropy pool from its estimate of 433the system entropy. 434This is not justified by modern cryptography \(em an adversary will 435never guess the 256-bit secret in a Keccak sponge no matter how much 436output from the sponge they see \(em but may be useful for testing. 437.It Dv kern.entropy.consolidate Pq Vt int 438Trigger for entropy consolidation: executing 439.Dl # sysctl -w kern.entropy.consolidate=1 440causes the system to consolidate pending entropy from per-CPU pools 441into the global pool, and waits until done. 442.El 443.Pp 444The following read-only 445.Xr sysctl 8 446variables provide information to privileged users about the state of 447the entropy pool: 448.Bl -tag -width abcd 449.It Dv kern.entropy.needed Pq Vt unsigned int 450Number of bits of entropy the system is waiting for in the global pool 451before reads from 452.Pa /dev/random 453will return without blocking. 454When zero, the system is considered to have full entropy. 455.It Dv kern.entropy.pending Pq Vt unsigned int 456Number of bits of entropy pending in per-CPU pools. 457This is the amount of entropy that will be contributed to the global 458pool at the next consolidation, such as from triggering 459.Dv kern.entropy.consolidate . 460.It Dv kern.entropy.epoch Pq Vt unsigned int 461Number of times system has reached full entropy, or entropy has been 462consolidated with 463.Dv kern.entropy.consolidate , 464as an unsigned 32-bit integer. 465Consulted inside the kernel by subsystems such as 466.Xr cprng 9 467to decide whether to reseed. 468Initially set to 2^32 \- 1 469.Pq i.e., Li "(unsigned)\-1" 470meaning the system has never reached full entropy and the entropy has 471never been consolidated; never again set to 2^32 \- 1. 472Never zero, so applications can initialize a cache of the epoch to zero 473to ensure they reseed the next time they check whether it is different 474from the stored epoch. 475.El 476.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 477.Sh IMPLEMENTATION NOTES 478(This section describes the current implementation of the 479.Nm 480subsystem at the time of writing. 481It may be out-of-date by the time you read it, and nothing in here 482should be construed as a guarantee about the behaviour of the 483.Pa /dev/random 484and 485.Pa /dev/urandom 486devices.) 487.Pp 488Device drivers gather samples from entropy sources and absorb them into 489a collection of per-CPU Keccak sponges called 490.Sq entropy pools 491using the 492.Xr rnd 9 493kernel API. 494The device driver furnishes an estimate for the entropy of the sampling 495process, under the assumption that each sample is independent. 496When the estimate of entropy pending among the per-CPU entropy pools 497reaches a threshold of 256 bits, the entropy is drawn from the per-CPU 498pools and consolidated into a global pool. 499Keys for 500.Pa /dev/random , 501.Pa /dev/urandom , 502.Li kern.arandom , 503and the in-kernel 504.Xr cprng 9 505subsystem are extracted from the global pool. 506.Pp 507Early after boot, before CPUs have been detected, device drivers 508instead enter directly into the global pool. 509If anything in the system extracts data from the pool before the 510threshold has been reached at least once, the system will print a 511warning to the console and reset the entropy estimate to zero. 512The reason for resetting the entropy estimate to zero in this case is 513that an adversary who can witness output from the pool with partial 514entropy \(em say, 32 bits \(em can undergo a feasible brute force 515search to ascertain the complete state of the pool; as such, the 516entropy of the adversary's state of knowledge about the pool is zero. 517.Pp 518If the operator is confident that the drivers' estimates of the entropy 519of the sampling processes are too conservative, the operator can issue 520.Dl # sysctl -w kern.entropy.consolidate=1 521to force consolidation into the global pool. 522The operator can also fool the system into thinking it has more entropy 523than it does by feeding data from 524.Pa /dev/urandom 525into 526.Pa /dev/random , 527but this voids the security model and should be limited to testing 528purposes. 529.Pp 530.Em Short 531reads from 532.Pa /dev/urandom 533are served by a persistent per-CPU Hash_DRBG instance that is 534reseeded from the entropy pool after any entropy consolidation. 535Reads from 536.Pa /dev/random 537and 538.Em long 539reads from 540.Pa /dev/urandom 541are served by a temporary Hash_DRBG seeded from the entropy pool on 542each read. 543.Pp 544When 545.Sq entropy depletion 546is enabled by 547setting the sysctl variable 548.Dv kern.entropy.depletion Ns Li \&=1 , 549every read from 550.Pa /dev/random 551is limited to 256 bits, since reading more than that would nearly 552always block again. 553.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 554.Sh FILES 555.Bl -tag -width /dev/urandom -compact 556.It Pa /dev/random 557Uniform random byte source. 558May block. 559.It Pa /dev/urandom 560Uniform random byte source. 561Never blocks. 562.El 563.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 564.Sh DIAGNOSTICS 565The 566.Nm 567subsystem may print the following warnings to the console likely 568indicating security issues: 569.Bl -diag -offset indent 570.It WARNING: system needs entropy for security; see entropy(7) 571A process tried to draw from the entropy pool before enough inputs from 572reliable entropy sources have been entered. 573.Pp 574The entropy may be low enough that an adversary who sees the output 575could guess the state of the pool by brute force, so in this event the 576system resets its estimate of entropy to none. 577.Pp 578This message is rate-limited to happen no more often than once per 579minute, so if you want to make sure it is gone you should consult 580.Dv kern.entropy.needed 581to confirm it is zero. 582.El 583.Pp 584The 585.Nm 586subsystem may print any of various messages about obtaining an entropy 587seed from the bootloader to diagnose saving and loading seeds on disk: 588.Bl -diag -offset indent 589.It entropy: entering seed from bootloader with N bits of entropy 590The bootloader provided an entropy seed to the kernel, which recorded 591an estimate of N bits of entropy in the process that generated it. 592.It entropy: no seed from bootloader 593The bootloader did not provide an entropy seed to the kernel before 594starting the kernel. 595This does not necessarily indicate a problem; not all bootloaders 596support the option, and the 597.Xr rc.conf 5 598setting 599.Li random_seed=YES 600can serve instead. 601.It entropy: invalid seed length N, expected sizeof(rndsave_t) = M 602The bootloader provided an entropy seed of the wrong size to the 603kernel. 604This may indicate a bug in 605.Xr rndctl 8 . 606The seed will be ignored. 607.It entropy: invalid seed checksum 608The entropy seed provided by the bootloader was malformed. 609The seed will be entered into the entropy pool, but it will be 610considered to contribute no entropy. 611.It entropy: double-seeded by bootloader 612A buggy bootloader tried to provide an entropy seed more than once to 613the kernel. 614Subsequent seeds will be entered into the entropy pool, but they will 615be considered to contribute no entropy. 616.It entropy: ready 617The system has full entropy for the first time. 618.El 619.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 620.Sh SEE ALSO 621.Xr arc4random 3 , 622.Xr entropy 7 , 623.Xr rndctl 8 , 624.Xr cprng 9 , 625.Xr rnd 9 626.Rs 627.%A Elaine Barker 628.%A John Kelsey 629.%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators 630.%D June 2015 631.%Q United States Department of Commerce 632.%I National Institute of Standards and Technology 633.%O NIST Special Publication 800-90A, Revision 1 634.%U https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final 635.Re 636.Rs 637.%A Meltem S\(:onmez Turan 638.%A Elaine Barker 639.%A John Kelsey 640.%A Kerry A. McKay 641.%A Mary L. Baish 642.%A Mike Boyle 643.%T Recommendations for the Entropy Sources Used for Random Bit Generation 644.%D January 2018 645.%Q United States Department of Commerce 646.%I National Institute of Standards and Technology 647.%O NIST Special Publication 800-90B 648.%U https://csrc.nist.gov/publications/detail/sp/800-90b/final 649.Re 650.Rs 651.%A Daniel J. Bernstein 652.%T Entropy Attacks! 653.%D 2014-02-05 654.%U http://blog.cr.yp.to/20140205-entropy.html 655.Re 656.Rs 657.%A Nadia Heninger 658.%A Zakir Durumeric 659.%A Eric Wustrow 660.%A J. Alex Halderman 661.%T Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices 662.%B Proceedings of the 21st USENIX Security Symposium 663.%I USENIX 664.%D August 2012 665.%P 205-220 666.%U https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger 667.%U https://factorable.net/ 668.Re 669.Rs 670.%A Edwin T. Jaynes 671.%B Probability Theory: The Logic of Science 672.%I Cambridge University Press 673.%D 2003 674.%U https://bayes.wustl.edu/ 675.Re 676.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 677.Sh HISTORY 678The 679.Pa /dev/random 680and 681.Pa /dev/urandom 682devices first appeared in 683.Nx 1.3 . 684.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 685.Sh AUTHORS 686.An -nosplit 687The 688.Nm 689subsystem was first implemented by 690.An Michael Graff Aq Mt explorer@flame.org , 691was then largely rewritten by 692.An Thor Lancelot Simon Aq Mt tls@NetBSD.org , 693and was most recently largely rewritten by 694.An Taylor R. Campbell Aq Mt riastradh@NetBSD.org . 695.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 696.Sh BUGS 697Many people are confused about what 698.Pa /dev/random 699and 700.Pa /dev/urandom 701mean. 702Unfortunately, no amount of software engineering can fix that. 703