Questions about key generation and RNG

Roscoe eocsor at gmail.com
Thu Sep 2 13:09:34 CEST 2010


On Thu, Aug 5, 2010 at 10:39 PM, Simon Nauberg <snauberg at gmx.de> wrote:
> b) In the German Wikipedia, I've read the following quote:
> "For performance reasons, in practice often only the seed of a pseudo-random number generator is read from /dev/random (e.g. in OpenSSL, PGP and GnuPG)." (http://de.wikipedia.org/wiki//dev/random)
> Which roughly means that only the seed of the PRNG would be read from /dev/random by gnupg.
> This sounds like a limitation, so what exactly does it mean? Is it that gnupg has its own PRNG (if so, which one? BBS? Yarrow?) and uses /dev/random just to seed that one?

Reading the comments at the start of random.c answers that :), as I
imagine you've noticed.

> c) When creating keys (especially the asymmetric keys) good entropy is very critical. Is there some kind of "how to" on what one should do or avoid in order to gain the "best possible" entropy for that? E.g. things like not generating a key directly after booting, producing a lot of valuable entropy (e.g. via keyboard/mouse events) before.

Well, as you've observed the ultimate source of entropy under
GNU/Linux is /dev/random and that in order for its output to be any
good it has to be sufficiently seeded.

> d) Should one use EGD rather than /dev/random (or whatever gnupg uses internally)? If so, why is it better?

Depends. Is there some reason to trust EGD over /dev/random? You're
probably going to have to do some research on that front... Though
most of the world seems happy to use /dev/random. It certainly isn't
perfect, as research will reveal.


> e) When creating keys with "highest demands"... it probably makes sense to use TRNGs, right?
> If so, does this still help if gnupg comes with its own PRNG and uses /dev/random just for seeding that (see (b))?

You could seed /dev/random, though if you distrust /dev/random a more
direct way would be to write 600 bytes of TRNG output to
~/.gnupg/random_seed, and take steps to ensure an adversary could
never read that file - for if they could, you'd be relying on
/dev/random and the system time.

> Is it suggested to use several TRNGs at once?

Maybe. It certainly increases one's confidence. If you XOR together the
output of a set of TRNGs, it'll be at least as good as the best TRNG
in your set.

> f) Any other hints for key-generation? e.g. obscure tricks like changing the system-time, if that one is taken into account for the RNG. Or stuff like that?

Changing system time is a waste of time (ha!).


-- Roscoe
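As an added illustration (not code from this thread or from GnuPG), the two pieces of advice above in Python: XOR-combining the output of several TRNGs, and writing a 600-byte seed to a random_seed file that only its owner can read. The TRNG sources are constructed stand-ins (os.urandom) and the file goes to a temporary directory rather than ~/.gnupg; the 600-byte size and the file name are taken from the reply.

```python
import io
import os
import stat
import tempfile
from functools import reduce

SEED_BYTES = 600  # size the post suggests for ~/.gnupg/random_seed

def xor_combine(samples):
    """XOR equal-length samples from several independent TRNGs: at least as
    good as the best one, but XORing a source with itself cancels to zeros,
    so never feed the same device twice."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all samples must have the same length")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*samples))

def read_exact(source, n):
    """Read exactly n bytes; a blocking TRNG can return short reads, and
    padding those silently would weaken the seed, so refuse instead."""
    buf = bytearray()
    while len(buf) < n:
        chunk = source.read(n - len(buf))
        if not chunk:
            raise IOError("short read from TRNG source")
        buf.extend(chunk)
    return bytes(buf)

def seed_is_private(path):
    """True when no group/other permission bits are set on the seed file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def write_seed(path, data):
    """Create or replace the seed file with mode 0600 (tightening a
    pre-existing wider mode) and report whether it is now owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return seed_is_private(path)

def demo_seed_from_constructed_sources():
    """Two constructed stand-ins for TRNG devices (os.urandom here; a
    hardware RNG's character device in practice), written to a temp dir."""
    sources = [io.BytesIO(os.urandom(SEED_BYTES)) for _ in range(2)]
    seed = xor_combine([read_exact(s, SEED_BYTES) for s in sources])
    with tempfile.TemporaryDirectory() as tmp_dir:
        path = os.path.join(tmp_dir, "random_seed")
        return write_seed(path, seed), len(seed)
```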



More information about the Gnupg-devel mailing list