[Help-gnutls] Alternate random device for certtool
Werner Koch
wk at gnupg.org
Thu Dec 4 12:36:06 CET 2008
On Sat, 29 Nov 2008 09:21, nmav at gnutls.org said:
> I upgraded to gcrypt 1.4.4 and I notice the same delay, and strace shows
> that /dev/random is being used even with this flag.
What you do in certtool is to call
    if (info.quick_random != 0)
      gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
very early. In fact as the first call to libgcrypt. At that point the
library is not initialized and thus it has not checked whether it is in
FIPS mode; thus the default is used, which is the more restrictive FIPS
mode:
    /* This may be called before full initialization to degrade the
       quality of the RNG for the sake of a faster running test suite. */
    void
    _gcry_enable_quick_random_gen (void)
    {
      if (fips_mode ())
        ; /* Not used. */
      else
        _gcry_rngcsprng_enable_quick_gen ();
    }
As you see, the flag can't be set in this case. What you need to do is
to set this flag during initialization, that is, after a first call to
gcry_check_version. This is how it is done by the libgcrypt regression
tests.
Anyway, using this flag is strongly discouraged. It is only useful for
testing. gpg, for example, refuses to use a key if the random number
generator is in this mode and the User ID of the key is not flagged as
insecure. That is a bit paranoid, but older versions of libgcrypt did
not even use a strong RNG in the quick mode.
If you want to use not so strong keys, you had better use the transient-key
feature available since 1.4.2:
@item transient-key
This is only meaningful for RSA keys. This is a flag with no value. If
given the RSA key is created using a faster and a somewhat less secure
random number generator. This flag may be used for keys which are only
used for a short time and do not require full cryptographic strength.
Usage example:
    err = gcry_sexp_build (&key_spec, NULL,
                           gcry_fips_mode_active ()
                           ? "(genkey (RSA (nbits %d)))"
                           : "(genkey (RSA (nbits %d)(transient-key)))",
                           p_sizes[testno]);
You may use that even with older Libgcrypt versions; however, it is
ignored then. The FIPS mode test is required because this flag is
refused by gcry_pk_genkey in FIPS mode.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
More information about the Gcrypt-devel mailing list