[Help-gnutls] Alternate random device for certtool

Werner Koch wk at gnupg.org
Fri Dec 5 09:13:24 CET 2008


On Fri,  5 Dec 2008 08:17, nmav at gnutls.org said:

> I don't understand. The issue for certtool that was reported was that it
> was blocking in /dev/random and taking a lot of time to produce any
> output. This was the reason I've put QUICK_RANDOM there.

Right, it is blocking because it needs to generate random numbers and to
do this we need to gather entropy from physical sources.  If the
bandwidth of these sources is that small it just takes a long time.  If
the box is idle it may even not finish at all.  Recall that a computer
is a deterministic machine and that it is hard to extract unpredictable
events from a deterministic machine (actually impossible, but
fortunately a general purpose computer is not completely deterministic.)

Ask the user to work on the box to give it a chance to collect entropy.
For example "find /usr -type f | xargs cat >/dev/null" gets the disk to
work and thus floods the box with interrupts.

> I don't think so. Block for indefinite time (can be even hours) does not
> offer anything unless you can wait. If you want to generate keys and you

I disagree: If you want a secure key, you need to invest something, be
it time to wait for sporadic interrupts, keep on working on the box or
even install a hardware RNG.

> [0]. Also being blocking does not protect from being a bad algorithm. As
> far as I know there are known issues to the blocking linux rng (were
> discussed some years ago in gnutls-dev) and they still cannot gather any
> entropy from network devices because its state can be compromised!

And thus your solution is to give up on it and use a deterministic
source like /dev/urandom?  If /dev/random blocks, /dev/urandom will only
return a sequence of bytes which is predictable if you know the initial
state of the RNG.

It all depends on what you want.  The default for Libgcrypt is to make
sure that there is really strong random available for key generation and
to do with a not so strong (read /dev/urandom) for session keys etc.  If
you don't want that, (transient-key) gives you a way to degrade random
quality for key generation.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are governed by a federal law.
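
Added example, not part of the message above and not Libgcrypt or kernel code: the point about a deterministic source being predictable to anyone who knows its initial state, shown with a simplified HMAC_DRBG-style generator (SHA-256, in the style of NIST SP 800-90A, without reseed counter or personalization string). The class, the demo() helper and the seed value are constructed for illustration; the generator is a stand-in, not the algorithm behind /dev/urandom.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Simplified HMAC_DRBG (SHA-256); illustrative stand-in generator."""

    def __init__(self, seed: bytes):
        self.key = b"\x00" * 32
        self.val = b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # Mix optional input into the internal (key, val) state.
        self.key = self._mac(self.val + b"\x00" + data)
        self.val = self._mac(self.val)
        if data:
            self.key = self._mac(self.val + b"\x01" + data)
            self.val = self._mac(self.val)

    def reseed(self, entropy: bytes) -> None:
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.val = self._mac(self.val)
            out += self.val
        self._update()
        return out[:n]


def demo():
    """Return (output matched before reseed, output matched after reseed)."""
    seed = b"constructed-initial-state"  # constructed sample value
    gen = HmacDrbg(seed)
    clone = HmacDrbg(seed)               # a party that knows the initial state
    before = clone.generate(32) == gen.generate(32)
    gen.reseed(os.urandom(32))           # fresh input the clone never sees
    after = clone.generate(32) == gen.generate(32)
    return before, after
```

demo() returns (True, False): the clone reproduces the output exactly until the generator takes in input the clone does not have.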



