[Help-gnutls] Alternate random device for certtool

Werner Koch wk at gnupg.org
Sat Dec 6 14:09:26 CET 2008


On Fri,  5 Dec 2008 21:06, nmav at gnutls.org said:

> There are many parts in a typical PC that can feed a prng with
> non-deterministic data. Typical examples are the network card and sound

Please read Peter's papers on this subject.  In particular, network
traffic does not yield any usable entropy.

> 1. It needs to block when it thinks it does not have enough randomness

Right, that is the correct behaviour.  Actually I believe that current
Linux even estimates too high an entropy.

> 2. It does not use all available random data sources because its state
> could be compromised by a malicious or broken source.

Correct behaviour.

> Fortuna [0] is a suitable PRNG replacement, because it has none of these

Well, as you say, this is a PRNG.  It needs to be seeded.  And the seed
is the most problematic part.  Almost all evaluations are handwaving the
problem.  The use of a continuously seeded PRNG is a pragmatic
solution towards these problems.  IIRC, NIST's special publication
800-90 suggests re-seeding a PRNG as often as possible.  FIPS 140-2
allows and suggests re-seeding.  For a real entropy source you need a
*reliable* hardware entropy source.

> Moreover the blocking interface makes it easy to prevent someone from
> creating a key... Just cat /dev/random, or open many tcp connections to
> a linux host.

So what?  You are under attack and you still want to create a key on
that attacked box?

> /dev/urandom is not deterministic it just has worse PR.
> /dev/random is the SAME as /dev/urandom with the exception that it
> blocks when it THINKS randomness gathered is not enough. If it thinks

That is simply not true.  Read the 2006 paper by Gutterman, Pinkas and
Reinman on the Linux RNG.

Yes, I have a pretty conservative POV on entropy gathering.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

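Added example, not part of the thread and not code from GnuTLS, libgcrypt or
certtool: the "continuously seeded PRNG" Werner refers to, written as the
HMAC_DRBG construction from NIST SP 800-90A (SHA-256) with a reseed counter, so
that the generator pulls fresh entropy from its source every `reseed_interval`
generate calls instead of living off a single seed.  The entropy-source
callback, the small default interval (real deployments use a far larger one)
and the scripted byte string used to make the run reproducible are all
assumptions of this example; os.urandom is only the assumed default source.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A, SHA-256) with automatic reseeding.

    entropy_source(n) must return exactly n bytes of fresh entropy.  The
    default, os.urandom, is an assumption of this example; a wrapper around a
    hardware source can be passed instead.
    """

    OUTLEN = 32  # SHA-256 digest size in bytes

    def __init__(self, entropy_source=os.urandom, reseed_interval=8,
                 personalization=b""):
        self.entropy_source = entropy_source
        self.reseed_interval = reseed_interval  # illustrative value, see lead-in
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        # Instantiate: seed_material = entropy || nonce || personalization
        entropy = self._fetch_entropy(self.OUTLEN)
        nonce = self._fetch_entropy(self.OUTLEN // 2)
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1
        self.reseeds = 0  # bookkeeping only, so callers can see reseeds happen

    def _fetch_entropy(self, n):
        # A broken or exhausted source must abort, never silently degrade.
        data = self.entropy_source(n)
        if not isinstance(data, bytes) or len(data) != n:
            raise RuntimeError("entropy source did not deliver the requested bytes")
        return data

    def _hmac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update from SP 800-90A section 10.1.2.2
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, additional_input=b""):
        # Mix fresh entropy into the state and restart the counter.
        entropy = self._fetch_entropy(self.OUTLEN)
        self._update(entropy + additional_input)
        self.reseed_counter = 1
        self.reseeds += 1

    def generate(self, nbytes, additional_input=b""):
        # Reseed automatically once the interval is exceeded (the
        # "continuously seeded" behaviour), then produce nbytes of output.
        if self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)
            additional_input = b""
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


def make_scripted_entropy(script):
    """Constructed test helper: hands out successive chunks of a fixed byte
    string in place of a real entropy source so a run is reproducible.  It
    deliberately fails when exhausted, like a source that stops delivering."""
    buf = bytearray(script)

    def source(n):
        if len(buf) < n:
            raise RuntimeError("scripted entropy exhausted")
        chunk = bytes(buf[:n])
        del buf[:n]
        return chunk

    return source


if __name__ == "__main__":
    drbg = HmacDrbg(reseed_interval=2)  # seeded from os.urandom
    for i in range(4):
        print(i, drbg.generate(16).hex(), "reseeds so far:", drbg.reseeds)
```

With a scripted source the run is deterministic, which is how the reseed
step can be checked: two generators fed the same script agree until the one
with the shorter interval reseeds, after which their streams diverge.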