Bug#475168: certtool --generate-dh-params is ridiculously wasteful of entropy
sacrificial-spam-address at horizon.com
sacrificial-spam-address at horizon.com
Thu Sep 30 09:38:37 CEST 2010
I just thought I'd forward mention of Debian bug #475168, available at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168
Briefly, running
strace -eread -s12 certtool --generate-dh-params --bits 384
(certtool (GnuTLS 2.8.6) 2.9.9, using libgcrypt11 1.4.5-2)
shows 25 120-bytes reads from /dev/urandom, totalling 3000 bytes (14400
bits) for seed material. This is grotesquely excessive and unnecessarily
drains the entropy pool for other users. To quote the Linux /dev/random
man page:
The amount of seed material required to generate a cryptographic
key equals the effective key size of the key. For example, a
3072-bit RSA or Diffie-Hellman private key has an effective key
size of 128 bits (it requires about 2^128 operations to break)
so a key generator only needs 128 bits (16 bytes) of seed material
from /dev/random.
While some safety margin above that minimum is reasonable, as
a guard against flaws in the CPRNG algorithm, no cryptographic
primitive available today can hope to promise more than 256
bits of security, so if any program reads more than 256 bits
(32 bytes) from the kernel random pool per invocation, or
per reasonable reseed interval (not less than one minute),
that should be taken as a sign that its cryptography is not
skilfully implemented.
That's perhaps an oversimplification (I think the Blum-Blum-Shub
generator can do a bit better, assuming factoring is hard), but the
point is still true: using stupid amounts of seed material makes the
implementation look stupid.
Indeed, for D-H *parameter* generation, the seed doesn't have to be secure
at all, although I can see the advantage in using a common PRNG.
Is it possible to make the implementation less stupid?
Thank you!
More information about the Gcrypt-devel
mailing list