Bug#475168: certtool --generate-dh-params is ridiculously wasteful of entropy

Thu Sep 30 09:38:37 CEST 2010

I just thought I'd forward mention of Debian bug #475168, available at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168

Briefly, running 
strace -eread -s12 certtool --generate-dh-params --bits 384
(certtool (GnuTLS 2.8.6) 2.9.9, using libgcrypt11 1.4.5-2)

shows 25 120-bytes reads from /dev/urandom, totalling 3000 bytes (14400
bits) for seed material.  This is grotesquely excessive and unnecessarily
drains the entropy pool for other users.  To quote the Linux /dev/random
man page:

	The amount of seed material required to generate a cryptographic
	key equals the effective key size of the key.  For example, a
	3072-bit RSA or Diffie-Hellman private key has an effective key
	size of 128 bits (it requires about 2^128 operations to break)
	so a key generator only needs 128 bits (16 bytes) of seed material
	from /dev/random.

	While some safety margin above that minimum is reasonable, as
	a guard against flaws in the CPRNG algorithm, no cryptographic
	primitive available today can hope to promise more than 256
	bits of security, so if any  program reads more than 256 bits
	(32 bytes) from the kernel random pool per invocation, or
	per reasonable reseed interval (not less than one minute),
	that should be taken as a sign that its cryptography is not
	skilfully implemented.

That's perhaps an oversimplification (I think the Blum-Blum-Shub
generator can do a bit better, assuming factoring is hard), but the
point is still true: using stupid amounts of seed material makes the
implementation look stupid.

Indeed, for D-H *parameter* generation, the seed doesn't have to be secure
at all, although I can see the advantage in using a common PRNG.

Is it possible to make the implementation less stupid?

Thank you!