Alternate egd socket
Dave Dykstra
dwd at bell-labs.com
Thu Feb 10 12:05:24 CET 2000
On Thu, Feb 10, 2000 at 06:05:59PM +0100, Werner Koch wrote:
> On Thu, 10 Feb 2000, Dave Dykstra wrote:
>
> > Also, EGD can eat up a lot of memory, especially if multiple people are
> > running it. At least GnuPG offers the "rndunix" alternative to EGD (on
>
> EGD should be run as system service to replace the missing /dev/random
> (okay not a real replace but in the case of GnuPG it is a replace because
> /dev/random is used only as a seed to the internal PRNG). IMO it does
> not make sense to run it for each user - quite bad for system load.
Yes, it is. Do you agree that it is a security problem if you let any user
create the /tmp/entropy to be shared by everybody?
...
> IMHO, if someone is able to access the random seed file, he will also
> be able to access the secret keyring ... well, and then he loads it
> down, starts a dictionary attack and in most cases he will be able to
> get the passphrase. Why the trouble and messing with random numbers
> to get _one_ message decoded when you are able to get the secret key?
Yes, I was thinking that too; I just didn't know if it was possible to
get any useful information from the random seed file, and it sounds like
it isn't.
> Let's see whether I can implement it for the next release.
Cool, thanks. That will permit fast, convenient --encrypt without any
superuser intervention on machines that don't have /dev/random. After that
I think the only reason to use EGD would be for a faster --gen-key.
You could perhaps borrow some stuff for handling the random seed file from
the last free version of ssh at
ftp://ftp.cert.dfn.de/pub/tools/net/ssh/snapshots/ssh-1.2.12.tar.gz
That's what OpenSSH folks plan to do.
- Dave Dykstra
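
The concern raised in the message above about a `/tmp/entropy` that any user can create, as an added example that is not part of the original message or of GnuPG's code: a client-side check that accepts an EGD socket only if the path is a real socket owned by a trusted uid. The function name, the `trusted_uids` parameter and the fixtures are assumptions constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def check_egd_socket(path, trusted_uids=frozenset({0})):
    """Return (ok, reason) for a candidate EGD socket path (hypothetical helper)."""
    try:
        # lstat, not stat: a symlink planted by another user must not be followed.
        st = os.lstat(path)
    except OSError as exc:
        return False, f"cannot stat: {exc.strerror}"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    # In a shared directory such as /tmp, whoever creates the name first owns it,
    # so the owner is the only evidence of who is feeding the entropy.
    if st.st_uid not in trusted_uids:
        return False, f"owned by untrusted uid {st.st_uid}"
    return True, "ok"


def demo():
    """Build constructed fixtures in a private temp dir and check each one."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "entropy")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)  # creates the socket file, owned by the current uid
        try:
            link = os.path.join(d, "link")
            os.symlink(sock_path, link)
            plain = os.path.join(d, "plain")
            open(plain, "w").close()
            results["owner trusted"] = check_egd_socket(sock_path, {me})
            # me + 1 stands in for "the service account, which is not the creator"
            results["owner untrusted"] = check_egd_socket(sock_path, {me + 1})
            results["symlink"] = check_egd_socket(link, {me})
            results["regular file"] = check_egd_socket(plain, {me})
            results["missing"] = check_egd_socket(os.path.join(d, "none"), {me})
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} -> {ok} ({reason})")
```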