alternative random device
David Shaw
dshaw at jabberwocky.com
Mon Feb 10 02:58:02 CET 2003
On Sun, Feb 09, 2003 at 07:21:28PM +0000, Matthew Byng-Maddick wrote:
> On Sun, Feb 09, 2003 at 07:58:38PM +0100, Janusz A . Urbanowicz wrote:
> > Jacob Perkins napisał[a]/wrote/schrieb:
> > > I'm not sure how common this is, but I am using gentoo, which
> > > provides a /dev/urandom device, which seems to have much better
> > > performance than /dev/random. I actually had to restart earlier
> > > because /dev/random stopped working, and gnupg couldn't generate
> > > any keys, though /dev/urandom worked fine. Is it possible to
> > > configure gnupg to use /dev/urandom instead of /dev/random?
> > > How? --enable-static-rnd doesn't seem to allow specifying the
> > > device. If it currently isn't possible, I think a configure time
> > > option should be added, maybe --random-device=. This is all
> > > with gnupg-1.2.1
> > This is a feature. /dev/random is assumed to be a source of
> > cryptographically safe random bits, while /dev/urandom is
> > not. No one should use /dev/urandom for crypto.
> This depends on the type of crypto, in fact. Something like the
> secret number in a (session) DH key is perfectly adequately
> generated by /dev/urandom, because you're very unlikely to be able
> to recover the state, however something like a long-lived private
> key is a bad thing to be generating in that way, because you would
> rather have real randomness than any sort of (possibly recoverable
> later with some attack on the random device) pseudo-randomness.
GnuPG in fact uses both /dev/random and /dev/urandom in the way you
discuss. There is a notion of multiple quality levels of randomness.
/dev/random is used when necessary, and /dev/urandom is used the rest
of the time.
David
--
David Shaw | dshaw at jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
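
An added sketch, not GnuPG's code and not part of this thread, of the quality-level idea described in the reply above: only the highest level reads /dev/random, everything else reads /dev/urandom. The enum names and the functions device_for_quality() and gather_random() are hypothetical, chosen for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical quality levels; the names are assumptions for this example. */
enum rnd_quality {
    RND_WEAK = 0,      /* nonces, padding */
    RND_SESSION = 1,   /* session keys, ephemeral DH secrets */
    RND_LONG_TERM = 2  /* long-lived private keys */
};

/* Only the top level uses /dev/random, which may block waiting for entropy. */
static const char *device_for_quality(enum rnd_quality q)
{
    return q >= RND_LONG_TERM ? "/dev/random" : "/dev/urandom";
}

/* Fill buf with len bytes from the device for q. Returns 0 or -1. */
static int gather_random(unsigned char *buf, size_t len, enum rnd_quality q)
{
    int fd = open(device_for_quality(q), O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;          /* short reads are normal: keep going */
        else if (n < 0 && errno == EINTR)
            continue;                  /* interrupted by a signal: retry */
        else
            break;                     /* EOF or hard error: fail closed */
    }
    close(fd);
    if (got != len) {
        memset(buf, 0, len);           /* never hand back a partial buffer */
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char key[16];
    if (gather_random(key, sizeof key, RND_SESSION) != 0)
        return 1;
    printf("read %zu bytes from %s\n", sizeof key, device_for_quality(RND_SESSION));
    return 0;
}
```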