True RNG and GnuPG / libgcrypt
Charles Swiger
cswiger at mac.com
Thu Oct 3 00:49:21 CEST 2013
Hi--
On Oct 2, 2013, at 12:54 PM, Matthias-Christian Ott <ott at mirix.org> wrote:
> On 09/26/13 04:45, NIIBE Yutaka wrote:
>> For me, it will be simple and solid if we can use the output of an RNG
>> device directly, for key generation operation of GnuPG, given the
>> condition where such an RNG device has best quality.
>>
>> I mean, it would be good to have an interface which allows using RNG
>> device directly (even if /dev/random is available).
>
> That is a bad idea. How much “true randomness” per bit does NeuG
> generate? If this is less than 1.0, you could weaken security. For
> example with (non-deterministic) DSA you could leak parts of the private
> key, if the attacker can partially predict the output of the
> random number generator with a model of the device. So you can't simply
> read 128 bit of output from the random number generator, use it directly
> as the key and assume that your key provides “128 bit security”. You
> probably have to read a lot more and then compress the data with a hash
> function.
Indeed, putting a hopefully-strong (but maybe not) RNG or PRNG behind a hash
function like AES-256 is the notion which algorithms like Yarrow and Fortuna
use, and which FreeBSD and MacOS X in turn use for our /dev/random devices:
http://en.wikipedia.org/wiki/Yarrow_algorithm
http://en.wikipedia.org/wiki/Fortuna_%28PRNG%29
It might be nice to accurately know whether a platform provides a trustworthy
and genuinely random /dev/random, but there is no reason preventing GnuPG /
libgcrypt from doing Fortuna in userspace (aside from spending some extra
memory and CPU resources) so that it doesn't have to trust the quality
of /dev/random.
Regards,
--
-Chuck
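The sizing argument in the thread (read more raw bits than the target security level when each device bit carries less than one bit of entropy, then compress with a hash) as an added example, not code from GnuPG, libgcrypt or NeuG. It assumes the per-bit min-entropy of the device has already been measured, uses a constructed biased bit source in place of real hardware, and uses SHA-256 as the conditioning hash.

```python
import hashlib
import math
import random


def min_entropy_per_bit(p_one):
    """Min-entropy (in bits) of a bit source with P(bit = 1) = p_one.

    Min-entropy, -log2 of the most likely outcome, is the conservative
    measure to use when deciding how much raw output to collect."""
    p_max = max(p_one, 1.0 - p_one)
    return -math.log2(p_max)


def raw_bits_needed(security_bits, entropy_per_bit):
    """Raw bits to read so the collected min-entropy reaches security_bits."""
    if not 0.0 < entropy_per_bit <= 1.0:
        raise ValueError("entropy per bit must be in (0, 1]")
    return math.ceil(security_bits / entropy_per_bit)


def biased_trng(p_one, n_bits, seed=0):
    """Constructed stand-in for a physical RNG whose bits lean toward 1.

    A real device would be read from its character device; the bias is
    assumed to have been measured when the hardware was characterised."""
    rng = random.Random(seed)
    bits = [1 if rng.random() < p_one else 0 for _ in range(n_bits)]
    packed = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk.extend([0] * (8 - len(chunk)))  # zero-pad the last byte
        packed.append(int("".join(map(str, chunk)), 2))
    return bytes(packed)


def derive_key(raw, security_bits=128):
    """Compress raw RNG output through SHA-256 and keep security_bits of it."""
    return hashlib.sha256(raw).digest()[:security_bits // 8]


def key_from_device(read_bits, security_bits, entropy_per_bit):
    """Read enough raw bits for the target level, then condition them.

    read_bits(n) must return n raw device bits packed into bytes."""
    n_raw = raw_bits_needed(security_bits, entropy_per_bit)
    return derive_key(read_bits(n_raw), security_bits)
```

With a source biased to P(1) = 0.75, `raw_bits_needed(128, min_entropy_per_bit(0.75))` comes to 309 raw bits for a 128-bit key, whereas using 128 raw bits directly would leave only about 53 bits of min-entropy.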