True RNG and GnuPG / libgcrypt

Leo Gaspard ekleog at gmail.com
Thu Oct 3 13:55:33 CEST 2013


On Wed, Oct 02, 2013 at 03:49:21PM -0700, Charles Swiger wrote:
> Indeed, putting a hopefully-strong (but maybe not) RNG or PRNG behind a hash
> function like AES-256 is the notion which algorithms like Yarrow and Fortuna
> use, and which FreeBSD and MacOS X in turn use for our /dev/random devices:
>
>   http://en.wikipedia.org/wiki/Yarrow_algorithm
>   http://en.wikipedia.org/wiki/Fortuna_%28PRNG%29
>
> It might be nice to accurately know whether a platform provides a trustworthy
> and genuinely random /dev/random, but there is no reason preventing GnuPG /
> libgcrypt from doing Fortuna in userspace (aside from spending some extra
> memory and CPU resources) so that it doesn't have to trust the quality
> of /dev/random.

Since /dev/random is directly OS-managed, distrusting it is directly like
distrusting the OS. (Assuming the OS claims it has a secure randomness
compressor.)

And, once you do not trust your own OS, you can trust absolutely no program
running on it. Thus you are not able to trust GnuPG if you run it on your
untrusted OS.

So I believe implementing a Fortuna "generator" in GnuPG is not the most urgent
improvement to be made -- though I know nothing of GnuPG's current most-wanted
improvements.

Cheers,

Leo



More information about the Gnupg-devel mailing list