True RNG and GnuPG / libgcrypt

Charles Swiger cswiger at mac.com
Thu Oct 3 20:10:10 CEST 2013


Hi--

On Oct 3, 2013, at 4:47 AM, Leo Gaspard <ekleog at gmail.com> wrote:
>> It might be nice to accurately know whether a platform provides a trustworthy
>> and genuinely random /dev/random, but there is no reason preventing GnuPG /
>> libgcrypt from doing Fortuna in userspace (aside from spending some extra
>> memory and CPU resources) so that it doesn't have to trust the quality
>> of /dev/random.
> 
> Knowing that /dev/random is directly OS-managed, distrusting it is directly like
> distrusting the OS. (Assuming the OS claims it has a secure randomness
> compressor.)
> 
> And, once you do not trust your own OS, you can trust absolutely no program
> running on it. Thus you are not able to trust GnuPG, if you run it on your
> not-trusted OS.

Yes, that's true as far as it goes: if the OS has been maliciously compromised,
then no program running on it can be considered secure or trustworthy.

However, please also note that bugs or flaws in what was believed to be a good
implementation of /dev/random, OpenSSL's rand, etc. can lead to weak crypto.
A recent case-in-point was the Android SecureRandom issue affecting Bitcoin and
possibly other apps, which was due to OpenSSL not being properly initialized:

http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html

> So I believe implementing a Fortuna "generator" in GnuPG is not the most urgent
> improvement to be made -- though I know nothing of GnuPG's current most-wanted
> improvements.

I seem to recall interest in supporting GnuPG on Android, so it would seem worthwhile
to make sure that GnuPG is properly seeding OpenSSL and/or libgcrypt.  My own quick
check of libgcrypt sources suggests that it will treat Android as a Linux flavor
and try to seed its CSPRNG from /dev/random.

Regards,
-- 
-Chuck
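
Added example, not part of the original message and not libgcrypt's or GnuPG's code: a fail-closed read of seed bytes from a kernel random device in C, so that a missing, replaced or truncated source stops the program instead of leaving a CSPRNG unseeded. The helper name `read_seed` and the 32-byte seed size are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill buf with len bytes from the device at path (hypothetical helper).
 * Returns 0 on success, -1 on any failure; never hands back a partial seed. */
int read_seed(const char *path, unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* Refuse anything that is not a character device, for example a
     * regular file sitting at the expected path. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        goto fail;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;      /* short reads are normal: keep going */
        else if (n < 0 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        else
            goto fail;             /* EOF or hard error: no seed */
    }
    close(fd);
    return 0;
fail:
    close(fd);
    memset(buf, 0, len);           /* wipe whatever was partially read */
    return -1;
}

int main(void)
{
    unsigned char seed[32];        /* seed size chosen for the example */
    if (read_seed("/dev/random", seed, sizeof seed) != 0) {
        fprintf(stderr, "no usable entropy source, refusing to continue\n");
        return 1;
    }
    puts("seed obtained");
    return 0;
}
```

The check only establishes that the expected number of bytes came from a character device; it says nothing about the quality of what the kernel returns.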



