True RNG and GnuPG / libgcrypt
cswiger at mac.com
Thu Oct 3 22:56:44 CEST 2013
On Oct 3, 2013, at 1:11 PM, Leo Gaspard <ekleog at gmail.com> wrote:
>> However, please also note that bugs or flaws in what was believed to be a good
>> implementation of /dev/random, OpenSSL's rand, etc can lead to weak crypto.
>> A recent case-in-point was the Android SecureRandom issue affecting Bitcoin and
>> possibly other apps, which was due to OpenSSL not being properly initialized:
> In this case, wouldn't re-reading and triple-checking that these
> randomness-generating algorithms are indeed "random" be a better effort for the
> whole crypto community? This way, each and every application can benefit from
> the work made on /dev/random.
Yes, that's likely why Ferguson, Kelsey, & Schneier released Yarrow (and I believe
Fortuna as well) under open, royalty-free license terms.
However, a user running GnuPG on an existing version of whatever OS isn't going to
suddenly obtain a better /dev/random unless the OS vendor releases a patch or update.
And the user gets that update installed; OpenSSL, libgcrypt, Java's crypto stuff,
etc is updated and told to use /dev/random for seeding rather than using a default
static seed initialization; and so forth up through the application stack.
>>> So I believe implementing a fortuna "generator" in GnuPG is not the most urgent
>>> improvement to be made -- though I know nothing of GnuPG's current most-wanted
>> I seem to recall interest in supporting GnuPG on Android, so it would seem worthwhile
>> to make sure that GnuPG is properly seeding OpenSSL and/or libgcrypt. My own quick
>> check of libgcrypt sources suggests that it will treat Android as a Linux flavor
>> and try to seed its CSPRNG from /dev/random.
> In this case, wouldn't developing a general algorithm for randomness
> accumulation and then proposing it to android for inclusion be a better idea
> than just sticking it in gnupg?
> This way, all applications can take advantage of the new randomness accumulation
> algorithm. And maybe would it even be possible to re-use GNU/Linux's /dev/random
Someone has already done the work of porting Fortuna to Linux 2.6.x here:
> However, not knowing much about development on android, I am not to be trusted
> with ideas.
That's OK-- the Google folks lurking some ~5 miles to the west in Mountain View, CA
will do what they feel is best for the Android platform. :-)
> BTW, reading the first few paragraphs of the article you linked, seeding the
> PRNG from /dev/random *is* actually the thing to do, as the issue with android
> would be (if I understood) that it does not properly seed its PRNG.
Yes, that's my impression as well. Of course, it also means that you need to
trust that /dev/random provides high-quality random numbers.
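As an added example for the seeding point made in this thread (written for this archive page, not code from the thread, GnuPG, libgcrypt or OpenSSL): a small C program that contrasts a library falling back to a compiled-in default seed with one that seeds itself from the kernel device, and shows why the first case leaves every process with the same output stream. The xorshift generator standing in for the real CSPRNG, the names seed_from_device, seed_kernel, seed_static and streams_collide, the 0x42 placeholder default seed, and the choice of /dev/urandom (so the example never blocks) are all assumptions of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 16
#define SAMPLE_WORDS 8

/* Read exactly n bytes from a kernel randomness device, looping over short
 * reads and EINTR. Returns 0 on success, -1 if the device cannot be opened
 * or does not deliver n bytes. A caller that ignores -1 and carries on is
 * exactly the "not properly initialized" failure the thread describes. */
static int seed_from_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (r == 0) {            /* EOF: fewer bytes delivered than requested */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Seeder doing what the thread recommends: pull the seed from the kernel.
 * /dev/urandom is used here so the example never blocks (assumption of the
 * example; the thread itself talks about /dev/random). */
static int seed_kernel(unsigned char *buf, size_t n)
{
    return seed_from_device("/dev/urandom", buf, n);
}

/* Seeder modelling the failure class under discussion: a compiled-in default
 * seed (0x42 is a constructed placeholder) that every process falls back to
 * when nothing initialises the library from the kernel device. */
static int seed_static(unsigned char *buf, size_t n)
{
    memset(buf, 0x42, n);
    return 0;
}

/* Toy xorshift128+ generator standing in for the library's real CSPRNG.
 * It is NOT cryptographically secure; the point of the example is the seed. */
typedef struct { uint64_t s[2]; } toy_rng;

static void toy_seed(toy_rng *g, const unsigned char seed[SEED_BYTES])
{
    memcpy(g->s, seed, SEED_BYTES);
    if (g->s[0] == 0 && g->s[1] == 0)
        g->s[1] = 1;             /* xorshift state must be non-zero */
}

static uint64_t toy_next(toy_rng *g)
{
    uint64_t x = g->s[0], y = g->s[1];
    g->s[0] = y;
    x ^= x << 23;
    g->s[1] = x ^ y ^ (x >> 17) ^ (y >> 26);
    return g->s[1] + y;
}

/* Seed two independent generator instances with the given seeder, as two
 * separate processes or apps would, and compare their first outputs.
 * Returns 1 if the streams are identical (seeding contributed no entropy),
 * 0 if they differ, -1 if seeding failed. */
static int streams_collide(int (*seeder)(unsigned char *, size_t))
{
    unsigned char a[SEED_BYTES], b[SEED_BYTES];
    toy_rng ga, gb;
    if (seeder(a, SEED_BYTES) != 0 || seeder(b, SEED_BYTES) != 0)
        return -1;
    toy_seed(&ga, a);
    toy_seed(&gb, b);
    for (int i = 0; i < SAMPLE_WORDS; i++)
        if (toy_next(&ga) != toy_next(&gb))
            return 0;
    return 1;
}

int main(void)
{
    printf("static seed: streams identical = %d\n", streams_collide(seed_static));
    printf("kernel seed: streams identical = %d\n", streams_collide(seed_kernel));
    return 0;
}
```

The check worth copying is the -1 path: a seeding routine that cannot open the device or gets a short read must report it, and the library must refuse to hand out output until seeding has succeeded, rather than silently continuing with whatever happens to be in the state buffer.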