True RNG and GnuPG / libgcrypt

Charles Swiger cswiger at mac.com
Thu Oct 3 22:56:44 CEST 2013 

Hi--

On Oct 3, 2013, at 1:11 PM, Leo Gaspard <ekleog at gmail.com> wrote:
>> However, please also note that bugs or flaws in what was believed to be a good
>> implementation of /dev/random, OpenSSL's rand, etc can lead to weak crypto.
>> A recent case-in-point was the Android SecureRandom issue affecting Bitcoin and
>> possibly other apps, which was due to OpenSSL not being properly initialized:
>> 
>> http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html
> 
> In this case, wouldn't re-reading and triple-checking that these
> randomness-generating algorithms are indeed "random" be a better effort for the
> whole crypto community ? This way, each and every application can benefit from
> the work made on /dev/random.

Yes, that's likely why Ferguson, Kelsey, & Schneier released Yarrow (and I believe
Fortuna as well) under open, royalty-free license terms.

However, a user running GnuPG on an existing version of whatever OS isn't going to
suddenly obtain a better /dev/random unless the OS vendor releases a patch or update.
And the user gets that update installed; OpenSSL, libgcrypt, Java's crypto stuff,
etc is updated and told to use /dev/random for seeding rather than using a default
static seed initialization; and so forth up through the application stack.

>>> So I believe implementing a fortuna "generator" in GnuPG is not the most urgent
>>> improvement to be made -- though I know nothing of GnuPG's current most-wanted
>>> improvements.
>> 
>> I seem to recall interest in supporting GnuPG on Android, so it would seem worthwhile
>> to make sure that GnuPG is properly seeding OpenSSL and/or libgcrypt.  My own quick
>> check of libgcrypt sources suggests that it will treat Android as a Linux flavor
>> and try to seed its CSPRNG from /dev/random.
> 
> In this case, wouldn't developing a general algorithm for randomness
> accumulation and then proposing it to android for inclusion be a better idea
> than just sticking it in gnupg ?
> 
> This way, all applications can take advantage of the new randomness accumulation
> algorithm. And maybe would it even be possible to re-use GNU/Linux's /dev/random
> generator.

Someone has already done the work of porting Fortuna to Linux 2.6.x here:

  http://jlcooke.ca/random/

> However, not knowing much about development on android, I am not to be trusted
> with ideas.

That's OK-- the Google folks lurking some ~5 miles to the west in Mountain View, CA
will do what they feel is best for the Android platform.  :-)

> BTW, reading the first few paragraphs of the article you linked, seeding the
> PRNG from  /dev/random *is* actually the thing to do, as the issue with android
> would be (if I understood) that it does not properly seed its PRNG.

Yes, that's my impression as well.  Of course, it also means that you need to
trust that /dev/random provides high-quality random numbers.

Regards,
-- 
-Chuck

More information about the Gnupg-devel mailing list