excessive usage of /dev/random?
Werner Koch
wk at gnupg.org
Thu Apr 30 08:50:00 CEST 2015
On Wed, 29 Apr 2015 20:20, dkg at fifthhorseman.net said:
> however, i noticed that using 2.1.3, the following command reads 300
> bytes from /dev/random:
All GnuPG versions do this. GnuPG has always used its own CSPRNG where
/dev/random is used only as a seed. A pool of 600 bytes is used and
pre-seeded from the ~/.gnupg/random_seed state file if it is available. Now
for key generation we do not want to rely on too much existing state and
thus require that 50% fresh entropy is mixed into the pool. Thus the
need for 300 bytes from /dev/random or whatever is used for the entropy
gatherer.
The Linux entropy collectors and thus the quality of /dev/random are
highly dependent on the kernel version, hardware, and OS. Sometimes
/dev/random is very slow but sometimes way too fast on similar hardware.
Thus /dev/random is never used directly; better safe than sorry. The
Libgcrypt/GnuPG RNG design has been evaluated by the BSI for an internal
project where they only questioned the quality and version by version
changes of the entropy gatherer on Linux, i.e. /dev/random. The results
seem to be confidential, however I have some insight because I helped
them by answering questions and leading them through the source code.
Since Libgcrypt 1.6.0 an application may bypass the regular RNG and
directly use /dev/random using gcry_control:
  'GCRYCTL_SET_PREFERRED_RNG_TYPE; Arguments: int'
      These are advisory commands to select a certain random number
      generator. They are only advisory because libraries may not
      know what an application actually wants or vice versa. Thus
      Libgcrypt employs a priority check to select the actually used
      RNG. If an application selects a lower priority RNG but a
      library requests a higher priority RNG, Libgcrypt will switch
      to the higher priority RNG. Applications and libraries should
      use these control codes before 'gcry_check_version'. The
      available generators are:

      'GCRY_RNG_TYPE_STANDARD'
          A conservative standard generator based on the
          "Continuously Seeded Pseudo Random Number Generator"
          designed by Peter Gutmann.

      'GCRY_RNG_TYPE_FIPS'
          A deterministic random number generator conforming to the
          document "NIST-Recommended Random Number Generator Based
          on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES
          and AES Algorithms" (2005-01-31). This implementation
          uses the AES variant.

      'GCRY_RNG_TYPE_SYSTEM'
          A wrapper around the system's native RNG. On Unix systems
          these are usually the /dev/random and /dev/urandom
          devices.

      The default is 'GCRY_RNG_TYPE_STANDARD' unless FIPS mode has
      been enabled, in which case 'GCRY_RNG_TYPE_FIPS' is used and
      locked against further changes.

  'GCRYCTL_GET_CURRENT_RNG_TYPE; Arguments: int *'
      This command stores the type of the currently used RNG as an
      integer value at the provided address.
GnuPG does not use it. Details about the RNG architecture can be found
in the Libgcrypt manual.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.