excessive usage of /dev/random?

Werner Koch wk at gnupg.org
Thu Apr 30 08:50:00 CEST 2015


On Wed, 29 Apr 2015 20:20, dkg at fifthhorseman.net said:

> however, i noticed that using 2.1.3, the following command reads 300
> bytes from /dev/random:

All GnuPG versions do this.  GnuPG has always used its own CSPRNG where
/dev/random is used only as a seed.  A pool of 600 bytes is used and
pre-seeded from the ~/.gnupg/random_seed state file if available.  Now
for key generation we do not want to rely on too much existing state and
thus require that 50% fresh entropy is mixed into the pool.  Thus the
need for 300 bytes from /dev/random or whatever is used for the entropy
gatherer.

The Linux entropy collectors and thus the quality of /dev/random are
highly dependent on the kernel version, hardware, and OS.  Sometimes
/dev/random is very slow but sometimes way too fast on similar hardware.
Thus /dev/random is never used directly; better safe than sorry.  The
Libgcrypt/GnuPG RNG design has been evaluated by the BSI for an internal
project where they only questioned the quality and version by version
changes of the entropy gatherer on Linux, i.e. /dev/random.  The results
seem to be confidential, however I have some insight because I helped
them by answering questions and leading them through the source code.

Since Libgcrypt 1.6.0 an application may bypass the regular RNG and
directly use /dev/random using gcry_control:

     'GCRYCTL_SET_PREFERRED_RNG_TYPE; Arguments: int'
          These are advisory commands to select a certain random number
          generator.  They are only advisory because libraries may not
          know what an application actually wants or vice versa.  Thus
          Libgcrypt employs a priority check to select the actually used
          RNG. If an application selects a lower priority RNG but a
          library requests a higher priority RNG Libgcrypt will switch
          to the higher priority RNG. Applications and libraries should
          use these control codes before 'gcry_check_version'.  The
          available generators are:
          'GCRY_RNG_TYPE_STANDARD'
               A conservative standard generator based on the
               "Continuously Seeded Pseudo Random Number Generator"
               designed by Peter Gutmann.
          'GCRY_RNG_TYPE_FIPS'
               A deterministic random number generator conforming to the
               document "NIST-Recommended Random Number Generator Based
               on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES
               and AES Algorithms" (2005-01-31).  This implementation
               uses the AES variant.
          'GCRY_RNG_TYPE_SYSTEM'
               A wrapper around the system's native RNG. On Unix systems
               these are usually the /dev/random and /dev/urandom
               devices.
          The default is 'GCRY_RNG_TYPE_STANDARD' unless FIPS mode has
          been enabled; in which case 'GCRY_RNG_TYPE_FIPS' is used and
          locked against further changes.

     'GCRYCTL_GET_CURRENT_RNG_TYPE; Arguments: int *'
          This command stores the type of the currently used RNG as an
          integer value at the provided address.

GnuPG does not use it.   Details about the RNG architecture can be found
in the Libgcrypt manual.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
