Key generation: is it possible to fail fast?

Werner Koch wk at
Mon Feb 20 09:15:15 CET 2017

On Fri, 17 Feb 2017 21:51, dkg at said:

> conservative, and use that to seed a cryptographically-strong
> pseudorandom number generator (CSPRNG) like yarrow or fortuna.  Then
> your key generation pulls from the CSPRNG, instead of /dev/random
> directly.

Actually this is how the Libgcrypt RNG has always worked.  It is merely
that as an extra security pitch we require some extra seeding for
creating long term keys.

Thus the actual question is whether the extra security margin we gain
through the extra seeding is worth the trouble.

In the past /dev/urandom was not guaranteed to be actually seeded and
thus the use of the blocking /dev/random was needed.  With the
advent of the getrandom system call on Linux we know that /dev/urandom
is seeded and thus we could do without the blocking /dev/random. I don't
want to decide that myself, though.



A note about libgcrypt's RNG:

   This random number generator is modelled after the one described in
   Peter Gutmann's 1998 Usenix Security Symposium paper: "Software
   Generation of Practically Strong Random Numbers".  See also chapter
   6 in his book "Cryptographic Security Architecture", New York,
   2004, ISBN 0-387-95387-6.

   Note that the acronym CSPRNG stands for "Continuously Seeded
   PseudoRandom Number Generator" as used in Peter's implementation of
   the paper and not only for "Cryptographically Secure PseudoRandom
   Number Generator".

Nowadays CSPRNG is used with the meaning you gave above, which should be
self-evident for cryptographic applications.

The manual has a more detailed description.

Thoughts are free.  Exceptions are regulated by a federal law.
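
The seeding guarantee discussed in the message above, as an added example that is not part of the original post and is not Libgcrypt code: getrandom() with GRND_NONBLOCK returns EAGAIN while the kernel pool is uninitialized, so a caller can fail fast instead of blocking. The helper names and the 32-byte seed size are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>  /* getrandom(), GRND_NONBLOCK: Linux >= 3.17, glibc >= 2.25 */

enum seed_status { SEED_READY = 0, SEED_NOT_READY = 1, SEED_ERROR = -1 };
/* Hypothetical helper: probe the kernel pool without ever blocking. */
enum seed_status kernel_rng_seeded(void)
{
    unsigned char probe;
    ssize_t n;
    do
        n = getrandom(&probe, sizeof probe, GRND_NONBLOCK);
    while (n < 0 && errno == EINTR);
    if (n == (ssize_t)sizeof probe)
        return SEED_READY;
    if (n < 0 && errno == EAGAIN)
        return SEED_NOT_READY;      /* pool not yet initialized */
    return SEED_ERROR;              /* e.g. ENOSYS on an old kernel */
}

/* Hypothetical helper: fill buf completely, or return -1 instead of waiting. */
int fill_random_failfast(void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, GRND_NONBLOCK);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;              /* EAGAIN (unseeded) or another error */
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char seed[32];         /* constructed size, for illustration */
    memset(seed, 0, sizeof seed);
    if (kernel_rng_seeded() != SEED_READY
        || fill_random_failfast(seed, sizeof seed) != 0) {
        fprintf(stderr, "kernel RNG not seeded; refusing to generate a key\n");
        return 1;
    }
    puts("kernel RNG seeded; 32 seed bytes obtained without blocking");
    return 0;
}
```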