Random sources for 150+ hosts

Bjoern Fischer bfischer@Techfak.uni-bielefeld.de
Wed, 16 Aug 2000 01:31:40 +0200


Hello GnuPG users,

we are planning to use GnuPG in a heterogeneous environment:
We need to support 150-200 hosts running Solaris, IRIX or
Tru64 Unix.

We are currently facing the difficulty of finding good random
sources on each host/platform. There are several methods to
debate:

1. On Solaris use /dev/random (Andreas Meier's one, or that
   provided with the SUNWski); on IRIX and Tru64 Unix use
   egd. This requires that egd runs on every machine (except
   Suns). But even if egd runs under its own user id, it
   still consumes resources massively (RAM, CPU,
   administration, etc.). I won't accept this unless everything
   else hurts even more.

2. On Solaris use /dev/random (Andreas Meier's one, or that
   provided with the SUNWski); for IRIX and Tru64 Unix provide
   a "centralized" egd-server via TCP socket. Our network
   environment is fully switched. Not that this ensures 100%
   security but it should be a hurdle against eavesdropping.

3. Implement a /dev/random in hardware, feed random to a
   randomness server and distribute it to all clients.
   This should provide high quality entropy, but this gain
   is damped (or lost at all?) if we send the random data
   unprotected (same as 2).

At first glance 2 and 3 are unacceptable -- distributing random
data over (switched) ethernet without further protection.
But if a bad guy is able to eavesdrop any traffic to and from
a workstation there are many things far more interesting
than random data for encryption purposes. E.g. you may listen
to NFS traffic (homes and most apps NFS mounted), you may
get the private PGP/GPG key and X11 authentication cookies,
then you are able to contact the X11 server and get the pass
phrase.

What if we encrypt this random data? Even when using a weak
encryption, there is no chance to perform a brute force attack,
since there's no way to tell whether an attempt was successful
or not.
   
Suggestions are welcome.

  Björn Fischer

-- 
-----BEGIN GEEK CODE BLOCK-----
GCS d--(+) s++: a- C+++(-) UB++++OSI++++$ P+++(-) L---(++) !E W- N+ o>+
K- !w !O !M !V  PS++  PE-  PGP++  t+++  !5 X++ tv- b+++ D++ G e+ h-- y+ 
------END GEEK CODE BLOCK------
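
The brute-force argument in the last paragraph of the message, as an added example that is not part of the original post and is not GnuPG or egd code: a deliberately weak 16-bit toy cipher (constructed here) is searched exhaustively, and the search narrows to one key only when the observer has a test for a correct decryption. The SHA-256 `tag` is an assumed stand-in for any public value later derived from the served random bytes.

```python
import hashlib
import secrets

KEY_BITS = 16  # deliberately weak toy key space (assumption for this demo)

def keystream(key, n):
    """Toy stream cipher: SHA-256(key || counter) blocks. Not a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        block = key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]

def xor_crypt(key, data):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def surviving_keys(ciphertext, accept):
    """Keys whose trial decryption passes the observer's success test."""
    return [k for k in range(1 << KEY_BITS) if accept(xor_crypt(k, ciphertext))]

def is_printable(p):
    return all(32 <= b < 127 for b in p)

def demo(key=0xBEEF):
    text = b"constructed sample: structured plaintext"
    seed = secrets.token_bytes(32)       # stands in for served random data
    tag = hashlib.sha256(seed).digest()  # assumed public value derived from seed
    return {
        # Structured plaintext: "is it readable?" singles out the key.
        "text": surviving_keys(xor_crypt(key, text), is_printable),
        # Random plaintext, ciphertext only: no structure to test for,
        # so every candidate key remains equally plausible.
        "random_alone": len(surviving_keys(xor_crypt(key, seed), lambda p: True)),
        # Random plaintext plus an observable derived value: a test exists again.
        "random_with_tag": surviving_keys(
            xor_crypt(key, seed), lambda p: hashlib.sha256(p).digest() == tag),
    }

if __name__ == "__main__":
    print(demo())
```
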
