Random sources for 150+ hosts
Wed, 16 Aug 2000 01:31:40 +0200
Hello GnuPG users,
we are planning to use GnuPG in a heterogenous environment:
We need to support 150-200 hosts running Solaris, IRIX or
We are currently facing the difficulty to find good random
sources on each host/platform. There are several methods to
1. On Solaris use /dev/random (Andreas Meier's one, or that
provided with the SUNWski); on IRIX and Tru64 Unix use
egd. This requires that egd runs on every machine (except
Suns). But even if egd runs under it's own user id, it
still consumes resources massively (RAM, CPU,
administration, etc.). I won't accept this unless everything
else hurts even more.
2. On Solaris use /dev/random (Andreas Meier's one, or that
provided with the SUNWski); for IRIX and Tru64 Unix provide
a "centralized" egd-server via TCP socket. Our network
environment is fully switched. Not that this ensures 100%
security but it should be a hurdle against eavesdropping.
3. Implement a /dev/random in hardware, feed random to a
randomness server and distribute it to all clients.
This should provide high quality entropy, but this gain
is damped (or lost at all?) if we send the random data
unprotected (same as 2).
At first glance 2 and 3 are inacceptable -- distributing random
data over (switched) ethernet without further protection.
But if bad guy is able to eavesdrop any traffic to and from
a workstation there are many things far more interesting
than random data for encryption purposes. E.g. you may listen
to NFS traffic (homes and most apps NFS mounted), you may
get the private PGP/GPG key and X11 authentication cookies,
then you are able to contact the X11 server and get the pass
What if we encrypt this random data? Even when using a weak
encryption, there is no chance to perform a brute force attack,
since there's no way to tell whether an attempt was successful
Suggestions are welcome.
-----BEGIN GEEK CODE BLOCK-----
GCS d--(+) s++: a- C+++(-) UB++++OSI++++$ P+++(-) L---(++) !E W- N+ o>+
K- !w !O !M !V PS++ PE- PGP++ t+++ !5 X++ tv- b+++ D++ G e+ h-- y+
------END GEEK CODE BLOCK------
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org