How does Windows GnuPG generate random numbers on keygen?
Ryan Malayter
rmalayter@bai.org
Fri Feb 15 23:14:02 2002
From: Peter Constantinidis
>How can we find out what it uses?
>
>I'm also wondering if this means usage of GnuPG
>on non-unix systems is insecure as Sam Simpson's
>RSA v.s. DH faq mentions GnuPG and says due to the
>random number generator it should not be used 'in ernest'
>on non-unix systems which I read as a polite way to
>say 'not trustworthy'.
I downloaded the GnuPG 1.06 source, and looked at the file rndw32.c.
It appears that GnuPG doesn't use CryptoAPI for random generation on Windows
at all. This is understandable. GnuPG is open-source, and it wouldn't want
to trust a closed-source program for something as security-critical as an
entropy gatherer.
What GnuPG does do is read a multitude of performance counters and system
timers, check for # of bytes free in memory and on disk, and hash all the
results together with the random_seed file. One could argue that these
closed-source sources of data are just as suspect as CryptoAPI, but
whatever. The basic RNG design appears to use a fast pool / slow pool scheme
similar to that used in the very secure Yarrow RNG. See
http://www.counterpane.com/yarrow.html for more details.
All in all, I think this is a pretty good entropy collection mechanism.
Although I would like to see GnuPG use the hardware RNG present in newer
Intel chipsets, I don't think Intel supports accesssing it through anything
other than CryptoAPI. Maybe I'm wrong.
I'd also like an option in GnuPG to distill entropy from the noise of a
sound card with a disconnected microphone, but I suppose that, too is asking
a bit much of Werner and Co.
-ryan-
::::::::::::::::::::::::::::::
A fanatic is one who can't change his mind and won't change the subject.
-Sir winston Churchill
::::Original Message::::
From: Ryan Malayter
Sent: Friday, February 15, 2002 3:17 PM
To: 'Peter Constantinidis'
Subject: RE: How does Windows GnuPG generate random numbers on keygen?
You can look at the source code to find out if it uses CryptoAPI. I don't
think it does.
I couldn't find any mention of GnuPG in Sam Simpson's FAQ, but I know that
GnuPG uses it own a random seed file and conservative entropy estimates when
generating keys. It will wait for keyboard interrupts, mouse movements, etc,
to make sure it has enough entropy.
GnuPG (and PGP) work securely even without an OS-level secure RNG. When a
random number is requested, some portion of the random seed file, some
system counters and clock data, and some keyboard and mouse timing events
are collected and hashed with SHA-1. Some of the results are hashed again,
and inserted into random seed to replace the 'used' entropy with 'new'
entropy. This is pretty secure, as long as your memory contents or random
seed file are not compromised.
::::Original Message::::
From: Peter Constantinidis [mailto:peter@constantinidis.ca]
Sent: Tuesday, February 12, 2002 6:13 PM
To: Ryan Malayter
Subject: Re: How does Windows GnuPG generate random numbers on keygen?
>The Windows CryptoAPI provides a pretty good system entropy pool, much
>like /dev/rand does on Linux systems. You access this pool with the
>CryptGenRandom API call, although I don't believe the Windows version
>of GnuPG uses it.
How can we find out what it uses?
I'm also wondering if this means usage of GnuPG on non-unix systems is
insecure as Sam Simpson's RSA v.s. DH faq mentions GnuPG and says due to the
random number generator it should not be used 'in ernest' on non-unix
systems which I read as a polite way to say 'not trustworthy'.
If someone could clarify all this that would be excellent.
Best,
P.