Random Seed for Generating PGP Keys

NIIBE Yutaka gniibe at fsij.org
Thu May 28 03:12:06 CEST 2015


On 05/27/2015 10:14 PM, George Lee wrote:
> I'm not trying to generate multiple random numbers, but just generate a PGP
> key one time in a way that is very hard to crack by basing it on a one-time
> seed generated manually in a reliably random way.

I'd understand your point.  I interpret it as: you would like to
control your computing, especially around cryptography, specifically
your PGP key.

I also would understand your (kind of) frustration at not being able to
get a direct answer.  People give different opinions.

I think that more knobs for finer control/tuning don't work well
here (the risk of bad configuration would be huge), and that would be
a reason why GnuPG/libgcrypt has an interface to replace its random
generation process by an external input.

> I know that a CSPRNG is supposed to make this cryptographically
> secure, but (and correct me if I'm wrong) it seems that some one-time
> offline truly random process (like rolling a thousand non-biased coins by a
> no-biased person) is guaranteed to be more random than any HWRNG or
> software RNG that might actually have correlations you're not aware of.

I think that modern HWRNG implementations should be more than "rolling
a thousand non-biased coins by a no-biased person".  The generation
speed of HWRNG is far better than an experiment by a person, and it is
(usually) tested by modern empirical statistical testing.  Modern
empirical statistical testing checks/requires gigabytes of random
number sequence, at least, or terabytes.  I don't think it is
practical for an experiment by a person to ask for generating even
megabytes of sequence to test.

I think that if your point is bias of correlations, no person can beat
modern HWRNG.

> also seems less susceptible to somebody using knowledge of the software or
> number-generating process to better crack what numbers you used.


The question here is the likelihood of back door(s).  Even if the
sequence is tested by modern empirical statistical testing with
terabytes and it says no bias and no correlations, it is possible someone
else has (more) knowledge than a user and can guess the sequence
(forward or backward).

> (1) Is there a way to seed the random number generators used by GnuPG with
> a one-time manually entered seed?

Although I don't recommend doing it, you can modify the file:
.gnupg/random_seed (the binary file).

Alternatively, you can feed to /dev/random to stir the system random
pool.  Then, you can indirectly feed your entropy for the generation
of GPG key.

In my Debian GNU/Linux, I can do:

    $ cat > /dev/random

In this way, I can enter anything (say, the result of a coin experiment
in any encoding, in any language, in any format) to stir the system
random pool.  No, this doesn't increase the value of
/proc/sys/kernel/random/entropy_avail; we can just stir it.

If you would like better control of it, please see the manual of
random(4) to write a program using ioctl with RNDADDENTROPY.  Then,
you can increase /proc/sys/kernel/random/entropy_avail.

Besides, there is a file /var/lib/random-seed (in my Debian).  You can
edit this file (by root) if you really would like to do so.

The reason why I don't recommend modifying /var/lib/random-seed or
.gnupg/random_seed directly is that there will be more chance of making
errors in the modification (than of getting a better result).

> (2) Is there a way to seed any of the random number generators people have
> mentioned in this thread, with a one-time manually entered seed?

I don't know any HWRNG products with a manually entered seed, but in the
standard document, it is addressed that keyed hash/encryption can be
used (instead of normal hash/encryption) as the conditioning component.
(The conditioning component is the component that removes bias.)

So, in theory, it is possible to add such a feature.

> (3) Is there a way to have GnuPG use a different random number generator
> like the ones people mentioned on this thread?

No, I don't think so.

Alternatively, you can feed to /dev/random from any random number generator.

If you don't want to use /dev/random and the GnuPG implementation to
generate a GPG key, I think that it is still possible to write a small
program to generate an OpenPGP key.

> (4) Of the random number generators mentioned in this thread, which are
> cryptographically secure?

Do you mean something like:

    A PRBG that passes the next-bit test (possibly under some
    plausible but un-proved mathematical assumption such as the
    intractability of factoring integers) is called a
    cryptographically secure pseudorandom bit generator (CSPRBG).

in Chapter 5, Pseudorandom Bits and Sequences of HAC [0]?
Please note that it is for pseudorandom generators, but we can
consider similar criteria.

Any modern HWRNG, the system's /dev/random, or the structure of GnuPG's
random generation process all use a similar component to prevent
possible attacks that guess their random number sequence.

[0] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied
    Cryptography, CRC Press, 1996. http://cacr.uwaterloo.ca/hac/
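
The RNDADDENTROPY route from random(4) mentioned in the message, written out as a C program. This is an added example, not code from the original post or from GnuPG; the function names pack_flips and credit_entropy are hypothetical. It assumes the input holds only H/T (or 1/0) characters and whitespace, credits one bit per flip (valid only for fair, independent flips), and must run as root.

```c
#include <fcntl.h>
#include <linux/random.h>   /* RNDADDENTROPY, struct rand_pool_info */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Pack H/T (or 1/0) characters into bytes, most significant bit first.
 * Other characters are skipped.  Returns the number of flips packed,
 * or -1 if they do not fit in cap bytes. */
int pack_flips(const char *s, unsigned char *out, size_t cap)
{
    int nbits = 0;
    memset(out, 0, cap);
    for (; *s; s++) {
        int bit;
        if (*s == 'H' || *s == 'h' || *s == '1') bit = 1;
        else if (*s == 'T' || *s == 't' || *s == '0') bit = 0;
        else continue;
        if ((size_t)nbits / 8 >= cap) return -1;
        if (bit) out[nbits / 8] |= (unsigned char)(0x80 >> (nbits % 8));
        nbits++;
    }
    return nbits;
}

/* Mix buf into the kernel pool and credit `bits` of entropy.
 * Needs CAP_SYS_ADMIN.  Returns 0 on success, -1 on error (errno set). */
int credit_entropy(const unsigned char *buf, int nbytes, int bits)
{
    struct rand_pool_info *info = malloc(sizeof(*info) + nbytes);
    int fd, rc = -1;
    if (!info) return -1;
    info->entropy_count = bits;     /* never claim more than the input holds */
    info->buf_size = nbytes;        /* size of the payload in bytes */
    memcpy(info->buf, buf, nbytes);
    fd = open("/dev/random", O_WRONLY);
    if (fd >= 0) { rc = ioctl(fd, RNDADDENTROPY, info); close(fd); }
    free(info);
    return rc;
}

int main(void)
{
    char text[4096];
    unsigned char buf[512];         /* 4095 flips fit in 512 bytes */
    size_t n = fread(text, 1, sizeof(text) - 1, stdin);
    text[n] = '\0';
    int bits = pack_flips(text, buf, sizeof(buf));
    if (bits <= 0) { fprintf(stderr, "no coin flips read\n"); return 1; }
    if (credit_entropy(buf, (bits + 7) / 8, bits) != 0) { perror("RNDADDENTROPY"); return 1; }
    printf("credited %d bits\n", bits);
    return 0;
}
```

Unlike `cat > /dev/random`, this call also credits the stated number of bits, so the count passed in should reflect only flips that were actually fair and independent.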
