[gnutls-dev] Feature request: not really random session keys

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jan 18 13:40:49 CET 2006


On 1/18/06, Florian Weimer <fw at deneb.enyo.de> wrote:
> Okay, the subject line might be a bit misleading.  On server machines,
> random bits are a very scarce resource, and you cannot really afford
> to throw them away at a rate of a few kbps.  Yet if you run certain
> network servers (or clients) with GNUTLS, this is what happens -- and
> these servers stall from time to time, waiting for more randomness.
> I would like to see an additional API which allows code to degrade
> session key randomness to a mere PRNG (i.e. /dev/urandom instead of
> /dev/random).  In a theoretical sense, this sacrifices Perfect Forward
> Secrecy, but for some applications (MTAs, for example) this is not
> such a relevant issue anyway.

Well, gnutls shouldn't use /dev/random in normal server use. For example, if
you use only TLS, /dev/random shouldn't be accessed. Only if you generate
private keys (or RSA parameters) will /dev/random be used.

regards,
Nikos



