Re: Why does gpg use so much entropy from /dev/random?

2013-04-02 Thread Werner Koch
On Sun, 31 Mar 2013 11:45, philip.g.pot...@gmail.com said:

> Can anyone shed any light on this? Why does GPG use more entropy than
> /dev/random says it should?

Which /dev/random - there are hundreds of variants of that device all
with other glitches.  Thus GnuPG has always used /dev/random only as a
source of entropy to seed its own RNG:

  This random number generator is loosely modelled after the one
  described in Peter Gutmann's paper: Software Generation of
  Practically Strong Random Numbers.@footnote{Also described in chapter
  6 of his book Cryptographic Security Architecture, New York, 2004,
  ISBN 0-387-95387-6.}
  
  A pool of 600 bytes is used and mixed using the core RIPE-MD160 hash
  transform function.  Several extra features are used to make it
  robust against a wide variety of attacks and to protect against
  failures of subsystems.  The state of the generator may be saved to a
  file and initially seeded from a file.
  
  Depending on how Libgcrypt was built the generator is able to select
  the best working entropy gathering module.  It makes use of the slow
  and fast collection methods and requires the pool to be initially seeded
  from the slow gatherer or a seed file.  An entropy estimation is used
  to mix in enough data from the gather modules before returning the
  actual random output.  Process fork detection and protection is
  implemented.
  
GPG uses ~/.gnupg/random_seed but it needs to create it first.  For
generating keys it also makes sure to put in a lot of new entropy just
to be safe.  Better be safe than sorry (cf. the recent NetBSD problem).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why does gpg use so much entropy from /dev/random?

2013-04-01 Thread Philip Potter
Thanks very much, I didn't know about the --gen-random command and the
quality level option. I'll have a look at the source code and see if I can
understand further.

Can you set the quality level for other generation commands, or just for
--gen-random?


On 31 March 2013 18:33, Hauke Laging mailinglis...@hauke-laging.de wrote:

> On Sun 31.03.2013, 10:45:54, Philip Potter wrote:
>
> > GPG uses /dev/random as its entropy source. It pulls a lot of entropy from
> > this source. More entropy, in fact, than the linux /dev/random manpage
> > suggests it should. Quoting from the manpage:
>
> I don't know the gpg source, the following (3) is just a guess.
>
> > Recently when generating a 2048-bit key, I got a message that GPG needed
> > 280 *bytes* more entropy. This is far more than 256 bits.
>
> 1) If you don't do anything special then two keys are generated (mainkey and
> subkey).
>
> 2) A 2048 bit RSA key is supposed to be as secure as a 112 bit symmetric key.
> I don't know whether you can map a 112 bit symmetric key directly to RSA key
> values. You need to find primes after all. Maybe the algorithm to do that
> consumes additional entropy.
>
> 3) Who knows how random the /dev/random output really is? I guess that the
> entropy quality can be increased by consuming more (make one good bit from 16
> bad bits).
>
> strace -e trace=open,read gpg --armor --gen-random 0 16
> [...]
> open(/dev/urandom, O_RDONLY)  = 3
> read(3, \332\376J\314\1[\357\n7ee\303\372\3555h, 16) = 16
>
> strace -e trace=open,read gpg --armor --gen-random 1 16
> [...]
> open(/dev/urandom, O_RDONLY)  = 3
> read(3, \3471=\307+n\3656\204\31!\232\270\303\324[, 16) = 16
>
> (Strange. Werner, have I found a bug? :-)  )
>
> strace -e trace=open,read gpg --armor --gen-random 2 16
> [...]
> open(/dev/random, O_RDONLY)   = 4
> read(4, \1\362P\231.., 300) = 128
> read(4, +7m\2314|\353.., 172) = 128
> read(4, \233\272~\237\.., 44) = 44
>
> So we see: If high quality entropy is required then gpg reads
> (128+128+44)/16=18.75 times as much entropy from /dev/random as demanded.
>
> Hauke
> --
> ☺
> PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
> http://www.openpgp-schulungen.de/



Re: Why does gpg use so much entropy from /dev/random?

2013-04-01 Thread Hauke Laging
On Mon 01.04.2013, 10:53:02, Philip Potter wrote:

> Can you set the quality level for other generation commands, or just for
> --gen-random?

None that I know of. Doesn't make sense elsewhere IMHO, too.


Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/




Why does gpg use so much entropy from /dev/random?

2013-03-31 Thread Philip Potter
This is related to another current thread, but I think this deserves its
own.

GPG uses /dev/random as its entropy source. It pulls a lot of entropy from
this source. More entropy, in fact, than the linux /dev/random manpage
suggests it should. Quoting from the manpage:

While some safety margin above that minimum is reasonable, as a guard
against flaws in the CPRNG algorithm, no cryptographic primitive available
today can hope to promise more than 256 bits of security, so if any program
reads more than 256 bits (32 bytes) from the kernel random pool per
invocation, or per reasonable reseed interval (not less than one minute),
that should be taken as a sign that its cryptography is not skilfully
implemented.

Recently when generating a 2048-bit key, I got a message that GPG needed
280 *bytes* more entropy. This is far more than 256 bits.

I am not an expert in cryptography, so I am in no position to pass
judgement on GPG or on /dev/random; however, it seems to me that GPG's
implementation disagrees with /dev/random's manpage.

Can anyone shed any light on this? Why does GPG use more entropy than
/dev/random says it should?

(I've written down these thoughts in more detail at
http://rhebus.posterous.com/why-does-gpg-need-so-much-entropy -- sadly,
this link will expire in a month when posterous shuts down)

Phil


Re: Why does gpg use so much entropy from /dev/random?

2013-03-31 Thread Hauke Laging
On Sun 31.03.2013, 10:45:54, Philip Potter wrote:

> GPG uses /dev/random as its entropy source. It pulls a lot of entropy from
> this source. More entropy, in fact, than the linux /dev/random manpage
> suggests it should. Quoting from the manpage:

I don't know the gpg source, the following (3) is just a guess.


> Recently when generating a 2048-bit key, I got a message that GPG needed
> 280 *bytes* more entropy. This is far more than 256 bits.

1) If you don't do anything special then two keys are generated (mainkey and
subkey).

2) A 2048 bit RSA key is supposed to be as secure as a 112 bit symmetric key.
I don't know whether you can map a 112 bit symmetric key directly to RSA key
values. You need to find primes after all. Maybe the algorithm to do that
consumes additional entropy.

3) Who knows how random the /dev/random output really is? I guess that the
entropy quality can be increased by consuming more (make one good bit from 16
bad bits).

strace -e trace=open,read gpg --armor --gen-random 0 16
[...]
open(/dev/urandom, O_RDONLY)  = 3
read(3, \332\376J\314\1[\357\n7ee\303\372\3555h, 16) = 16


strace -e trace=open,read gpg --armor --gen-random 1 16
[...]
open(/dev/urandom, O_RDONLY)  = 3
read(3, \3471=\307+n\3656\204\31!\232\270\303\324[, 16) = 16

(Strange. Werner, have I found a bug? :-)  )


strace -e trace=open,read gpg --armor --gen-random 2 16
[...]
open(/dev/random, O_RDONLY)   = 4
read(4, \1\362P\231.., 300) = 128
read(4, +7m\2314|\353.., 172) = 128
read(4, \233\272~\237\.., 44) = 44

So we see: If high quality entropy is required then gpg reads
(128+128+44)/16=18.75 times as much entropy from /dev/random as demanded.


Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
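
Added example, not part of the original post and not GnuPG code: a small parser that redoes the measurement from the strace runs above by mapping each file descriptor to the device it was opened on and totalling the bytes each read() returned. The names `summarize` and `amplification` are hypothetical, and `SAMPLE` is constructed: its first four lines mirror the quality-level-2 trace in the post, the last two are made up in current strace format (openat, quoted strings).

```python
import re
from collections import defaultdict

# open()/openat(), path quoted (real strace) or unquoted (as archived here).
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD,\s*)?"?([^",]+)"?,.*\)\s*=\s*(-?\d+)')
# read(fd, <buffer>, requested) = returned. The buffer may contain commas and
# quotes, so the greedy .* anchors on the last ", N) = M" of the line.
READ_RE = re.compile(r'^read\((\d+),.*,\s*(\d+)\)\s*=\s*(-?\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*0')

# Constructed sample input (see lead-in).
SAMPLE = r'''
open(/dev/random, O_RDONLY)   = 4
read(4, \1\362P\231.., 300) = 128
read(4, +7m\2314|\353.., 172) = 128
read(4, \233\272~\237\.., 44) = 44
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 3
read(3, "\332\376J\314"..., 16) = 16
'''

def summarize(trace):
    """Return {path: {"calls", "max_request", "returned"}} for traced reads."""
    fd_path = {}
    stats = defaultdict(lambda: {"calls": 0, "max_request": 0, "returned": 0})
    for line in trace.splitlines():
        line = line.strip()
        if m := OPEN_RE.match(line):
            if int(m.group(2)) >= 0:            # skip failed opens (= -1 ...)
                fd_path[int(m.group(2))] = m.group(1)
        elif m := CLOSE_RE.match(line):
            fd_path.pop(int(m.group(1)), None)  # fd numbers get reused
        elif m := READ_RE.match(line):
            fd, asked, got = (int(g) for g in m.groups())
            if fd in fd_path and got >= 0:      # ignore failed reads
                s = stats[fd_path[fd]]
                s["calls"] += 1
                # Short reads are retried for the remainder, so the largest
                # single request is the amount the caller wanted in total.
                s["max_request"] = max(s["max_request"], asked)
                s["returned"] += got
    return dict(stats)

def amplification(trace, device, demanded):
    """Bytes actually read from `device` per byte of output demanded."""
    return summarize(trace).get(device, {"returned": 0})["returned"] / demanded

if __name__ == "__main__":
    print(summarize(SAMPLE), amplification(SAMPLE, "/dev/random", 16))
```

On the sample, the three short reads from /dev/random add up to the 300 bytes asked for in the first call, which is the 18.75x figure computed in the post for 16 bytes of output.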

