Re: Why does gpg use so much entropy from /dev/random?
On Sun, 31 Mar 2013 11:45, philip.g.pot...@gmail.com said:

> Can anyone shed any light on this? Why does GPG use more entropy than
> /dev/random says it should?

Which /dev/random - there are hundreds of variants of that device all with other glitches. Thus GnuPG has always used /dev/random only as a source of entropy to seed its own RNG:

  This random number generator is loosely modelled after the one described in Peter Gutmann's paper: Software Generation of Practically Strong Random Numbers.@footnote{Also described in chapter 6 of his book Cryptographic Security Architecture, New York, 2004, ISBN 0-387-95387-6.}

  A pool of 600 bytes is used and mixed using the core RIPE-MD160 hash transform function. Several extra features are used to make it robust against a wide variety of attacks and to protect against failures of subsystems. The state of the generator may be saved to a file and initially seeded from a file.

  Depending on how Libgcrypt was built the generator is able to select the best working entropy gathering module. It makes use of the slow and fast collection methods and requires the pool to be initially seeded from the slow gatherer or a seed file. An entropy estimation is used to mix in enough data from the gather modules before returning the actual random output. Process fork detection and protection is implemented.

GPG uses ~/.gnupg/random_seed but it needs to create it first. For generating keys it also makes sure to put in a lot of new entropy just to be safe. Better be safe than sorry (cf. the recent NetBSD problem).

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why does gpg use so much entropy from /dev/random?
Thanks very much, I didn't know about the --gen-random command and the quality level option. I'll have a look at the source code and see if I can understand further.

Can you set the quality level for other generation commands, or just for --gen-random?

On 31 March 2013 18:33, Hauke Laging mailinglis...@hauke-laging.de wrote:
> On Sun 31.03.2013, 10:45:54, Philip Potter wrote:
>> GPG uses /dev/random as its entropy source. It pulls a lot of entropy
>> from this source. More entropy, in fact, than the Linux /dev/random
>> manpage suggests it should. Quoting from the manpage:
>
> I don't know the gpg source, the following (3) is just a guess.
>
>> Recently when generating a 2048-bit key, I got a message that GPG
>> needed 280 *bytes* more entropy. This is far more than 256 bits.
>
> 1) If you don't do anything special then two keys are generated (mainkey and subkey).
>
> 2) A 2048 bit RSA key is supposed to be as secure as a 112 bit symmetric key. I don't know whether you can map a 112 bit symmetric key directly to RSA key values. You need to find primes after all. Maybe the algorithm to do that consumes additional entropy.
>
> 3) Who knows how random the /dev/random output really is? I guess that the entropy quality can be increased by consuming more (make one good bit from 16 bad bits).
>
> strace -e trace=open,read gpg --armor --gen-random 0 16
> [...]
> open(/dev/urandom, O_RDONLY) = 3
> read(3, \332\376J\314\1[\357\n7ee\303\372\3555h, 16) = 16
>
> strace -e trace=open,read gpg --armor --gen-random 1 16
> [...]
> open(/dev/urandom, O_RDONLY) = 3
> read(3, \3471=\307+n\3656\204\31!\232\270\303\324[, 16) = 16
>
> (Strange. Werner, have I found a bug? :-) )
>
> strace -e trace=open,read gpg --armor --gen-random 2 16
> [...]
> open(/dev/random, O_RDONLY) = 4
> read(4, \1\362P\231.., 300) = 128
> read(4, +7m\2314|\353.., 172) = 128
> read(4, \233\272~\237\.., 44) = 44
>
> So we see: If high quality entropy is required then gpg reads (128+128+44)/16=18.75 times as much entropy from /dev/random as demanded.
>
> Hauke
> --
> ☺
> PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
> http://www.openpgp-schulungen.de/
Re: Why does gpg use so much entropy from /dev/random?
On Mon 01.04.2013, 10:53:02, Philip Potter wrote:

> Can you set the quality level for other generation commands, or just for
> --gen-random?

None that I know of. Doesn't make sense elsewhere IMHO, too.

Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
Why does gpg use so much entropy from /dev/random?
This is related to another current thread, but I think this deserves its own.

GPG uses /dev/random as its entropy source. It pulls a lot of entropy from this source. More entropy, in fact, than the Linux /dev/random manpage suggests it should. Quoting from the manpage:

  While some safety margin above that minimum is reasonable, as a guard against flaws in the CPRNG algorithm, no cryptographic primitive available today can hope to promise more than 256 bits of security, so if any program reads more than 256 bits (32 bytes) from the kernel random pool per invocation, or per reasonable reseed interval (not less than one minute), that should be taken as a sign that its cryptography is not skilfully implemented.

Recently when generating a 2048-bit key, I got a message that GPG needed 280 *bytes* more entropy. This is far more than 256 bits.

I am not an expert in cryptography, so I am in no position to pass judgement on GPG or on /dev/random; however, it seems to me that GPG's implementation disagrees with /dev/random's manpage.

Can anyone shed any light on this? Why does GPG use more entropy than /dev/random says it should?

(I've written down these thoughts in more detail at http://rhebus.posterous.com/why-does-gpg-need-so-much-entropy -- sadly, this link will expire in a month when posterous shuts down)

Phil
Re: Why does gpg use so much entropy from /dev/random?
On Sun 31.03.2013, 10:45:54, Philip Potter wrote:

> GPG uses /dev/random as its entropy source. It pulls a lot of entropy
> from this source. More entropy, in fact, than the Linux /dev/random
> manpage suggests it should. Quoting from the manpage:

I don't know the gpg source, the following (3) is just a guess.

> Recently when generating a 2048-bit key, I got a message that GPG
> needed 280 *bytes* more entropy. This is far more than 256 bits.

1) If you don't do anything special then two keys are generated (mainkey and subkey).

2) A 2048 bit RSA key is supposed to be as secure as a 112 bit symmetric key. I don't know whether you can map a 112 bit symmetric key directly to RSA key values. You need to find primes after all. Maybe the algorithm to do that consumes additional entropy.

3) Who knows how random the /dev/random output really is? I guess that the entropy quality can be increased by consuming more (make one good bit from 16 bad bits).

strace -e trace=open,read gpg --armor --gen-random 0 16
[...]
open(/dev/urandom, O_RDONLY) = 3
read(3, \332\376J\314\1[\357\n7ee\303\372\3555h, 16) = 16

strace -e trace=open,read gpg --armor --gen-random 1 16
[...]
open(/dev/urandom, O_RDONLY) = 3
read(3, \3471=\307+n\3656\204\31!\232\270\303\324[, 16) = 16

(Strange. Werner, have I found a bug? :-) )

strace -e trace=open,read gpg --armor --gen-random 2 16
[...]
open(/dev/random, O_RDONLY) = 4
read(4, \1\362P\231.., 300) = 128
read(4, +7m\2314|\353.., 172) = 128
read(4, \233\272~\237\.., 44) = 44

So we see: If high quality entropy is required then gpg reads (128+128+44)/16=18.75 times as much entropy from /dev/random as demanded.

Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
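
The byte accounting done by hand at the end of the message above, as an added example that is not part of the original thread: a parser that maps file descriptors to paths from strace's open() lines and sums what each read() actually returned. The sample trace is constructed from the level-2 output quoted in the thread, with a few extra lines to exercise edge cases; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the level-2 reads quoted in the thread, with the string
# quoting strace prints, plus an fd-3 urandom read, a failed read and an
# unrelated descriptor to exercise the parser.
SAMPLE_TRACE = r'''
open("/dev/urandom", O_RDONLY) = 3
read(3, "\332\376J\314\1[\357\n7ee\303"..., 16) = 16
open("/dev/random", O_RDONLY) = 4
read(4, "\1\362P\231"..., 300) = 128
read(4, "+7m\2314|\353"..., 172) = 128
read(4, 0x7ffc2a5e1c40, 44) = -1 EINTR (Interrupted system call)
read(4, "\233\272~\237"..., 44) = 44
read(5, "unrelated", 9) = 9
'''

OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+)".*\)\s+=\s+(\d+)')
READ_RE = re.compile(r'\bread\((\d+),.*\)\s+=\s+(-?\d+)')
CLOSE_RE = re.compile(r'\bclose\((\d+)\)\s+=\s+0')
RNG_DEVICES = ("/dev/random", "/dev/urandom")


def bytes_read_per_device(trace):
    """Sum the bytes each RNG device actually delivered (read() return values)."""
    fd_path = {}                      # live descriptor -> path it was opened on
    totals = defaultdict(int)
    for line in trace.splitlines():
        if m := OPEN_RE.search(line):
            fd_path[int(m.group(2))] = m.group(1)
        elif m := CLOSE_RE.search(line):
            fd_path.pop(int(m.group(1)), None)   # fd numbers get reused
        elif m := READ_RE.search(line):
            path, got = fd_path.get(int(m.group(1))), int(m.group(2))
            if path in RNG_DEVICES and got > 0:  # skip errors and other files
                totals[path] += got
    return dict(totals)


def amplification(trace, requested, device="/dev/random"):
    """Bytes pulled from `device` per byte of output the caller asked for."""
    return bytes_read_per_device(trace).get(device, 0) / requested


if __name__ == "__main__":
    print(bytes_read_per_device(SAMPLE_TRACE))
    print(amplification(SAMPLE_TRACE, requested=16))
```

The totals use the return value of each read(), not the requested length, because the blocking device delivered at most 128 bytes per call in the trace and the remainder was requested again.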