When is the blocking RNG called?

Enzo Michelangeli em at who.net
Fri Nov 24 09:59:42 CET 2000 

----- Original Message -----
From: "Werner Koch" <wk at gnupg.org>
To: <gnupg-devel at gnupg.org>
Sent: Thursday, November 23, 2000 3:42 PM
Subject: Re: When is the blocking RNG called?


> Fo key generation we make sure to get better entropy by requiring 2
> things: The pool must have been filled up to 50% with /dev/random
> stuff _and_ we put at least so much /dev/random bytes into the pool
> as we are going to retrieve for key generation.  This is somewhat
> optimized by keeping a pool_balance counter which is inncremented
> for ever new byte from /dev/random and decremented for every byte of
> random we exract from the pool (either quality 1 or 2).

This will work, but I tend to see it as overkill. I'm pretty happy with a
PRNG for just every task, as long as two conditions be satisfied:

1) It must be impossible to guess its future output without knowing its
internal state
(which implies: 1.1 It must be impossible to guess its internal state from
its output)
2) The PRNG is initially seeded with a sufficient amount of entropy

In this case, the generator is as good as a true RNG. It may be prudent to
be more conservative because the condition 1) is difficult to ascertain, but
under the theoretical point of view it is impossible to "deplete the entropy
pool" of a good PRNG by just extracting bits, because entropy is only
reduced when information on the internal state is gained, and that's
excluded by 1.1 .

The most serious problem is the initial seeding required by 2): it can only
be ensured efficiently if the generator is run as a separate daemon process.
I would favour a third type of pseudo-device, say /dev/xrandom, behaving
like /dev/random until it had gathered enough entropy, then changing its
behaviour to emulate /dev/urandom. That could be also implemented in EGD.

> I'd really like to have some cheap hardware RNG to improve this a
> bit. I am currently thinking of building such a thing combined with
> the Dallas 2480 driver chip which is used to access iButtons and it
> should fit well into a serial or USB adapter.

The new Java iButton DS1957 (USD 27. a piece) has a built-in PRNG, which
also allows it to generate keys internally (a plus for security). Dallas for
it has serial, parallel and USB adapters at very reasonable prices (USD 5.),
and free PKCS#11 drivers.

Enzo





---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.209 / Virus Database: 99 - Release Date: 11/2/2000

More information about the Gnupg-devel mailing list