Question about random number generation

Vikram Ravindran ravindr@ecf.utoronto.ca
Sun Sep 29 17:12:01 2002


Hello,

Recently, I was looking at the different methods that gnupg used for
random number generation. There is the linux module, which uses
/dev/random, the unix and win32 modules, which use miscellaneous system
numbers for randomness, and the egd module, which uses a perl script to
collect random data on its behalf.

In PGP, on the other hand, the program asks the user to type on the
keyboard, and PGP times the interval between keystrokes and uses that to
generate random numbers. This seems to be a more portable way of going
about things, as the current set of modules assumes that certain files
will be located in certain places, so if you compile gnupg on a platform
which does not support any other random module, you end up with a "lame
duck" copy of gnupg which tags all your keys as "INSECURE" due to lack of
randomness. PGP, on the other hand, can even run under DOS, where there is
no easy way to automatically generate randomness (as far as I can tell).

Is there a random module available that generates entropy based on user
keyboard timings? Was the idea considered and rejected for security or
other reasons? I tried looking for this question in the FAQ, and could not
find it.

Thank you,
Vikram Ravindran
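
The keystroke-timing approach described in the message, sketched as an added example (not part of the original post, and not PGP's or GnuPG's code). The class and function names, the 4-bit per-keystroke cap, the microsecond granularity and the sample intervals are all assumptions made for this illustration. Every keystroke is mixed into a hashed pool, but entropy is credited only for irregular timing.

```python
import hashlib

MAX_BITS_PER_KEY = 4  # assumed cap on entropy credited per keystroke

class KeystrokePool:
    """Hypothetical pool: mixes every keystroke, credits only timing jitter."""

    def __init__(self):
        self._state = hashlib.sha256(b"keystroke-pool").digest()
        self._seen = self._last_t = self._last_d = self._last_d2 = 0
        self.credited_bits = 0

    def add_keystroke(self, t_ns, keycode):
        # Mixing a sample never weakens the pool; only crediting can be unsafe.
        sample = t_ns.to_bytes(8, "big") + bytes([keycode & 0xFF])
        self._state = hashlib.sha256(self._state + sample).digest()
        d = t_ns - self._last_t if self._seen else 0
        d2 = d - self._last_d
        d3 = d2 - self._last_d2
        self._seen, self._last_t = self._seen + 1, t_ns
        self._last_d, self._last_d2 = d, d2
        if self._seen < 4:          # d, d2 and d3 are not all valid yet
            return 0
        # Credit from the smallest difference (in microseconds), so evenly
        # spaced input such as key auto-repeat earns nothing.
        jitter_us = min(abs(d), abs(d2), abs(d3)) // 1000
        bits = min(jitter_us.bit_length(), MAX_BITS_PER_KEY)
        self.credited_bits += bits
        return bits

    def extract(self, nbytes=16):
        if self.credited_bits < nbytes * 8:
            raise RuntimeError("not enough entropy credited; keep typing")
        self.credited_bits -= nbytes * 8
        out = hashlib.sha256(b"out" + self._state).digest()[:nbytes]
        self._state = hashlib.sha256(b"next" + self._state).digest()
        return out

def feed(pool, intervals_us, keycode=0x41):
    """Replay keystrokes separated by the given intervals; return bits credited."""
    t_ns, total = 0, pool.add_keystroke(0, keycode)
    for gap in intervals_us:
        t_ns += gap * 1000
        total += pool.add_keystroke(t_ns, keycode)
    return total

# Constructed sample data, not measurements from a real keyboard.
TYPED_US = [112_431, 187_902, 95_377, 240_118, 143_006, 171_559, 88_240, 205_713]
AUTOREPEAT_US = [33_000] * 40

if __name__ == "__main__":
    print("typed:", feed(KeystrokePool(), TYPED_US), "bits")
    print("auto-repeat:", feed(KeystrokePool(), AUTOREPEAT_US), "bits")
```

The estimator is a heuristic, not a proof of unpredictability: a replayed or scripted sequence with irregular gaps would still be credited, so the pool is only as strong as the assumption that a person is actually typing.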