[gnutls-dev] Re: Feature request: not really random session keys

Werner Koch wk at gnupg.org
Tue Jan 31 10:29:12 CET 2006


On Mon, 30 Jan 2006 17:51:01 +0100, Simon Josefsson said:

> Should we write a simple daemon 'grngd', based on libgcrypt, and start
> to use it?  That should be simple.  It should likely register two

I already talked about this.  The problem is that we can't be sure
that no traces of the random bytes are left in internal kernel
buffers.  

That won't be a problem for me if it is about session keys but for
long term keys I'd hesitate to use an IPC mechanism to get the key
material to the application.

All that is actually needed is to make sure that Libgcrypt saves and
restores its own random pool reliably without producing random zero-length
files (which is easy to fix).  And not using
GCRY_VERY_STRONG_RANDOM.


Shalom-Salam,

   Werner
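As an added example (not libgcrypt's or GnuTLS's own code), the save/restore pattern the reply alludes to: a seed file written atomically via a temp file, fsync and rename so that a crash mid-write can never leave a zero-length file behind, and a loader that refuses an empty or truncated file instead of seeding from it. The path, pool size and pool contents are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#define SEED_LEN 32 /* constructed pool size for the demo, not libgcrypt's */

/* Save atomically (temp file + fsync + rename): a crash at any point leaves
 * the old seed file or the complete new one, never an empty or partial one. */
int save_seed_file(const char *path, const unsigned char *pool, size_t len)
{
    char tmp[4096]; size_t off = 0; int fd, ok;
    if (len == 0 || snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;                          /* never persist an empty pool */
    fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    while (off < len) {                     /* handle short writes */
        ssize_t n = write(fd, pool + off, len - off);
        if (n <= 0) { close(fd); unlink(tmp); return -1; }
        off += (size_t)n;
    }
    ok = fsync(fd) == 0;                    /* bytes on disk before the rename */
    if (close(fd) != 0) ok = 0;
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}
/* Load exactly len bytes; a missing, empty or truncated file yields -1. */
long load_seed_file(const char *path, unsigned char *pool, size_t len)
{
    struct stat st; size_t off = 0; int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_size != (off_t)len) { close(fd); return -1; }
    while (off < len) {
        ssize_t n = read(fd, pool + off, len - off);
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    close(fd); return (long)off;
}

/* Demo: round-trip a constructed pool, then confirm a zero-length file is rejected. */
int seed_file_demo(const char *path)
{
    unsigned char pool[SEED_LEN], back[SEED_LEN];
    for (int i = 0; i < SEED_LEN; i++) pool[i] = (unsigned char)(i * 7 + 3);
    if (save_seed_file(path, pool, SEED_LEN) != 0) return 0;
    if (load_seed_file(path, back, SEED_LEN) != SEED_LEN || memcmp(pool, back, SEED_LEN)) return 0;
    if (truncate(path, 0) != 0) return 0;   /* simulate the zero-length-file bug */
    return load_seed_file(path, back, SEED_LEN) == -1;
}
```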