
VERY_STRONG RNG seed initialization is problematic if only few bytes needed
Closed, Resolved, Public

Description

Hi,

I am trying to use the gcrypt RNG for generating a volume key.
In principle, it is a long-term key, so GCRY_VERY_STRONG_RANDOM should be used.

I cannot use a seed file - the RNG is called during system installation.
So libgcrypt must initialise the random pool for the very strong RNG.

But initialisation _requires_ POOLSIZE/2 (300 bytes) reads from /dev/random.

In fact, I need only a 256/512-bit key from here (64 bytes).

So seeding 300 bytes from /dev/random is required for 64 bytes of output...

The problem is that on most systems this takes a very long time
because there are not enough entropy sources for so much random data.

The problem is easy to see even with the benchmark:

time tests/benchmark strongrandom

random 30ms

real 1m45.888s
user 0m0.035s
sys 0m0.037s

Isn't it possible to add some pool-limiting function which will require
only adequate seed reads from /dev/random if the application needs only an exact amount
of very strong RNG data?

Event Timeline

No, this would violate the design of the RNG. It is already hard enough to come
up with good random numbers and we don't want to weaken it any more.

I understand (and that is exactly why I do not want to use some weak RNG but
something robust in cryptsetup).

But seeding 300 bytes to read 64 bytes of random data is simply not acceptable and it will
not work on most systems for me because of the long (and completely unnecessary)
time for gathering entropy.

Why is the pool exactly 600 bytes? Why is poolblocks fixed at 30?

So the libgcrypt RNG is simply not usable here. It is a pity, because it is a very nice
and small crypto library, and it perfectly fits the cryptsetup use case in other aspects.

FWIW, I started to work on another random backend which uses /dev/random
directly. It is not yet finished, though.

1.6 (current master) now has a feature to switch to a pure /dev/random based RNG.

werner claimed this task.