[Pkg-gnutls-maint] Bug#475168: certtool --generate-dh-params is ridiculously wasteful of entropy

sacrificial-spam-address at horizon.com
Wed Apr 9 12:34:45 UTC 2008


Package: gnutls-bin
Version: 2.2.2-1

"/usr/bin/certtool --generate-dh-params --bits 384" performs 25
120-byte reads (3000 bytes, or 24 kbits total) from /dev/urandom,
even though its output is only 384 bits, and doesn't even need to
be cryptographically secure in the first place.

I have gotten lost trying to figure out where the waste is actually
occurring, so the problem may be in libgcrypt11-1.4.0, but in general
the number of bits of seed entropy required is equal to the security
parameter of the key being generated.  E.g. 80 for a 1024-bit public
key, and 128 for a 3072-bit public key.  Applying a small fudge factor
(like 2x) to that minimum is reasonable, but this is ridiculous.

Basically NOTHING, including generating long-lived public keys, should
require reading more than 256 bits (32 bytes) from /dev/{u,}random.
(There are about 10^80 = 2^266 protons, and about 2e9 times as many
(2^297) photons, in the visible universe.  Those are the smallest needles
and largest haystacks that we can sensibly talk about.)

I can understand being lazy and just reading n bits to generate an n-bit
public key rather than implementing your own cryptographic PRNG, but
that doesn't apply in this case.

In addition to being wasteful, reading more than that indicates that the author
of the code in question doesn't know much about cryptography.
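As an added illustration of the report's point (this is example code, not anything from certtool or libgcrypt): draw only a security parameter's worth of entropy from the OS, then expand it with a deterministic generator for the many candidates a prime search consumes. The modulus-size-to-strength table follows NIST SP 800-57 (the source of the 80/1024 and 128/3072 figures above), the generator is a minimal HMAC_DRBG per SP 800-90A, and the 2x fudge factor and 32-byte ceiling are the report's own numbers.

```python
import hashlib
import hmac
import os

# NIST SP 800-57 equivalents: bits of security per finite-field modulus size
# (80 for 1024-bit, 128 for 3072-bit, as the report states).
STRENGTH_TABLE = ((1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256))

def security_strength(modulus_bits):
    """Security parameter for a modulus; sizes below 1024 get the 80-bit floor."""
    return max([80] + [bits for size, bits in STRENGTH_TABLE if modulus_bits >= size])

def seed_bytes_needed(modulus_bits, fudge=2):
    """OS entropy to draw: fudge x security parameter, capped at the report's 32 bytes."""
    return min(32, (fudge * security_strength(modulus_bits) + 7) // 8)

class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A, SHA-256; no personalization or reseeding)."""
    def __init__(self, seed):
        self.k, self.v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)

    def _update(self, data):
        self.k = hmac.new(self.k, self.v + b"\x00" + data, hashlib.sha256).digest()
        self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()
        if data:  # second round only when fresh input is mixed in
            self.k = hmac.new(self.k, self.v + b"\x01" + data, hashlib.sha256).digest()
            self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()
            out += self.v
        self._update(b"")  # advance the state after every request
        return out[:nbytes]

def dh_prime_candidates(modulus_bits, count, seed=None):
    """`count` odd modulus_bits-bit integers a prime search would test; only
    seed_bytes_needed() bytes come from the OS, the rest is DRBG output."""
    if seed is None:
        seed = os.urandom(seed_bytes_needed(modulus_bits))
    drbg = HmacDrbg(seed)  # a fixed seed makes the run reproducible (tests)
    candidates = []
    for _ in range(count):
        n = int.from_bytes(drbg.generate((modulus_bits + 7) // 8), "big") & ((1 << modulus_bits) - 1)
        candidates.append(n | (1 << (modulus_bits - 1)) | 1)  # full length, odd
    return candidates
```

For the 384-bit case in the report, seed_bytes_needed(384) is 20 bytes, and all 25 candidates then come from the DRBG rather than from further /dev/urandom reads.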
