[Gnuk-users] Security of NeuG?
micah
micah at riseup.net
Mon Feb 16 19:59:39 UTC 2015
Jonathan Schleifer <js-gnuk-users at webkeks.org> writes:
> Am 16.02.2015 um 03:24 schrieb NIIBE Yutaka <gniibe at fsij.org>:
>
>> On 02/16/2015 12:30 AM, Jonathan Schleifer wrote:
>>> Thus I'm wondering: Is NeuG "secure enough" for long term keys?
>>
>> I think that a standard practice would be mixing multiple entropy
>> sources (if available), even if one (or many) of sources is/are not
>> trusted. I'd rather recommend not to stop your HAVEGED.
>
> I didn't want to run HAVEGED and rngd, as I feared that the two would have a race which HAVEGED might win, resulting in never getting randomness from NeuG (both only add randomness if they think there isn't enough).
My understanding of haveged's functionality is that if havged wakes up
and finds the kernel pool needs to be filled it will dominate the pool
and fill it ALL itself. It will usually be the one that wakes up first,
because it will get the kernel call faster (because rngd has its own
loop).
Haveged does this: 1. gets the current pool size; 2. writes the
remaining random data to the pool in a single ioctl.
The way rngd works is it is careful about dominating the pool by having
a random step function to fill it. This means that haveged dominates and
results in zero mixing because when rngd wakes up, it sees that the pool
is filled and doesn't have to do anything.
Someone with some C knowledge could do us all a favor and make haveged
use a step function to make it more safe!
micah
More information about the gnuk-users
mailing list