gnome-keyring Generating RSA keys from /dev/urandom



I'm working on RSA key generation in gnome-keyring PKCS#11 stuff.

I'd also like to generate a single RSA 2048-bit key per user, which will
be used to sign and encrypt their PKCS#11 store. The reason for using PK
signing instead of a simple HMAC is so that we can verify things in the
store (like trust exceptions) without unlocking it, but then require an
unlock in order to modify it. Such a key would be generated at or around
the first login time.

In gnome-keyring we use libgcrypt. libgcrypt by default uses /dev/random
as a random source to generate the key. However this blocks for
unacceptable amounts (minutes to hours) of time when generating a
2048-bit RSA key.

GnuTLS, OpenSSL, NSS all use /dev/urandom to generate their RSA keys.
I'd like to make gnome-keyring also have this behavior. We can do this
easily by setting a flag for libgcrypt. But I want to make sure I get
appropriate feedback before doing this.

Any comments?

Cheers,

Stef


