Re: gnome-keyring Generating RSA keys from /dev/urandom
- From: Stef Walter <stefw collabora co uk>
- To: Nikos Mavrogiannopoulos <nmav gnutls org>
- Cc: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring Generating RSA keys from /dev/urandom
- Date: Sun, 12 Dec 2010 10:22:11 -0600
On 2010-12-09 10:28, Nikos Mavrogiannopoulos wrote:
> /dev/random is pretty useless for cryptographic (any) applications,
> unless there is an open time limit (i.e. wait 10 minutes until there is
> entropy enough to start a TLS session). Usually user's (like me) don't
> want to do that, thus /dev/urandom comes to play. There are not known
> weaknesses so far as long as there was gathered randomness at some point.
> A description and study of it can be seen at
> There are other (maybe better) alternatives to /dev/random algorithm
> that do not require blocking, but in linux that's all we have.
Interesting. Good to know.
I agree that that using /dev/random is basically completely unusable.
I'll disable the /dev/random usage in libgcrypt and use /dev/urandom
The way to use /dev/urandom in libgcrypt is like so:
gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
The only risk is that libgcrypt gives us very few guarantees about
what it's doing, and whether the behavior of that setting will change in
But I think this acceptable, and will post some code for PKCS#11 key
] [Thread Prev