4

Looking at the strace output of GPG on my box seems to show that it uses /dev/urandom when encrypting a message without any access to /dev/random even when --no-random-seed-file is specified.

Are messages at risk of being encrypted with a low entropy session key? If so then how does one instruct GPG to not behave like this?

EDIT: I believe this is a different question than the possible duplicate which deals with more ephemeral data. My gpg encrypted messages will have a long lifetime and are easily subject inspection by an adversary.

CoderBrien
  • 149
  • 4
  • 3
    [This](http://stackoverflow.com/questions/3690273/did-i-understand-dev-urandom) suggests that isn't a likely problem. – etherealflux Aug 04 '15 at 16:41
  • Sorry, but it is a problem. "As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver". Supposing I have high security requirements I would like to ensure a proper source of randomness is used. – CoderBrien Aug 04 '15 at 16:50
  • It's *theoretically* vulnerable, yes. It's also theoretically possible to guess your session key! Thomas's answer explains why urandom is practically always the better choice – etherealflux Aug 04 '15 at 16:54
  • You're free to have your opinions. Clearly gpg is in fact vulnerable to weak session keys if /dev/urandom is used. My question stands. How do I get gpg to use a strong random source (/dev/random)? – CoderBrien Aug 04 '15 at 17:04

2 Answers2

14

On a general basis:

  • /dev/urandom is no less secure than /dev/random. In fact they both use the same algorithms and the same seeds. Occasionally, /dev/random just stops because someone, someday, read something about entropy, did not understand it, and now thinks that randomness is something that is burned upon usage and must be refilled regularly.

    (This page makes a rather nice job explaining things on that subject.)

  • There can be situations where there is not enough available entropy in the whole system. These situations do not occur with normal Linux distributions because they generate and save a random seed at boot time, to be used for the next boot, effectively ensuring that /dev/urandom is cryptographically secure all along. To get into one of these situations, you have to either play some weird games with VM snapshots, or use not a PC but some very limited embedded system; this is quite far from the contexts where you would use GnuPG.

  • It is very noteworthy that in the case of VM snapshots, the "entropy estimate" of /dev/random will gleefully report that it is full of the stuff, which is, in this case, very wrong. That is, not only does the blocking behaviour of /dev/random is scientifically unsubstantiated, but it also totally fails to be triggered in the one practical case (VM snapshots) were entropy loss could be feared.

  • Also remember that contexts where /dev/urandom is inappropriate are also contexts where /dev/random is inappropriate. Using /dev/random will not make things "more random"; at best, it will refuse to work instead of generating a key of theoretically lower security ("theoretically" because none of this has ever resulted in a practical break, even as a demonstration in lab-controlled conditions). As explained above, this is really an "at best" and it won't actually work that way with VM snapshots and reset.

    Fortunately, all the activity involved by a boot implies collection of enough entropy to achieve cryptographic security (for arbitrarily long /dev/urandom outputs, even). See this article for more analysis. GnuPG key generation is not done by the kernel in the early boot steps; it occurs much later, during normal operation, when the PRNG has been properly seeded.

None of this prevents some people from insisting on some ritual dancing with entropy. Apparently, the GnuPG authors are part of that specific theological interpretation -- either because they believe it or because they yield under the market pressure.

Summary: using /dev/urandom instead of /dev/random is not weak for GnuPG. GnuPG is used in a context where /dev/urandom is properly seeded and will achieve all the required unpredictability, and /dev/random will do no better (not in practice, not in theory either). In the one situation (VM snapshots) where the output of /dev/urandom could be inadequate for GnuPG, the output of /dev/random will be equally inadequate for the same reasons, and the blocking mechanism of /dev/random will not be triggered. The conclusion is that switching from /dev/urandom to /dev/random for GnuPG is completely useless.

... that is, from a technical point of view. Using /dev/random instead of /dev/urandom could induce some blocking that can help in persuading the weakly-minded that "serious cryptography is happening". It won't make things more secure, but it may make the user feel safer.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 1
    Wow, that's a whole lot of text which really just distracts from the issue. What you are arguing is that most of the time using /dev/urandom doesn't matter, but you must conceded that shortly after boot time there may not be enough entropy available. Do you have a source for your claim that /dev/random will not block? That would be suprising. – CoderBrien Aug 04 '15 at 18:11
  • 2
    How would it be surprising ? `/dev/random` blocks based on its internal "entropy counter". If you snapshot the machine, you snapshot the whole machine, including that counter. – Thomas Pornin Aug 04 '15 at 18:14
  • cold boot linux with no seed file. no entropy available. /dev/random blocks. /dev/urandom does not. gpg your sensitive data and it is not secure. apparently you don't think this is a problem. i prefer to be able to trust that my tools will make intelligent decisions regardless of how unlikely you claim the scenario is. – CoderBrien Aug 04 '15 at 18:18
  • 6
    @CoderBrien Are you interested in an answer, or in ranting at people who don't share your opinion? Thomas makes some excellent points: 1) GPG is a user program, meaning that it can only ever run _after_ boot, by which time both `/dev/randam` and `/dev/urandom` will have lots of entropy, and 2) none of this has ever been broken, even by researchers in a lab setting. Your data is fine. – Mike Ounsworth Aug 04 '15 at 18:20
  • so step 1. assume we have entropy in the system. step 2. use /dev/urandom. to each his own. – CoderBrien Aug 04 '15 at 18:23
  • @CoderBrien "cold boot linux with no seed file." -- maybe you should tell us what your threat model is. Are you expecting an attacker to have physical access to your machine _before_ and _while_ you are GPG-encrypting your important file? If so, this whole debate is moot because the answer is "better physical security". – Mike Ounsworth Aug 04 '15 at 18:25
  • here's one. broken distro package that breaks rng seed file. subtle enough so that it won't break other software and likely to remain unnoticed. you seem to have already decided to "not worry about it" so i'm sure my example won't sway you but i prefer defense in depth. – CoderBrien Aug 04 '15 at 18:29
  • [Law of security #10:](https://technet.microsoft.com/en-us/library/hh278941.aspx) "Technology is not a panacea". If you dig deep enough, any system can be broken. Similarly, there are always more things you can do to harden a system, with the only limit being your time and money. From your question, it sounds like you have control over the machine that GPG is being run on, so make sure you do some high-entropy stuff before running GPG. If that does not solve your problem, then I think we need more details in the question. – Mike Ounsworth Aug 04 '15 at 18:39
  • technology need not be a panacea to behave reasonably. it is entirely possible for gpg to avoid creating crackable messages under what is hopefully an unlikely circumstance. in fact, i believe they have under 2.0. are you seriously recommending i remember to shake my mouse around and cross my fingers before using gpg??? – CoderBrien Aug 04 '15 at 19:01
  • @CoderBrien keep in mind that the fact that `/dev/random/` blocks leaks information to the attacker about the use of randomness on the system. Compared to the theoretical attacks on `/dev/urandom` (which only work theoretically if the PRNG used to generate that stream has significant cryptographic weaknesses!), one could even argue that using `/dev/random` gives an attacker *more* information. – Rens van der Heijden Aug 04 '15 at 20:02
  • Rens- could you please expand on how blocking on /dev/random leaks information. are you referring to a sidechannel attack to someone who has access to the machine? – CoderBrien Aug 04 '15 at 20:03
  • @CoderBrien well, a side channel attack would exploit that information leak, but is (at least, I assume, I haven't checked) equally theoretical. However, if you use `/dev/random` for every message, I suspect it's quite easy to get a good estimate of how much messages are generated at this machine. This isn't horrible for GPG, maybe, but if you think of mix networks (things like TOR, I2P and so on), that has been a practical attack vector on anonymity. I mean, practical in the sense that a cryptographer would use it, but still. – Rens van der Heijden Aug 04 '15 at 20:08
  • @CoderBrien by the way, what I said only applies when you want GPG to access `/dev/random` for every message. For key generation, the issue you raise *could* be of theoretical concern, which is why `random(4)` recommends using `/dev/random` for long term keys (and nothing else). The difference with your case is not in lifetime, as you suggest, but in the amount of messages encrypted with the key (versus the amount of messages encrypted with a session key or IV). – Rens van der Heijden Aug 04 '15 at 20:11
  • 1
    @CoderBrien I just find it odd that you come to a Question & Answer site, and then argue with anybody who gives you an answer. I also find it odd that you are trying to label things as "100% Good" or "100% Bad" without considering the broader context of these security concerns. I mean, given an all-access attacker, any software ever written is "100% Bad", this should not be surprising. Anyway, this is now a 2-person rant-off, so I'm done with this thread. – Mike Ounsworth Aug 04 '15 at 20:20
  • Mike, I'm here responding to you because this is my question... which I wound up answering myself (see FIPS mode). The answers that were given did not address my question. – CoderBrien Aug 04 '15 at 20:32
  • 2
    He answered the first part, which is: No, using `/dev/urandom` does not in any plausible scenario result in the generation of weak GPG keys. In fact, systems like OS X and FreeBSD have gone as far as completely doing away with the distinction between either, where `/dev/random` is now just a symlink to `/dev/urandom`. – Stephen Touset Aug 05 '15 at 02:48
  • 2
    Hell, read the [scathing comments by DJB, Thomas Pornin, and Thomas Ptacek](http://www.2uo.de/myths-about-urandom/#experts) on the debate (ironically, one of these people has already answered your question in this exact thread). – Stephen Touset Aug 05 '15 at 02:51
-5

Answering my own question:

Eureka: FIPS mode causes /dev/random to be used for the session key and enables lots of other sane decisions to be made. Although it does look like Fedora may have decided to do away with it. So despite my stack being nearly overflowed by those who say settle for "good enough" there is actually a viable alternative.

CoderBrien
  • 149
  • 4
  • Yeah I'm annoyed myself at Debian's default. Lots of programs rely on using `gpg` greater than version 1. So I rename `/usr/bin/gpg` to `/usr/bin/gpgv1`, and create a symlink for `/usr/bin/gpg` that poings to gpgv2. – RoraΖ Aug 04 '15 at 17:27
  • 2
    Do you have a reference for your statement that ```messages are vulnerable to a low entropy session key (with GPG 1.4)```? AFAIK, there is no low entropy attack on 1.4. See Thomas's answer. – mikeazo Aug 04 '15 at 18:46