[Help-gnutls] Re: About entropy gathering


From: Simon Josefsson
Subject: [Help-gnutls] Re: About entropy gathering
Date: Wed, 31 Jan 2007 12:58:45 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.93 (gnu/linux)

devel <address@hidden> writes:

> Well,
> The problem is that without a time limit a "machine operator"
> cannot know if there is a "hardware problem". For example, my machine
> waits about >30 seconds for 1024 bits of random data; my machine has no
> hardware RNG (Athlon64 X2), which runs a program slower than a Pentium III
> with the hw_rng module (<1 second).
> Under a heavy load of entropy gathering, a machine operator cannot know that
> the program is waiting for RNG data. The program, the machine, and the
> server could be slow because the machine cannot collect true random data.
>
> I think that the function that collects entropy should exit, with an error
> code, if a throughput of bytes/s cannot be collected. That is my opinion.

If the time-limit is 30s, you then wouldn't be able to generate a
private key on your athlon64, while waiting longer would make that
possible.  Deciding on the time-limit is difficult.  On smaller
machines, generating the required entropy can take many minutes.

A process indicator might be useful, and if someone wants to work on
adding one -- just read one byte of randomness at a time and display
some progress to the user after each byte has been read -- I'd like to
integrate it.

However, when you talk about 'server', what do you mean?  Generating
RSA/DSA private keys or DH parameters can block, but a GnuTLS server
should never (if I understand how we are using libgcrypt correctly).
If you are having a GnuTLS server block on randomness, please give
more details -- that shouldn't happen.

/Simon
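
The progress indicator suggested in the message above (read one byte of randomness at a time and report after each byte), as an added example that is not code from GnuTLS, libgcrypt or the thread. The names read_random_with_progress, progress_fn and print_progress are hypothetical, and /dev/random as the blocking source is an assumption.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical callback: invoked after every byte that has been read. */
typedef void (*progress_fn)(size_t done, size_t total, void *ctx);

/* Read len bytes from fd one byte at a time so that a blocked source shows
 * up to the operator as a stalled counter instead of a silent hang.
 * Returns 0 on success, -1 on a read error or premature end of file. */
int read_random_with_progress(int fd, unsigned char *buf, size_t len,
                              progress_fn report, void *ctx)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = read(fd, buf + done, 1); /* may block until a byte is ready */
        if (n == 1) {
            done++;
            if (report)
                report(done, len, ctx);
        } else if (n == 0) {
            return -1;                       /* source closed before len bytes */
        } else if (errno != EINTR) {
            return -1;                       /* real error; EINTR is retried */
        }
    }
    return 0;
}

/* Sample reporter: prints a counter to stderr. If ctx is non-NULL it is
 * treated as a size_t call counter (used for checking, not for display). */
void print_progress(size_t done, size_t total, void *ctx)
{
    if (ctx)
        (*(size_t *)ctx)++;
    fprintf(stderr, "\rgathering entropy: %zu/%zu bytes", done, total);
    if (done == total)
        fputc('\n', stderr);
}

int main(void)
{
    unsigned char seed[128];                 /* 1024 bits, as in the thread */
    int fd = open("/dev/random", O_RDONLY);  /* assumed blocking source */
    if (fd < 0) { perror("open"); return 1; }
    int rc = read_random_with_progress(fd, seed, sizeof seed, print_progress, NULL);
    close(fd);
    return rc == 0 ? 0 : 1;
}
```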