Linux – gnupg 2.1.16 blocks waiting for entropy

encryptiongpglinux-kernel

Releases of gnupg from 2.1.16 (currently 2.1.17) block waiting for entropy only on first invocation.

Note: this isn't an attempt to generate a key, just to decrypt a file and start the agent.

The first time gpg-agent is started, either directly with gpg2 file.gpg or using an application like pass, pinentry appears and once I enter my passphrase and hit Enter it hangs for around 15s.

All subsequent calls, within the window of the default-cache-ttl, are executed immediately.

Running in --debug-all mode, the period where the hang occurs prints¹:

gpg: DBG: chan_6 <- S PROGRESS need_entropy X 30 120
gpg: DBG: chan_6 <- S PROGRESS need_entropy X 120 120
gpg: DBG: chan_6 <- S PROGRESS need_entropy X 30 120
gpg: DBG: chan_6 <- S PROGRESS need_entropy X 120 120
gpg: DBG: chan_6 <- S PROGRESS need_entropy X 30 120
...

I installed rng-tools to supplement the entropy pool:

cat /proc/sys/kernel/random/entropy_avail 
4094

and compared with a machine with the same version of gnupg that did not have rng-tools or haveged installed, that exhibits no delay:

cat /proc/sys/kernel/random/entropy_avail
3783

So there appears to be sufficient entropy in the pool. This was tested on kernels 4.8.13 and 4.9.

Does gpg use a different pool? How can I provide sufficient entropy, or otherwise eliminate the 15s delay when starting the agent?

^{1. The full debug log.}

Best Answer

I think I know what's going on. In gnupg's agent/gpg-agent.c, this function processes messages from libgcrypt.

/* This is our callback function for gcrypt progress messages.  It is
   set once at startup and dispatches progress messages to the
   corresponding threads of the agent.  */
static void 
agent_libgcrypt_progress_cb (void *data, const char *what, int printchar,
                             int current, int total)
{
  struct progress_dispatch_s *dispatch;
  npth_t mytid = npth_self ();

  (void)data;

  for (dispatch = progress_dispatch_list; dispatch; dispatch = dispatch->next)
    if (dispatch->ctrl && dispatch->tid == mytid)
      break;
  if (dispatch && dispatch->cb)
    dispatch->cb (dispatch->ctrl, what, printchar, current, total);

  /* Libgcrypt < 1.8 does not know about nPth and thus when it reads
   * from /dev/random this will block the process.  To mitigate this
   * problem we take a short nap when Libgcrypt tells us that it needs
   * more entropy.  This way other threads have chance to run.  */
#if GCRYPT_VERSION_NUMBER < 0x010800 /* 1.8.0 */
  if (what && !strcmp (what, "need_entropy"))
    npth_usleep (100000); /* 100ms */
#endif
}

That last part with npth_usleep was added between 2.1.15 and 2.1.17. Since this is conditionally compiled if libgcrypt is older than 1.8.0, the straightforward fix would be recompiling gnupg against libgcrypt 1.8.0 or later… unfortunately that version doesn't seem to exist yet.

The weird thing is, that comment about libgcrypt reading /dev/random is not true. Stracing the agent reveals it's reading from /dev/urandom and using the new getrandom(2) syscall, without blocking. It does however send many need_entropy messages, causing npth_usleep to block. Deleting those lines fixes the issue.

I should mention that npth seems to be some kind of cooperative multitasking library, and npth_usleep is probably its way to yield, so it might be better to just significantly reduce that delay, just in case libgcrypt decides to block some day. (1ms is not noticeable)

Key IDs

The man page seems pretty clear on where these values are coming from. The key IDs are a portion of the SHA-1 fingerprint.

The key Id of an X.509 certificate are the low 64 bits of its SHA-1 fingerprint. The use of key Ids is just a shortcut, for all automated processing the fingerprint should be used.

All these values are hex, the notation allows for either a number to be prefixed with 0x, a 0, or to simply begin with a non-zero value.

NOTE: Using key IDs is inherently a bad idea since they're essentially taking a portion of the fingerprint to identify a given key. The problem arises in that it's somewhat trivial to generate collisions among key IDs. See this article for more on this issue, titled: Short key IDs are bad news (with OpenPGP and GNU Privacy Guard).

excerpt

Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundementally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.

TL;DR: This now gives two results: gpg --recv-key 70096AD1

Fingerprints

Whereas the fingerprints:

This format is deduced from the length of the string and its content or the 0x prefix. Note, that only the 20 byte version fingerprint is available with gpgsm (i.e. the SHA-1 hash of the certificate).

When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.

The best way to specify a key Id is by using the fingerprint. This avoids any ambiguities in case that there are duplicated key IDs.

I'd suggest taking a look at the wikipedia page titled: Public key fingerprint. It details how fingerprints are generated. Here's summary:

excerpt

A public key (and optionally some additional data) is encoded into a sequence of bytes. To ensure that the same fingerprint can be recreated later, the encoding must be deterministic, and any additional data must be exchanged and stored alongside the public key. The additional data is typically information which anyone using the public key should be aware of. Examples of additional data include: which protocol versions the key should be used with (in the case of PGP fingerprints); and the name of the key holder (in the case of X.509 trust anchor fingerprints, where the additional data consists of an X.509 self-signed certificate).

The data produced in the previous step is hashed with a cryptographic hash function such as MD5 or SHA-1.

If desired, the hash function output can be truncated to provide a shorter, more convenient fingerprint.

This process produces a short fingerprint which can be used to authenticate a much larger public key. For example, whereas a typical RSA public key will be 1024 bits in length or longer, typical MD5 or SHA-1 fingerprints are only 128 or 160 bits in length.

When displayed for human inspection, fingerprints are usually encoded into hexadecimal strings. These strings are then formatted into groups of characters for readability. For example, a 128-bit MD5 fingerprint for SSH would be displayed as follows:
   43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

References

Fingerprint (computing)

Best Answer

Related Solutions

Directory Encryption – How to Encrypt Directory with GnuPG

GnuPG : representations of key IDs and fingerprints

Key IDs

Fingerprints

References

Related Question