Deterministic session keys

Paul Ashton paul at argo.demon.co.uk
Fri Jul 17 10:48:46 CEST 1998


I previously proposed this in sci.crypt some time ago, however
I didn't get a lot of response.

One way to validate another program is to write a second implementation
and compare the functionality. The problem with random session keys is
that the use of the second program cannot determine whether the first
did or didn't produce a bad or malicious session key. I'm sure the
first thing that people do when they want to covertly leak the key
in an encryption program is to tamper with the session key.

My proposal is to make the session key completely deterministic and
therefore remove the opportunity for someone to reduce its
effectiveness. Since it is now deterministic, a recipient with a
"good" encryption program can determine whether the sender was using
a "bad" one, and a second encryption of known inputs would give
comparable outputs.

It would be nice if this could be done whilst remaining compatible
with non-deterministic (not sure that's the right term) programs.
So with PGP you change make_random_ideakey() to produce an IDEA
key that is MD5(file), say.
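The scheme above, written out as an added example (this is not code from the post, from PGP or from GnuPG): the session key is MD5 of the file, a hypothetical "good" sender and a hypothetical "tampered" sender are run side by side, and the recipient recomputes MD5 of the decrypted file to check the key it was given. IDEA is replaced by a stand-in SHA-256 counter-mode keystream so the example runs with the standard library alone; the sample file is constructed.

```python
import hashlib
import hmac

KEY_LEN = 16  # IDEA takes a 128-bit key; MD5 returns exactly 16 bytes.

# Constructed sample "file" used for the demonstration.
SAMPLE_FILE = b"Meeting notes: the quarterly figures are attached.\n"


def derive_session_key(plaintext: bytes) -> bytes:
    """Deterministic session key = MD5(file), as proposed for make_random_ideakey()."""
    return hashlib.md5(plaintext).digest()


def _keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode), used only so the example
    round-trips offline; in the post's PGP context IDEA would sit here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream derived from the session key."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(session_key, len(plaintext))))


def decrypt(session_key: bytes, ciphertext: bytes) -> bytes:
    """A XOR stream cipher is its own inverse."""
    return encrypt(session_key, ciphertext)


def good_sender(plaintext: bytes) -> tuple:
    """Hypothetical sender whose program follows the deterministic rule.
    Returns (session_key, ciphertext); in PGP the key would travel
    public-key encrypted alongside the ciphertext."""
    key = derive_session_key(plaintext)
    return key, encrypt(key, plaintext)


def tampered_sender(plaintext: bytes) -> tuple:
    """Hypothetical bad program that substitutes a fixed key for MD5(file).
    With random session keys a recipient could not tell this apart from a
    correct sender; with deterministic keys the check below catches it."""
    key = b"\x00" * KEY_LEN
    return key, encrypt(key, plaintext)


def recipient_check(session_key: bytes, ciphertext: bytes) -> tuple:
    """Recipient with a 'good' program: decrypt with the session key it was
    given, recompute MD5(file) from the result and compare the two.
    Returns (key_is_valid, plaintext)."""
    plaintext = decrypt(session_key, ciphertext)
    expected = derive_session_key(plaintext)
    return hmac.compare_digest(expected, session_key), plaintext


if __name__ == "__main__":
    for name, sender in (("good", good_sender), ("tampered", tampered_sender)):
        key, ct = sender(SAMPLE_FILE)
        ok, pt = recipient_check(key, ct)
        print(f"{name} sender: key valid = {ok}, file recovered = {pt == SAMPLE_FILE}")
```

The check only works because the recipient ends up holding the plaintext and can therefore recompute the key; a third party without the file learns nothing from the key itself. The flip side, one of the disadvantages the post alludes to, is that the same file always yields the same key and hence the same ciphertext, so an observer can tell when the same file is sent twice.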

There are disadvantages that need to be overcome, but I would
like to hear people's comments.

You can follow the original thread on dejanews at
http://x1.dejanews.com/getdoc.xp?AN=296557889 (if you are
interested :-)).

Cheers,
Paul
