GnuPG PRNG insecure?

Werner Koch wk at
Fri Feb 8 08:59:01 CET 2002

On Fri, 8 Feb 2002 19:10:18 +1300 (NZDT), Peter Gutmann said:

> (assuming it accurately implements the design in
> the output is only taken from

It should implement a CSPRNG as described in your 1998(?) paper. 

> Incidentally, this bug is identical to the PGP 2.x xorbytes bug, a web search
> for that name will find further discussion on this topic.  I think copying
> xorbytes is taking GPG's PGP compatibility a bit far :-).

What worries me most is that it needed *4 years* to figure this bug
out _and_ report it.  I'd have expected that some more people had a
close look at those critical things.  It is a very sad thing that
there is so less truth in the claim that bugs in Free Software are
figured out very fast - I have seen too many counterexamples :-(


Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus

More information about the Gnupg-devel mailing list