GnuPG PRNG insecure?
Werner Koch
wk at gnupg.org
Sun Feb 10 22:06:01 CET 2002
On Fri, 8 Feb 2002 23:39:46 +0100, Stefan Keller said:
> As I explained, on non /dev/random (or equivalent) systems there are often *much*
> more bytes put into the pool than requested. As soon as 2*POOLSIZE bytes have
> been put into the pool, the entropy collected with the first POOLSIZE bytes is
Okay, I did some tests on GNU/Linux (i386) to see how often a mix_pool
is done. For all relevant cases a mix is done not later than when
~65% of the buffer is filled; this carries more than 212 bytes state
from one mix to the next. The usual case is a mix after 88 bytes,
right after a fast poll.
But yes, the missing XOR is a serious bug which should be fixed in
libgcrypt ASAP, because there we don't have a one-shot use of the
application but might use the RNG under entirely different conditions.
To make the implementation more robust I will also carry a hash of
the entire pool between mixes.
Thanks again,
Werner
--
Werner Koch
g10 Code GmbH
Privacy Solutions

Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est.
-- Augustinus
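The point under discussion, as an added example that is not part of the original mail and not GnuPG or libgcrypt code: a toy ring-buffer entropy pool in which freshly collected bytes are either XORed into the pool or simply written over it. With overwriting and no mix in between, once 2*POOLSIZE bytes have been fed in, the state no longer depends on the first POOLSIZE bytes at all; XOR folding keeps that dependency, and so does mixing before the buffer fills (the ~65% point measured above), because the unwritten remainder of the pool carries mixed state forward. POOLSIZE, MIX_AT, the SHA-256 based mix and the test inputs are constructed for this model and are not GnuPG's real values or algorithm.

```python
import hashlib

POOLSIZE = 600   # constructed pool size for the model, not GnuPG's real value
MIX_AT = 390     # constructed: about 65% of POOLSIZE, the mix point the mail reports


class EntropyPool:
    """Minimal model of a ring-buffer entropy pool (assumed design, not GnuPG's).

    fold_xor=True  -> new bytes are XORed into the pool (the behaviour the mail wants)
    fold_xor=False -> new bytes overwrite pool bytes (the "missing XOR" bug)
    mix_threshold  -> bytes added since the last mix that trigger one; None = only on demand
    """

    def __init__(self, fold_xor, mix_threshold=None):
        self.fold_xor = fold_xor
        self.mix_threshold = mix_threshold
        self.pool = bytearray(POOLSIZE)
        self.pos = 0
        self.since_mix = 0

    def mix(self):
        # Stir the pool so that every output byte depends on every current pool byte.
        # Constructed stand-in for GnuPG's mix_pool: hash the whole pool, then expand
        # that digest back to POOLSIZE bytes with a counter.
        seed = hashlib.sha256(bytes(self.pool)).digest()
        out = bytearray()
        ctr = 0
        while len(out) < POOLSIZE:
            out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        self.pool = out[:POOLSIZE]
        self.pos = 0
        self.since_mix = 0

    def add_randomness(self, data):
        """Feed collected bytes into the pool, wrapping around like a ring buffer."""
        for b in data:
            if self.fold_xor:
                self.pool[self.pos] ^= b      # fold: old pool byte still matters
            else:
                self.pool[self.pos] = b       # overwrite: old pool byte is discarded
            self.pos = (self.pos + 1) % POOLSIZE
            self.since_mix += 1
            if self.mix_threshold is not None and self.since_mix >= self.mix_threshold:
                self.mix()

    def state(self):
        return hashlib.sha256(bytes(self.pool)).hexdigest()


def first_input_survives(fold_xor, mix_threshold=None):
    """Does the first POOLSIZE bytes of input still influence the pool after
    another POOLSIZE bytes have been added?

    Two pools get different first batches and the same second batch; if their
    states still differ after a final mix, the first batch's entropy survived.
    """
    early_a = (bytes(range(256)) * 3)[:POOLSIZE]          # constructed input A
    early_b = bytes(255 - x for x in early_a)             # constructed input B, differs everywhere
    later = b"\x42" * POOLSIZE                            # constructed identical second batch
    pool_a = EntropyPool(fold_xor, mix_threshold)
    pool_b = EntropyPool(fold_xor, mix_threshold)
    pool_a.add_randomness(early_a)
    pool_b.add_randomness(early_b)
    pool_a.add_randomness(later)
    pool_b.add_randomness(later)
    pool_a.mix()
    pool_b.mix()
    return pool_a.state() != pool_b.state()


if __name__ == "__main__":
    print("XOR fold, no mix until requested:   ", first_input_survives(True))
    print("overwrite, no mix until requested:  ", first_input_survives(False))
    print("overwrite, mix at ~65% of the pool: ", first_input_survives(False, MIX_AT))
    print("XOR fold, mix at ~65% of the pool:  ", first_input_survives(True, MIX_AT))
```

The second line of output is the failure mode Stefan describes: with overwriting and no intermediate mix, both pools end in an identical state, so the first POOLSIZE bytes of collected entropy contributed nothing. The third line is Werner's measurement argument: if a mix always happens before the buffer is full, the part of the pool that was not overwritten carries the earlier state across, so the loss does not occur in practice, but the XOR fold removes the dependence on that timing entirely.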