GnuPG PRNG insecure?

Werner Koch wk at
Sun Feb 10 22:06:01 CET 2002

On Fri, 8 Feb 2002 23:39:46 +0100, Stefan Keller said:

> As I explained, on non /dev/random (or equivalent) systems there are often *much*
> more bytes put into the pool than requested. As soon as 2*POOLSIZE bytes have
> been put into the pool, the entropy collected with the first POOLSIZE bytes is

Okay, I did some tests on GNU/Linux (i386) to see how often a mix_pool
is done.  For all relevant cases a mix is done not later than when
~65% of the buffer is filled; this carries more than 212 bytes of state
from one mix to the next.  The usual case is mixes after 88 bytes
right after a fast poll.

But yes, the missing XOR is a serious bug which should be fixed in
libgcrypt ASAP, because there we don't have a one-shot use of the
application but might use the RNG under entirely different conditions.

To make the implementation more robust I will also carry a hash of
the entire pool between mixes.

Thanks again,


Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
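The following is an added toy model, written for this page and not code from GnuPG or libgcrypt, to make the two points in the message above concrete: (1) if new entropy is copied over the pool bytes at the write cursor instead of being XORed in, a burst of input that wraps the cursor before the next mix replaces everything collected in the previous lap, and (2) carrying a hash of the entire pool from one mix into the next preserves earlier state even across such a wrap. The pool size, block size, the `Pool` class, its `add`/`mix` methods and the `survives` helper are all this example's own assumptions; the only thing taken from the discussion is the structure "write cursor that wraps, mix step run periodically".

```python
"""Toy entropy pool: write cursor that wraps at POOLSIZE, explicit mix step.

Added illustration, not GnuPG/libgcrypt code. Sizes, names and the hash
chaining in mix() are assumptions made for this example.
"""
import hashlib

POOLSIZE = 64   # toy pool size (assumption; far smaller than a real pool)
BLOCK = 16      # granularity at which mix() rewrites the pool (assumption)


class Pool:
    def __init__(self, xor_in: bool, carry_hash: bool) -> None:
        self.pool = bytearray(POOLSIZE)
        self.pos = 0
        self.xor_in = xor_in          # True: XOR new bytes in; False: overwrite (the bug)
        self.carry_hash = carry_hash  # True: seed each mix with a hash of the whole previous pool
        self.carry = b""

    def add(self, data: bytes) -> None:
        """Feed entropy at the cursor.  Deliberately no implicit mix, so a burst
        longer than POOLSIZE models input that wraps the cursor between mixes."""
        for b in data:
            if self.xor_in:
                self.pool[self.pos] ^= b
            else:
                self.pool[self.pos] = b
            self.pos = (self.pos + 1) % POOLSIZE

    def mix(self) -> None:
        """Rewrite the pool block by block with a hash chain.  The chain starts
        from a digest of the current pool, prefixed (if enabled) by the digest
        of the entire pool as it stood after the previous mix."""
        seed = (self.carry if self.carry_hash else b"") + bytes(self.pool)
        chain = hashlib.sha256(seed).digest()
        for i in range(0, POOLSIZE, BLOCK):
            block = bytes(self.pool[i:i + BLOCK])
            chain = hashlib.sha256(chain + block).digest()
            self.pool[i:i + BLOCK] = chain[:BLOCK]
        self.carry = hashlib.sha256(bytes(self.pool)).digest()
        self.pos = 0


def survives(xor_in: bool, carry_hash: bool, mix_between: bool,
             first_a: bytes, first_b: bytes, second: bytes) -> bool:
    """Run two pools that differ only in their first POOLSIZE-byte batch, then
    feed the same second batch and mix.  Returns True when the final pools
    differ, i.e. the first batch still contributes to the state."""
    finals = []
    for first in (first_a, first_b):
        p = Pool(xor_in, carry_hash)
        p.add(first)
        if mix_between:
            p.mix()
        p.add(second)
        p.mix()
        finals.append(bytes(p.pool))
    return finals[0] != finals[1]


# Constructed sample inputs: two distinct first batches and one shared second batch.
FIRST_A = bytes(range(POOLSIZE))
FIRST_B = bytes(POOLSIZE - 1 - i for i in range(POOLSIZE))
SECOND = b"\x55" * POOLSIZE

if __name__ == "__main__":
    print("overwrite, no mix before wrap :", survives(False, False, False, FIRST_A, FIRST_B, SECOND))
    print("XOR in,    no mix before wrap :", survives(True, False, False, FIRST_A, FIRST_B, SECOND))
    print("overwrite, mixed, no carry    :", survives(False, False, True, FIRST_A, FIRST_B, SECOND))
    print("overwrite, mixed, carry hash  :", survives(False, True, True, FIRST_A, FIRST_B, SECOND))
```

The first case is the failure Stefan Keller describes: with plain overwrite, once a second POOLSIZE bytes have arrived without a mix, the first batch has no influence on the pool at all. XORing new bytes in fixes that on its own. The third and fourth cases show why carrying a whole-pool hash between mixes is a worthwhile belt-and-braces measure even once the XOR is in place: if something does wrap the cursor with overwrite semantics, the carried digest still feeds the earlier state into the next mix.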
