GnuPG PRNG insecure?

Werner Koch wk at gnupg.org
Sun Feb 10 22:06:01 CET 2002


On Fri, 8 Feb 2002 23:39:46 +0100, Stefan Keller said:

> As I explained, on non /dev/random (or equivalent) systems there are often *much*
> more bytes put into the pool than requested. As soon as 2*POOLSIZE bytes have
> been put into the pool, the entropy collected with the first POOLSIZE bytes is

Okay, I did some tests on GNU/Linux (i386) to see how often a mix_pool
is done.  For all relevant cases a mix is done not later than when
~65% of the buffer is filled; this carries more than 212 bytes of state
from one mix to the next.  The usual case is a mix after 88 bytes
right after a fast poll.

But yes, the missing XOR is a serious bug which should be fixed in
libgcrypt ASAP, because there we don't have a one-shot use of the
application but might use the RNG under entirely different conditions.

To make the implementation more robust I will also carry a hash of
the entire pool between mixes.

Thanks again,

  Werner


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
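The overwrite-versus-XOR point discussed in this thread, as an added toy model (not GnuPG's or libgcrypt's code): a pool of an assumed POOLSIZE of 64 bytes, a SHA-256 based stand-in for mix_pool, and constructed sample entropy. With the buggy overwrite, once 2*POOLSIZE bytes have been added without an intervening mix, the first POOLSIZE bytes no longer influence the output; with the XOR they still do.

```python
import hashlib

POOLSIZE = 64  # assumed toy value, not GnuPG's real pool size


class EntropyPool:
    """Toy model: entropy bytes are written into a ring pool and mixed on read."""

    def __init__(self, xor_in: bool):
        self.pool = bytearray(POOLSIZE)
        self.pos = 0
        self.xor_in = xor_in  # True = fixed behaviour, False = the missing-XOR bug

    def add_randomness(self, data: bytes) -> None:
        for b in data:
            if self.xor_in:
                self.pool[self.pos] ^= b   # fold new entropy into the existing state
            else:
                self.pool[self.pos] = b    # overwrite: earlier state at this slot is lost
            self.pos = (self.pos + 1) % POOLSIZE

    def mix_pool(self) -> None:
        # Stand-in for mix_pool: hash chain over the whole pool, 32 bytes at a time.
        chain = hashlib.sha256(bytes(self.pool)).digest()
        for i in range(0, POOLSIZE, 32):
            chain = hashlib.sha256(chain + bytes(self.pool[i:i + 32])).digest()
            self.pool[i:i + 32] = chain
        self.pos = 0

    def read(self, n: int) -> bytes:
        self.mix_pool()
        return bytes(self.pool[:n])


def first_entropy_survives(xor_in: bool) -> bool:
    """Two pools get different first POOLSIZE bytes, then identical second
    POOLSIZE bytes, with no mix in between.  Returns True if their outputs
    still differ, i.e. the first batch of entropy still matters."""
    first_a = bytes([0x11]) * POOLSIZE          # constructed sample entropy
    first_b = bytes([0x22]) * POOLSIZE          # constructed, differs from first_a
    second = bytes(range(POOLSIZE))             # constructed, same for both pools
    pool_a, pool_b = EntropyPool(xor_in), EntropyPool(xor_in)
    pool_a.add_randomness(first_a + second)
    pool_b.add_randomness(first_b + second)
    return pool_a.read(32) != pool_b.read(32)


if __name__ == "__main__":
    print("XOR  :", "first entropy survives" if first_entropy_survives(True) else "lost")
    print("store:", "first entropy survives" if first_entropy_survives(False) else "lost")
```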