Patches for gnupg 1.0.7 / cygwin 1.3.10

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jun 6 11:34:01 CEST 2002


Chris Polley <chris.polley at ieee.org> writes:

>>I don't know how good the generated entropy is. This question goes to=20
>>the cygwin list. How generated? How good?
>
>It uses the MS-supplied CryptGenRandom call to generate the random bytes.

The CAPI generator is, um, of variable quality.  I cover one version in
http://www.cryptoapps.com/~peter/06_random.pdf.  Note that the code appears to
have changed over time, and is now considerably improved (the details will be
in the updated version of the above paper).  I don't know in which versions of
Windows the improved versions appeared, or what the specific improvements over
time may have been.

(Basically, you're relying on the company which brought you ActiveX, Outlook,
 Word macros, IIS, etc etc, to provide secure randomness.  It's sort of odd
 that you don't trust their Posix stuff (which is a matter of taste), but do
 trust their randomness (which is a critical security issue) :-).

Peter.




More information about the Gnupg-devel mailing list