RNG bug in GnuPG/Libgcrypt

Werner Koch wk at gnupg.org
Sat Aug 20 11:34:41 CEST 2016


Hi,

Let's see how DSA and Elgamal keys are impacted by the RNG bug in GnuPG
2 (but not in GnuPG 1.4).  Here is how random is used for the former
default of 2048 bit DSA + Elgamal key.

  #RNG(12952) stats: bytes: 8 (8 + 0) (1 + 0) #

  8 bytes for the passphrase protection salt.

  #RNG(12952) stats: bytes: 16 (16 + 0) (2 + 0) #

  8 bytes to initialize the nonce generator (triggered by the
  Rabin-Miller prime test)

  #RNG(12952) stats: bytes: 48 (16 + 32) (2 + 1) #

  32 bytes for the DSA secret parameter x.

  #RNG(12952) stats: bytes: 80 (48 + 32) (3 + 1) #

  32 bytes for the DSA parameter k to test the key.

  gpg: writing self signature
  #RNG(12952) stats: bytes: 112 (80 + 32) (4 + 1) #

  32 bytes for the DSA parameter k to create the self-signature.

  gpg: DSA/SHA256 signature from: "E2EA1593 [?]"

  #RNG(12952) stats: bytes: 155 (80 + 75) (4 + 2) #

  43 bytes for the Elgamal secret parameter x.

  #RNG(12952) stats: bytes: 198 (123 + 75) (5 + 2) #

  43 bytes for the Elgamal parameter k to test the key.

  #RNG(12952) stats: bytes: 454 (379 + 75) (6 + 2) #

  256 bytes for the Elgamal parameter k to test the key.

  gpg: writing key binding signature
  #RNG(12952) stats: bytes: 486 (411 + 75) (7 + 2) #

  32 bytes for the DSA parameter k to create the key binding signature
  of the public key

  gpg: writing key binding signature
  #RNG(12952) stats: bytes: 518 (443 + 75) (8 + 2) #

  32 bytes for the DSA parameter k to create the key binding signature
  of the secret key

Thus we have not reached the critical bytes 580..599.  So we are safe for
the defaults.  Further, the secret parameters x for both keys are
created early enough to never get created from the critical bytes, even
with 3072 DSA and 4096 Elgamal keys.

My original doubts were based on the idea that the public primes for
DSA and Elgamal are created from the regular RNG.  However, with
Libgcrypt 1.3 (2007) this was changed to use the nonce generator.


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 /* Join us at OpenPGP.conf  <https://openpgp-conf.org> */
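As an added example (not part of Werner's mail or of GnuPG itself), the Python below replays the byte accounting above: it parses the quoted `#RNG(...) stats:` lines, turns the running totals into per-draw byte counts, and reports whether any draw consumes a byte inside the 580..599 window. Only the leading total of each stats line is relied on; treating the first bracketed pair as a split of that total is an assumption used purely as a sanity check.

```python
import re

# Inclusive byte offsets of the RNG output that the mail calls critical.
CRITICAL = (580, 599)
# Shape of the "#RNG(pid) stats:" lines; assumed: the first bracketed pair sums to the total.
STATS_RE = re.compile(r"#RNG\(\d+\) stats: bytes: (\d+) \((\d+) \+ (\d+)\) \((\d+) \+ (\d+)\) #")

def parse_total(line):
    """Running byte total from one stats line, after a consistency check."""
    m = STATS_RE.search(line)
    if m is None:
        raise ValueError("not a stats line: %r" % line)
    total, a, b = (int(g) for g in m.group(1, 2, 3))
    if total != a + b:
        raise ValueError("counters disagree: %d != %d + %d" % (total, a, b))
    return total

def draws_from_stats(steps):
    """Turn (label, stats line) pairs into (label, bytes drawn) pairs."""
    draws, prev = [], 0
    for label, line in steps:
        total = parse_total(line)
        draws.append((label, total - prev))
        prev = total
    return draws

def ledger(draws, critical=CRITICAL):
    """Per draw: (label, first offset, last offset, overlaps the critical window?)."""
    lo, hi = critical
    rows, pos = [], 0
    for label, n in draws:
        rows.append((label, pos, pos + n - 1, pos <= hi and pos + n - 1 >= lo))
        pos += n
    return rows

def critical_draws(draws, critical=CRITICAL):
    """Labels of the draws that consume any byte of the critical window."""
    return [lbl for lbl, _, _, hit in ledger(draws, critical) if hit]

# The ten stats lines from the mail's 2048-bit DSA+Elgamal run, labelled as the mail describes them.
STEPS = [
    ("passphrase salt", "#RNG(12952) stats: bytes: 8 (8 + 0) (1 + 0) #"),
    ("nonce generator init", "#RNG(12952) stats: bytes: 16 (16 + 0) (2 + 0) #"),
    ("DSA x", "#RNG(12952) stats: bytes: 48 (16 + 32) (2 + 1) #"),
    ("DSA k (key test)", "#RNG(12952) stats: bytes: 80 (48 + 32) (3 + 1) #"),
    ("DSA k (self-sig)", "#RNG(12952) stats: bytes: 112 (80 + 32) (4 + 1) #"),
    ("Elgamal x", "#RNG(12952) stats: bytes: 155 (80 + 75) (4 + 2) #"),
    ("Elgamal k (key test)", "#RNG(12952) stats: bytes: 198 (123 + 75) (5 + 2) #"),
    ("Elgamal k (key test, 256 bytes)", "#RNG(12952) stats: bytes: 454 (379 + 75) (6 + 2) #"),
    ("DSA k (binding sig, public)", "#RNG(12952) stats: bytes: 486 (411 + 75) (7 + 2) #"),
    ("DSA k (binding sig, secret)", "#RNG(12952) stats: bytes: 518 (443 + 75) (8 + 2) #"),
]
```

Appending further hypothetical draws to the list shows which later consumer would be the first to reach byte 580.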