insecure random number generator
Lars Hecking
lhecking@nmrc.ucc.ie
Wed, 17 May 2000 16:29:20 +0100
I have now recompiled gpg 1.0.1e on Solaris to use Andreas Meier's
random device (cf. recent thread on -devel ;)

Now, when trying to encrypt a file, it tells me

    Enter the user ID: lhecking
    gpg: skipped: public key already set with --encrypt-to
    gpg: WARNING: using insecure random number generator!!   <--
    The random number generator is only a kludge to let      <--
    it run - it is in no way a strong RNG!                   <--
    DON'T USE ANY DATA GENERATED BY THIS PROGRAM!!

Is there a real problem, or is this just a platform-specific precaution
as Solaris generally has no random device?

I am pretty certain that this binary of gpg knows about /dev/random,
whereas the previous version doesn't:

    $ strings gpg | grep '/dev/[ur]'
    /dev/random
    /dev/urandom
    $ strings /usr/local/bin/gpg | grep '/dev/[ur]'
    $