gnupg for windows

Carlos Colombo CarlosC@tyssa.com.ar
Fri, 19 May 2000 19:03:54 -0300


First of all, I would like to thank L. Sassaman and Sam Simpson for their
answer to my previos question [DSA vs RSA]. I've read the article
http://www.scramdisk.clara.net/pgpfaq.html and I higly recomend it.

Now, I have questions about the security and the usability of gnupg under
x86 with Win95/98, WinNT and Win2000.

I have read the following and I understand I should get gpg 1.0.2:

>[...]
>Yes it will [run]. However, the current versions have some problems with
the
>random generator. We still have to check out why.
>
>gpg 1.0.2 will run on W2000
>[...]
Also, as I am using gpg 1.0.1, I took a look at the README.W32 file. It says :
>This is an alpha release of GnuPG for MS-Windows and WNT.
>The random number generator should now work but has not undergone
>a thorough testing, so we won't say anything about the quality of
>the generated key [...]
I know now (thanks to Sam's recomended article) that a good random source is completely critical in the DSS signature process.
>Need for "good" randomness. The random value "k" in DH/DSS needs to be both
unique & unpredictable. If
>an adversary either obtains 2 messages encrypted with the same "k" or
recovers "k" then they can obtain the >private key [Sch96a] - this is a really catastrophic failure. My conclussion is that gpg for windows does not fit my requeriments, as the forgery of electronic signed messages could have serious [legal] consecuences. Therefore I am considering other options for the windows workstations. I may be loosing some points in my analysis. I am new to this subject and and I'll appreciate recomendations... One option is buying PGP from Computer Associates. Price should not be a problem. (I haven't contacted them yet...-:) --Hey it's Friday night... I'm running out of here! Please tell me what do you think, all comments are welcome. Carlos Colombo +54 (11) 43201485 Buenos Aires, Argentina