Entropy in ascii-armored output?

Zeljko Vrba zvrba at globalnet.hr
Sat Jul 30 07:50:05 CEST 2005

Chris De Young wrote:
> some GPG encryption output (with -a, e.g. "QhRuM+W4xC9qnPvn") might be a good
> source of password material.
> It's random-looking to the untrained eye, but how random is it really?  It
1. I know that this isn't what you were asking but you can get the same
result by using

[zax:zvrba]$ openssl rand -base64 8

(8 is the number of random bytes). OpenSSL tries hard to use good
randomness sources. You can also take a look at a little program I've
written: Secure Password Generator.


2. Now to try to answer you question: it depends. If the message is
signed-only, then there is no security (because in the middle you have
your original, plaintext content). If you get a part of the encrypted
message, it should be good password. The output of a good encryption
algorithm is indistinguishable from truly random data. Again, if you
cut-paste a part of the OpenPGP header/footer, the quality is poor.

best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050730/f5c532c8/signature.pgp

More information about the Gnupg-users mailing list