Entropy in ascii-armored output?
Zeljko Vrba
zvrba at globalnet.hr
Sat Jul 30 07:50:05 CEST 2005
Chris De Young wrote:
> some GPG encryption output (with -a, e.g. "QhRuM+W4xC9qnPvn") might be a good
> source of password material.
>
> It's random-looking to the untrained eye, but how random is it really? It
>
1. I know that this isn't what you were asking but you can get the same
result by using
[zax:zvrba]$ openssl rand -base64 8
57YOqsXaSWk=
(8 is the number of random bytes). OpenSSL tries hard to use good
randomness sources. You can also take a look at a little program I've
written: Secure Password Generator.
http://freshmeat.net/projects/secpwgen/
2. Now to try to answer your question: it depends. If the message is
signed-only, then there is no security (because in the middle you have
your original, plaintext content). If you get a part of the encrypted
message, it should be a good password. The output of a good encryption
algorithm is indistinguishable from truly random data. Again, if you
cut-paste a part of the OpenPGP header/footer, the quality is poor.
best regards,
Zeljko.
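The two points above (take the password material from the OS randomness source directly, and if you do cut it from armored output then only from the encrypted payload, never from the header/footer) as an added worked example. This is not code from the original thread, from GnuPG or from secpwgen. It assumes only the Python standard library; the armored block it parses is constructed inline around deterministic bytes and is not a real OpenPGP message (the "Version:" header is a made-up value), it just follows the armor layout and CRC24 of RFC 4880.

```python
"""Added example: how much randomness is really behind a password cut from
base64 text, and how to take it only from the payload of an ASCII-armored
block, skipping the BEGIN/END lines, armor headers and CRC line."""
import base64
import math
import secrets
from collections import Counter


def random_password(nbytes: int) -> str:
    """Equivalent of `openssl rand -base64 N`: N bytes from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def underlying_entropy_bits(b64_chars: str) -> int:
    """Bits of randomness behind a run of base64 characters, assuming the bytes
    that were encoded are uniformly random (true for a CSPRNG output or for
    ciphertext, false for an armor header). Each character carries 6 bits; a
    trailing partial byte is ignored, so the figure is conservative."""
    n = len(b64_chars.rstrip("="))
    return 8 * ((6 * n) // 8)


def shannon_bits_per_char(s: str) -> float:
    """Character-frequency estimate only: it tells you whether text *looks*
    random, not where the bytes came from."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def crc24(data: bytes) -> int:
    """CRC24 as specified for OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_payload(armored: str) -> bytes:
    """Decode an ASCII-armored block: drop the BEGIN/END lines and the armor
    headers (everything up to the first blank line), check the =XXXX CRC
    line, and return the raw payload bytes."""
    lines = [line.rstrip() for line in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    if "" not in body:
        raise ValueError("missing blank line after armor headers")
    data_lines = body[body.index("") + 1:]
    crc_line = data_lines.pop() if data_lines and data_lines[-1].startswith("=") else None
    payload = base64.b64decode("".join(data_lines), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if expected != crc24(payload):
            raise ValueError("armor CRC mismatch")
    return payload


def password_from_armor(armored: str, nchars: int, offset: int = 0) -> str:
    """Cut nchars of base64 from the *payload* only; offset lets the caller
    skip the start of the payload, which in a real message holds packet
    structure (tags, lengths, key IDs) rather than ciphertext."""
    payload_b64 = base64.b64encode(armor_payload(armored)).decode("ascii").rstrip("=")
    return payload_b64[offset:offset + nchars]


def build_sample_armor(payload: bytes) -> str:
    """Constructed sample for the demo: armor layout around arbitrary bytes.
    NOT a real OpenPGP message; the Version header is a hypothetical value."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: Example 0.0 (constructed)",
                      "", body, "=" + crc, "-----END PGP MESSAGE-----"])


SAMPLE_PAYLOAD = bytes(range(48))  # constructed, deterministic, not random
SAMPLE_ARMOR = build_sample_armor(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("openssl-style password:", random_password(8), "->", underlying_entropy_bits(random_password(8)), "bits")
    print("16 chars from armor payload:", password_from_armor(SAMPLE_ARMOR, 16),
          "->", underlying_entropy_bits(password_from_armor(SAMPLE_ARMOR, 16)), "bits if payload is ciphertext")
    print("header looks-random score:", round(shannon_bits_per_char("-----BEGIN PGP MESSAGE-----"), 2))
    print("body looks-random score:  ", round(shannon_bits_per_char("QhRuM+W4xC9qnPvn"), 2))
```

The point of `underlying_entropy_bits` next to `shannon_bits_per_char` is that the second number is cosmetic: the 16 characters quoted in the question rest on 96 bits only if the bytes behind them were uniformly random, which holds for ciphertext and CSPRNG output and does not hold for the "-----BEGIN PGP MESSAGE-----" and "Version:" lines, which the parser throws away. The `offset` parameter is an additional caveat of this example, not something the post states: the first bytes of a real encrypted message are OpenPGP packet headers, not ciphertext.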
More information about the Gnupg-users mailing list