Series of minor questions about OpenPGP 5

Philipp Gühring pg at
Thu Jan 29 01:35:49 CET 2009


>> I wonder because I'd to test the used source with this
>> so is there perhaps some function in gpg

> That are plainstupid tests.  

Yes, I agree. I haven't discovered any intelligent algorithms yet, only
statistical tests seem to be available.
If anyone knows better tests, please let me know.
(I am currently working to add better statistical tests, but they will
still be statistical tests, nothing groundbreaking)

> It does no make any sense at all to run
> statistically tests on the output of a hash digest.

We have successfully discovered a weak RNG, notified the vendor and got
the vendor to actually fix the product. So I would say that it actually
makes sense to do it, to detect weak RNGs.

An actual counter-example to this claim is the Debian-OpenSSL bug.
OpenSSL processed the random numbers through a hash, but it still showed
statistical weaknesses on the hash digest output.

Best regards,
Philipp Gühring

More information about the Gnupg-users mailing list