key generation: paranoia mode - explicit random input

Hauke Laging mailinglisten at
Wed Feb 26 06:08:41 CET 2014


I just got asked: "How do I know that GnuPG in distro XY is not 

The answer to this question is long and unpleasant.

Thinking about that I had an idea – once more I can just hope it's new.

One of the worst problems is that key generation might be compromised. I 
think this is the worst case because THEY would not even have to steal 
your key any more. And clever modifications to random data are hard to 

I suggest adding a new key generation mode. The only difference would be 
that the random input is not read from /dev/random any more (and that 
random_seed would not be used or newly initialized) but from an explicit 
source: --random-source /path/to/file. With that (I guess very small) 
change every GnuPG installation should generate the same key material 
(of course, the timestamps would have to be given, too).

Then people who need a very high level of security could create a pool 
of random data (e.g. by reading from /dev/random) and use this data and 
the same timestamps with different Linux distros, even with Windows. ;-)

If the generated keys are exactly the same on all systems then it is 
very improbable that the key generation has been compromised (or all is 
lost anyway).

This would be much easier (and thus available to normal people) than 
attempts to audit a distro.
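The cross-check described above, as an added Python example that is not from the post and not GnuPG's code: a hash-counter byte stream (an assumed stand-in for the proposed --random-source) drives the RSA prime search, so the key material is a function of the pool alone, and fingerprints computed over the given creation timestamp are compared across installations. The stream construction, the 512-bit key size and the fingerprint format are assumptions chosen for a quick demonstration.

```python
import hashlib
from math import gcd

class ExplicitRandom:
    """Deterministic byte stream derived from an explicit random pool.
    Stands in for the proposed --random-source (construction assumed, not GnuPG's)."""
    def __init__(self, pool: bytes):
        self.pool, self.ctr = pool, 0
    def bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.pool + self.ctr.to_bytes(8, "big")).digest()
            self.ctr += 1
        return out[:n]

def is_probable_prime(n: int, rng: ExplicitRandom, rounds: int = 32) -> bool:
    """Miller-Rabin; witnesses also come from the explicit pool so the run stays reproducible."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(rng.bytes(8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int, rng: ExplicitRandom, e: int) -> int:
    """Candidates: top bit and low bit forced, (p-1) coprime to e so d exists."""
    while True:
        c = int.from_bytes(rng.bytes(bits // 8), "big") | (1 << (bits - 1)) | 1
        if gcd(c - 1, e) == 1 and is_probable_prime(c, rng):
            return c

def gen_rsa(pool: bytes, timestamp: int, bits: int = 512, e: int = 65537) -> dict:
    """Key material depends only on the pool; the creation timestamp is an explicit input."""
    rng = ExplicitRandom(pool)
    p = gen_prime(bits // 2, rng, e)
    q = gen_prime(bits // 2, rng, e)
    while q == p:
        q = gen_prime(bits // 2, rng, e)
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "created": timestamp}

def fingerprint(key: dict) -> str:
    return hashlib.sha256(f"{key['created']}:{key['n']}:{key['e']}".encode()).hexdigest()

def cross_check(fingerprints) -> bool:
    """The post's test: every installation fed the same pool and timestamp must agree."""
    return len(set(fingerprints)) == 1
```

Run gen_rsa on each system with the same pool file and timestamp; any fingerprint that differs from the others flags that installation's key generation for closer inspection.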

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5