key generation: paranoia mode - explicit random input

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 26 06:19:17 CET 2014


On 02/26/2014 12:08 AM, Hauke Laging wrote:
> I suggest to add a new key generation mode. The only difference would be 
> that the random input is not read from /dev/random any more (and that 
> random_seed would not be used or newly initialized) but from an explicit 
> source: --random-source /path/to/file. With that (I guess very small) 
> change every GnuPG installation should generate the same key material 
> (of course, the timestamps would have to be given, too).
> 
> Then people who need a very high level of security could create a pool 
> of random data (e.g. by reading from /dev/random) and use this data and 
> the same timestamps with different Linux distros, even with Windows. ;-)
> 
> If the generated keys are exactly the same on all systems then it is 
> very improbable that the key generation has been compromised (or all is 
> lost anyway).
> 
> This would be much easier (and thus available to normal people) than 
> attempts to audit a distro.

If i was an attacker who was compromising your software and i knew the
software had this verification mode, i would make my modified software
generate keys "correctly" when in this verification mode (clearly the
software can tell when the entropy source is not /dev/random), and when
it was not in this verification mode i would do my devious known-key
"generation".

So i don't see how this proposed change would let anyone sleep easier at
night, unfortunately.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140226/10c49156/attachment-0001.sig>


More information about the Gnupg-users mailing list