key generation: paranoia mode - explicit random input

Hauke Laging mailinglisten at
Wed Feb 26 06:33:55 CET 2014

On Wed 26.02.2014, 00:19:17, Daniel Kahn Gillmor wrote:

> If i was an attacker who was compromising your software and i knew the
> software had this verification mode, i would make my modified
> software generate keys "correctly" when in this verification mode
> (clearly the software can tell when the entropy source is not
> /dev/random), and when it was not in this verification mode i would
> do my devious known-key "generation".

I thought about that when writing the mail but...

> So i don't see how this proposed change would let anyone sleep easier
> at night, unfortunately.

...I came to a conclusion quite different from yours: The aim is to get 
a non-compromised key. Whether the non-compromised key is generated by a 
compromised GnuPG is a different question and does not affect the 
security of the key itself!

Of course, damage can be caused later: e.g., clean asymmetric crypto 
doesn't protect against compromised session keys.

Thus such a feature should not be bound to key generation (would be even 
less work then). If this was a general "switch the entropy source" 
feature then checks could be applied to encryption and signing (not 
needed for RSA).

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
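The explicit-random-input idea under discussion, as an added example that is not part of the original post and not GnuPG code: a toy RSA key generator whose only source of randomness is a caller-supplied seed, expanded by a hypothetical HMAC-SHA256 counter construction, so that anyone holding the same seed can re-derive the key and compare it with what the generator produced. The seed values, the function names (`drbg_stream`, `generate_rsa_key`, `verify_key_matches_seed`) and the 512-bit key size are constructed for illustration; the signature is textbook RSA over a SHA-256 hash without padding, also illustrative only.

```python
import hashlib
import hmac
import math
from typing import Dict, Iterator

# Small primes for trial division (3..997), built once at import time.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

# Fixed Miller-Rabin bases keep the primality test itself deterministic,
# so the whole key derivation is a pure function of the seed.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def drbg_stream(seed: bytes, label: bytes) -> Iterator[int]:
    """Expand the explicit random input into an endless byte stream.

    HMAC-SHA256 in counter mode: a simplified, hypothetical construction
    for illustration, not NIST HMAC_DRBG and not what GnuPG does."""
    counter = 0
    while True:
        block = hmac.new(seed, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        counter += 1
        yield from block


def take(stream: Iterator[int], n: int) -> bytes:
    """Pull the next n bytes from a drbg_stream."""
    return bytes(next(stream) for _ in range(n))


def is_probable_prime(n: int) -> bool:
    """Trial division followed by Miller-Rabin with the fixed bases above."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(stream: Iterator[int], bits: int) -> int:
    """Draw candidates from the seed-derived stream until one is prime."""
    while True:
        candidate = int.from_bytes(take(stream, bits // 8), "big")
        candidate |= (1 << (bits - 1)) | 1   # force exact bit length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_key(seed: bytes, bits: int = 512) -> Dict[str, int]:
    """Toy RSA key whose every bit comes from the explicit seed.

    No /dev/random, no hidden entropy: the same seed always yields the
    same (p, q), hence the same key."""
    stream = drbg_stream(seed, b"rsa-keygen")
    e = 65537
    while True:
        p = next_prime(stream, bits // 2)
        q = next_prime(stream, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


def verify_key_matches_seed(key: Dict[str, int], seed: bytes,
                            bits: int = 512) -> bool:
    """Verification mode: re-derive the key from the explicit random input
    (ideally with an independent implementation) and compare. A generator
    that quietly substituted its own randomness fails this check."""
    return generate_rsa_key(seed, bits) == key


def rsa_sign(key: Dict[str, int], message: bytes) -> int:
    """Textbook RSA signature over SHA-256. Consumes no randomness at all,
    which is why a switchable entropy source adds nothing for RSA signing."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, key["d"], key["n"])


def rsa_verify(key: Dict[str, int], message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, key["e"], key["n"]) == h


if __name__ == "__main__":
    seed = b"constructed-seed-A"   # constructed value, not real entropy
    key = generate_rsa_key(seed)
    print("re-derivation matches:", verify_key_matches_seed(key, seed))
    print("other seed matches:   ", verify_key_matches_seed(key, b"other"))
    sig = rsa_sign(key, b"hello")
    print("signature stable:     ", sig == rsa_sign(key, b"hello"))
```

Re-running `verify_key_matches_seed` with a generator written by someone else is what turns the explicit input into an actual verification, and it only speaks for the run it is applied to, which is exactly the limit Daniel points out above. The signing functions illustrate the closing remark of the mail: `rsa_sign` draws nothing from the stream, so two signatures over the same message are identical, whereas a scheme that needs a fresh per-signature nonce would have to draw that nonce from the same switchable source for the check to cover signing as well.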