key generation: paranoia mode - explicit random input
Hauke Laging
mailinglisten at hauke-laging.de
Wed Feb 26 06:33:55 CET 2014
On Wed 26.02.2014, 00:19:17, Daniel Kahn Gillmor wrote:
> If i was an attacker who was compromising your software and i knew the
> software had this verification mode, i would make my modified
> software generate keys "correctly" when in this verification mode
> (clearly the software can tell when the entropy source is not
> /dev/random), and when it was not in this verification mode i would
> do my devious known-key "generation".
I thought about that when writing the mail but...
> So i don't see how this proposed change would let anyone sleep easier
> at night, unfortunately.
...I came to a conclusion quite different from yours: The aim is getting
a non-compromised key. Whether the non-compromised key is generated by a
compromised GnuPG is a different question and does not affect the
security of the key itself!
Of course, damage can be caused later: Clean asymmetric crypto doesn't
protect against compromised session keys e.g.
Thus such a feature should not be bound to key generation (would be even
less work then). If this was a general "switch the entropy source"
feature then checks could be applied to encryption and signing (not
needed for RSA).
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
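
The point argued in the message above, that a key derived from explicit random input can be checked without trusting the program that produced it, shown as an added example (not part of the original mail and not GnuPG code). The derivation scheme, the function names, the seed and the toy 512-bit modulus are all assumptions made for illustration; a second, independent implementation of the same published derivation would play the role of `verify_claimed_key`.

```python
import hashlib

SEED = b"constructed sample input, e.g. dice rolls typed in by the user"
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
E = 65537

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (adequate for hash-derived candidates in a demo)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_prime(seed, label, bits=256):
    """Walk a counter until SHAKE-256(seed || label || counter) yields a usable prime."""
    ctr = 0
    while True:
        raw = hashlib.shake_256(seed + label + ctr.to_bytes(4, "big")).digest(bits // 8)
        cand = int.from_bytes(raw, "big") | (3 << (bits - 2)) | 1  # full length, odd
        if is_probable_prime(cand) and (cand - 1) % E != 0:
            return cand
        ctr += 1

def keygen(seed):
    """Deterministic toy RSA key: the same explicit input always gives the same key."""
    p, q = derive_prime(seed, b"p"), derive_prime(seed, b"q")
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def verify_claimed_key(seed, claimed_n):
    """Independent check: recompute the modulus from the seed and compare it to
    the modulus the tool under test claims to have generated from that seed."""
    return keygen(seed)["n"] == claimed_n
```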