key generation: paranoia mode - explicit random input

Hauke Laging mailinglisten at hauke-laging.de
Fri Feb 28 15:58:12 CET 2014


On Thu 27.02.2014, 10:28:10, Doug Barton wrote:
> Someone else made this argument already, which I thought should have
> shut down the thread, but it didn't, so I'll try repeating it. :)

Thanks for paying attention and thinking about this, but I already 
explained why I consider the argument you (probably) refer to valid 
in general but invalid in the special case I am talking about. I am not 
simply ignoring well-meant advice.


> If I am Mal, I am going to make sure that my implementation does the
> right thing when you add the --verify-my-binary-is-safe flag. But when
> you're not using that flag I'm still free to do whatever I want with
> your stuff.

That is correct. But your argument does not cover two important cases:

a) Maybe I was not clear enough about that, but I do not suggest this as 
a "Set the flag once (and do the other stuff) and after that you are 
safe forever" feature. This feature would have to be used for every 
encryption, too. (I guess it would be easily possible with RSA 
signatures today, i.e. without changes to GnuPG.)

Thus your "when you're not using that flag" point is never reached.


b) This is not a problem if you just receive encrypted data. In that 
case you just have to be sure that your key is clean. (The sender obviously 
has the problem of how to be "sure" that his system is non-compromised.)


> In other words, we're right back to the same thread we had about 6
> weeks ago. You cannot "Trust" a binary, for sufficiently "Secure"
> definitions of "Trust."

Sure. Thus I don't claim absolute security for my case but "only" that 
an attacker has to compromise more systems, or central components 
(the kernel, GnuPG itself). I don't even have the slightest idea how safe 
the key is which signs the GnuPG packages... If I were the NSA, then I 
would consider the software which Werner(?) uses for calculating the 
digests a valuable target... ;-)


> ... and BTW, if you think I'm being paranoid or exaggerating the
> problem on the OS side

Not at all. After all most people would even consider my proposal 
paranoid, wouldn't they?


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
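The mechanism the post argues for (explicit random input so that key generation and each signature become reproducible, and can therefore be recomputed and compared on an independent machine) as an added illustration. This is example code written for this page, not code from the post, from GnuPG or from any OpenPGP implementation. Everything in it is an assumption made for the demo: the HMAC-SHA256 counter DRBG, the 512-bit key size chosen only for speed, the seed value, the simplified PKCS#1 v1.5-style padding without the DigestInfo prefix, and the "tampered" generator that ignores the supplied randomness.

```python
"""Reproducible RSA key generation and signing from caller-supplied random
input, plus the cross-check an independent machine would run.

Added example for this page; not GnuPG code.  Toy parameters: 512-bit key,
no DigestInfo in the padding.  Do not use as a real signature scheme."""
import hashlib
import hmac
import math
import os

# Constructed demo seed: in the proposal this would be the user's explicit
# random input, supplied identically to both the suspect and the checking system.
SEED = hashlib.sha256(b"demo seed supplied by the user").digest()
MESSAGE = b"constructed message to be signed"


def drbg_bytes(seed: bytes, label: bytes, n: int) -> bytes:
    """Deterministic byte stream from the explicit seed (HMAC-SHA256, counter mode).
    Assumption: this seed is the *only* entropy source of the whole computation."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def is_probable_prime(n: int, seed: bytes, rounds: int = 32) -> bool:
    """Miller-Rabin whose witnesses also come from the seed, so the test is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for i in range(rounds):
        a = 2 + int.from_bytes(drbg_bytes(seed, b"mr%d" % i, 32), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(seed: bytes, label: bytes, bits: int) -> int:
    """Search forward from a seed-derived odd starting point of exactly `bits` bits."""
    cand = int.from_bytes(drbg_bytes(seed, label, bits // 8), "big")
    cand |= (1 << (bits - 1)) | 1
    while not is_probable_prime(cand, seed):
        cand += 2
    return cand


def gen_rsa_key(seed: bytes, bits: int = 512):
    """Return (n, e, d).  Same seed -> same key, on any machine."""
    e = 65537
    while True:
        p = gen_prime(seed, b"p", bits // 2)
        q = gen_prime(seed, b"q", bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)
        seed = hashlib.sha256(seed).digest()  # deterministic retry


def _encode(msg: bytes, k: int) -> bytes:
    """PKCS#1 v1.5-style deterministic padding over SHA-256 (DigestInfo omitted; demo only)."""
    digest = hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest


def sign(msg: bytes, n: int, d: int) -> bytes:
    """No per-signature randomness, so the signature bytes are fully determined by (key, msg)."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _encode(msg, k))


def cross_check(seed: bytes, msg: bytes, claimed_n: int, claimed_sig: bytes) -> bool:
    """What the independent machine does: recompute everything from the explicit seed and
    compare byte for byte.  Any substituted randomness (in the key or the signature) shows up."""
    n, e, d = gen_rsa_key(seed)
    return n == claimed_n and sign(msg, n, d) == claimed_sig


def tampered_gen_rsa_key(seed: bytes):
    """Simulated misbehaving implementation: silently ignores the user's random input.
    Constructed for the demo; stands in for any binary choosing its own randomness."""
    return gen_rsa_key(os.urandom(32))


if __name__ == "__main__":
    n, e, d = gen_rsa_key(SEED)
    sig = sign(MESSAGE, n, d)
    print("honest output passes cross-check:", cross_check(SEED, MESSAGE, n, sig))
    tn, te, td = tampered_gen_rsa_key(SEED)
    print("tampered output passes cross-check:", cross_check(SEED, MESSAGE, tn, sign(MESSAGE, tn, td)))
```

The check only proves that the suspect binary used the randomness it was given; a compromised binary can still leak the key through some other channel, which is the residual risk the post concedes when it says the attacker merely has to compromise more systems.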