[Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Aug 18 13:13:55 CEST 2016


Werner Koch <wk at gnupg.org> writes:

>Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology
>found a bug in the mixing functions of Libgcrypt's random number generator:
>An attacker who obtains 4640 bits from the RNG can trivially predict the next
>160 bits of output.  This bug has existed since 1998 in all GnuPG and Libgcrypt
>versions.

Are any more details on what the problem is available?  This predates my
Usenix Security paper that looked at various PRNGs, and the Kelsey, Schneier,
Wagner and Hall PRNG paper didn't look at GPG either.  Others looked mostly at
one specific generator, often /dev/random, but also the Windows and OpenSSL
ones.

(OK, I'm downloading an older source archive now, let's see if I can find the
flaw before Werner posts a reply :-).

Peter.


More information about the Gnupg-users mailing list