Robert J. Hansen
rjh at sixdemonbag.org
Sun Jan 23 02:47:41 CET 2022
> Are there known, documented security deficiencies in it?
The CSPRNG is almost certainly broken.
PGP 2.6.3 was a DOS program, which meant it could easily get direct
access to hardware. That meant it could use the uncertainty of the
physical world as a key factor in the CSPRNG.
But ever since August 2001 and the release of Windows XP, DOS programs
no longer get direct access to hardware. Everything is abstracted away
through the Windows Hardware Abstraction Layer (HAL) or other similar
The core assumption of the PGP 2.6.3 CSPRNG ("we can use direct access
to hardware to sample entropy from the physical world") no longer holds
and hasn't been valid for more than twenty years.
More information about the Gnupg-users