Robert J. Hansen rjh at
Sun Jan 23 21:23:51 CET 2022

> When generating the key-pair with Re: pgp263iamulti06, the
> "randomness" is obtained by user's keyboard input. Is it
> then that the above applies only when the session key is
> generated?

No, the whole CSPRNG is (probably) compromised.  PGP 2.6.3 used keyboard 
interrupts harvested directly from the hardware to get a collection of 
random bits which it then fed into the CSPRNG to be expanded out into a 
large quantity of randomish bits.  It's just that when generating a new 
certificate it always replenished the CSPRNG's entropy -- when 
generating traffic it didn't, but the CSPRNG was still dependent on the 
randomness collected earlier.

On Windows, you no longer have this direct access to hardware and 
there's almost certainly some determinism introduced by the HAL.

> the command-line build tools were still available). So is
> the same (i.e., a problematic source of randomness when
> generating the session key) likely to be the case
> compiling/running 2.6.3iamulti06 under Linux today?

I wouldn't say "almost definitely" the way I do for DOS, but I'd still 
say I'd find it a disturbing possibility I'd want to investigate and 
rule out before I used PGP 2.6.3 in a UNIX environment.
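
The following is an added example, not code from PGP 2.6.3 or from the poster: a constructed Python model of the seeding scheme described above (a pool filled from inter-keystroke delays, then expanded into session keys without being replenished). It assumes a SHA-256 hash as the pool and a hash-counter stream as the expander, which is illustrative rather than PGP's actual generator, and it assumes a coarse platform timer tick of 55 ms purely to show what happens when the harvester no longer sees raw hardware timing. The point it makes is that once the observed delays are quantized, the reachable seed space collapses from tens of bits to a few thousand candidates, so an attacker who learns any one session key (for example from a message they were a legitimate recipient of) can brute-force the pool and predict every other key drawn from it.

```python
import hashlib
import itertools
import math

# Constructed model (added example, not PGP's code): a pool seeded from
# inter-keystroke delays, then expanded into session keys without reseeding.

def pool_from_quantized(quantized_deltas):
    """Hash the delay values the harvester actually observed into a seed."""
    h = hashlib.sha256()
    for q in quantized_deltas:
        h.update(int(q).to_bytes(4, "little"))
    return h.digest()

def harvest(deltas_us, tick_us):
    """Read each inter-keystroke delay (microseconds) through a timer of
    resolution tick_us; the pool only sees the quantized values."""
    return pool_from_quantized(d // tick_us for d in deltas_us)

def expand(seed, n_bytes):
    """Deterministic hash-counter expansion standing in for the CSPRNG that
    stretches the harvested bits (illustrative, not PGP 2.6.3's generator)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n_bytes]

def session_key(seed, index):
    """The index-th 16-byte session key drawn from a pool that was seeded at
    key generation and never replenished while generating traffic."""
    return expand(seed, 16 * (index + 1))[16 * index:]

def search_space_bits(n_keystrokes, min_us, max_us, tick_us):
    """log2 of the number of distinct seeds reachable when each delay lies in
    [min_us, max_us] and is observed at tick_us resolution."""
    values_per_delay = max_us // tick_us - min_us // tick_us + 1
    return n_keystrokes * math.log2(values_per_delay)

def recover_seed(known_key, known_index, n_keystrokes, q_min, q_max):
    """Attacker with one observed session key enumerates every quantized
    delay tuple until a candidate pool reproduces that key."""
    for qs in itertools.product(range(q_min, q_max + 1), repeat=n_keystrokes):
        cand = pool_from_quantized(qs)
        if session_key(cand, known_index) == known_key:
            return cand
    return None

# Constructed sample input: four inter-keystroke delays in microseconds.
DELTAS_US = [120_000, 87_500, 301_200, 64_300]
DELAY_MIN_US, DELAY_MAX_US = 50_000, 400_000
FINE_TICK_US = 1          # timer read straight from hardware
COARSE_TICK_US = 55_000   # assumed coarse platform tick (illustrative value)

def demo():
    seed = harvest(DELTAS_US, COARSE_TICK_US)
    observed = session_key(seed, 0)           # the one key the attacker learned
    recovered = recover_seed(observed, 0, len(DELTAS_US),
                             DELAY_MIN_US // COARSE_TICK_US,
                             DELAY_MAX_US // COARSE_TICK_US)
    predicted_next = session_key(recovered, 1) if recovered else None
    return {
        "fine_bits": search_space_bits(len(DELTAS_US), DELAY_MIN_US,
                                       DELAY_MAX_US, FINE_TICK_US),
        "coarse_bits": search_space_bits(len(DELTAS_US), DELAY_MIN_US,
                                         DELAY_MAX_US, COARSE_TICK_US),
        "recovered": recovered == seed,
        "next_key_predicted": predicted_next == session_key(seed, 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the raw microsecond timer the four delays give roughly 73 bits of seed space; with the assumed 55 ms tick they give 12 bits (8 values per delay, 4096 candidates), and the brute force recovers the seed and the next session key in well under a second. The model also shows why replenishing the pool at certificate generation does not help traffic keys: every key is a function of the one seed that was fixed at that moment.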

More information about the Gnupg-users mailing list