Jacob Bachmeyer jcb62281 at
Mon Jan 24 04:38:44 CET 2022

Robert J. Hansen via Gnupg-users wrote:
>> When generating the key-pair with Re: pgp263iamulti06, the
>> "randomness" is obtained by user's keyboard input. Is it
>> then that the above applies only when the session key is
>> generated?
> No, the whole CSPRNG is (probably) compromised.  PGP 2.6.3 used 
> keyboard interrupts harvested directly from the hardware to get a 
> collection of random bits which it then fed into the CSPRNG to be 
> expanded out into a large quantity of randomish bits.  It's just that 
> when generating a new certificate it always replenished the CSPRNG's 
> entropy -- when generating traffic it didn't, but the CSPRNG was still 
> dependent on the randomness collected earlier.
> On Windows, you no longer have this direct access to hardware and 
> there's almost certainly some determinism introduced by the HAL.

I remember using a Windows-95-native PGP years ago that also used 
keyboard and mouse events to acquire entropy; presumably, there was not 
that much determinism, or every PGP key generated on Windows is likely 
to be weak.

>> the command-line build tools were still available). So is
>> the same (i.e., a problematic source of randomness when
>> generating the session key) likely to be the case
>> compiling/running 2.6.3iamulti06 under Linux today?
> I wouldn't say "almost definitely" the way I do for DOS, but I'd still 
> say I'd find it a disturbing possibility I'd want to investigate and 
> rule out before I used PGP 2.6.3 in a UNIX environment.

If it reads /dev/random, you are fine; the Linux kernel collects very 
good entropy and GPG uses (and has always used) that source.  If it does 
something else, you probably have a problem, possibly a "Debian OpenSSL" 

-- Jacob

More information about the Gnupg-users mailing list