jcb62281 at gmail.com
Mon Jan 24 04:38:44 CET 2022
Robert J. Hansen via Gnupg-users wrote:
>> When generating the key-pair with Re: pgp263iamulti06, the
>> "randomness" is obtained by user's keyboard input. Is it
>> then that the above applies only when the session key is
> No, the whole CSPRNG is (probably) compromised. PGP 2.6.3 used
> keyboard interrupts harvested directly from the hardware to get a
> collection of random bits which it then fed into the CSPRNG to be
> expanded out into a large quantity of randomish bits. It's just that
> when generating a new certificate it always replenished the CSPRNG's
> entropy -- when generating traffic it didn't, but the CSPRNG was still
> dependent on the randomness collected earlier.
> On Windows, you no longer have this direct access to hardware and
> there's almost certainly some determinism introduced by the HAL.
I remember using a Windows-95-native PGP years ago that also used
keyboard and mouse events to acquire entropy; presumably, there was not
that much determinism, or every PGP key generated on Windows is likely
to be weak.
>> the command-line build tools were still available). So is
>> the same (i.e., a problematic source of randomness when
>> generating the session key) likely to be the case
>> compiling/running 2.6.3iamulti06 under Linux today?
> I wouldn't say "almost definitely" the way I do for DOS, but I'd still
> say I'd find it a disturbing possibility I'd want to investigate and
> rule out before I used PGP 2.6.3 in a UNIX environment.
If it reads /dev/random, you are fine; the Linux kernel collects very
good entropy and GPG uses (and has always used) that source. If it does
something else, you probably have a problem, possibly a "Debian OpenSSL"
More information about the Gnupg-users