-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Since nobody has answered my mail (see below), I have decided to treat this possible security issue seriously and not to use /dev/random anymore in the future gnupg releases.
Port Notes: - ----- version 1.4.9-2 ----- * gnupg does not use /dev/random anymore but the builtin entropy gatherer for W32 (rndw32.c). Possible security issue, see: http://en.wikipedia.org/w/index.php?title=CryptGenRandom&oldid=190115987 Package location: ================= wget \ http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2-src.tar.bz2 \ http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2.tar.bz2 Signatures: =========== wget \ http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2-src.tar.bz2.sig \ http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2.tar.bz2.sig; \ gpg --keyserver subkeys.pgp.net --recv-keys FD65117B 1CE0C630; \ gpg --verify gnupg-1.4.9-2-src.tar.bz2.sig; \ gpg --verify gnupg-1.4.9-2.tar.bz2.sig Build: ====== mkdir gnupg-1.4.9-2-build; \ cd gnupg-1.4.9-2-build; \ tar xjvf ../gnupg-1.4.9-2-src.tar.bz2; \ cygport gnupg-1.4.9-2 all Cheers Gergely Budai > -----Original Message----- > From: cygwin-apps > On Behalf Of Gergely Budai > Sent: Freitag, 28. März 2008 17:51 > To: cygwin-apps > Subject: gnupg and /dev/random > > > Dear Community! > > It appears to me that gnupg has always been using /dev/random > on cygwin since it's first release (1.0.7-1). AFAIK cygwin is using > CryptGenRandom() for this device. According to Wikipedia, > several "significant weaknesses" had been found recently in > the Windows > 2000 and XP implementation of that function. According to > that same Wikipedia article, Microsoft is planning to fix > that bug with > the release of SP3 for XP, but not planning (at least did not > tell to do so) to fix it for Windows 2000. > > Since the presence of a strong cryptographical random > function is the prerequisite of cryptography and some of us > are sill going to > use Cygwin on Windows 2000 in the future, my question is the > following: > Would not it be better to configure the future gnupg cygwin > releases not to use /dev/random, but the builtin and specially for > windows developped randomness entropy gatherer (rndw32.c)? > > Looking forward to your kind oppinions, > Gergely Budai > > Sources: > http://en.wikipedia.org/wiki/CryptGenRandom -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) iEYEARECAAYFAkf1DPwACgkQ15iwsP1lEXveWwCfdP6tjFvXDm58C+yQWpmmgcAf KK4An1Zy+UrnbigkIUeusKkYa1ktUdxk =G9Zb -----END PGP SIGNATURE-----