Robert J. Hansen via Gnupg-users wrote:
>> When generating the key-pair with Re: pgp263iamulti06, the
>> "randomness" is obtained by user's keyboard input. Is it
>> then that the above applies only when the session key is
>> generated?
> No, the whole CSPRNG is (probably) compromised. PGP 2.6.3 used
> keyboard interrupts harvested directly from the hardware to get a
> collection of random bits which it then fed into the CSPRNG to be
> expanded out into a large quantity of randomish bits. It's just that
> when generating a new certificate it always replenished the CSPRNG's
> entropy -- when generating traffic it didn't, but the CSPRNG was still
> dependent on the randomness collected earlier.
> On Windows, you no longer have this direct access to hardware and
> there's almost certainly some determinism introduced by the HAL.
I remember using a Windows-95-native PGP years ago that also used
keyboard and mouse events to acquire entropy; presumably, there was not
that much determinism, or every PGP key generated on Windows is likely
to be weak.
>> the command-line build tools were still available). So is
>> the same (i.e., a problematic source of randomness when
>> generating the session key) likely to be the case
>> compiling/running 2.6.3iamulti06 under Linux today?
> I wouldn't say "almost definitely" the way I do for DOS, but I'd still
> say I'd find it a disturbing possibility I'd want to investigate and
> rule out before I used PGP 2.6.3 in a UNIX environment.
If it reads /dev/random, you are fine; the Linux kernel collects very
good entropy and GPG uses (and has always used) that source. If it does
something else, you probably have a problem, possibly a "Debian OpenSSL"
problem...
-- Jacob
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
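The check the thread leaves to the reader ("if it reads /dev/random, you are fine") can be done with a system-call trace rather than by reading the source. The script below is an added example, not code from the thread, from PGP 2.6.3 or from GnuPG: it classifies an strace log by the first kernel entropy source the traced program actually reached. The strace invocation, the `./pgp -kg` command, the `randseed.bin` path and all three trace files are assumptions or constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread, from PGP or from GnuPG.
# Question from the thread: does a given binary actually read kernel
# entropy (/dev/random, /dev/urandom or getrandom(2)) when generating a key?
# Assumed capture step (the strace flags and "./pgp -kg" are assumptions):
#   strace -f -e trace=open,openat,getrandom -o keygen.trace ./pgp -kg
# Then classify the resulting trace with the function below.

classify_entropy() {
    # $1: path to an strace output file.
    # Prints the first kernel entropy source the program used successfully,
    # or "none" if it never reached one (userland-only or failed attempts).
    trace="$1"

    # getrandom(2) returns the number of bytes filled, so a successful
    # call shows "= <n>" with a non-negative n.
    if grep -Eq 'getrandom\(.*\) = [0-9]+' "$trace"; then
        echo "getrandom"
        return 0
    fi

    for dev in /dev/random /dev/urandom; do
        # Count only opens that succeeded: the return value is a file
        # descriptor, not "-1 ENOENT ...".
        if grep -Eq "open(at)?\([^)]*\"$dev\"[^=]*= [0-9]+" "$trace"; then
            echo "$dev"
            return 0
        fi
    done

    echo "none"
    return 0
}

# Constructed sample traces (made up for this example, not captured output).
# A program that opened /dev/random successfully:
cat > good.trace <<'EOF'
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/dev/random", O_RDONLY) = 4
4242  +++ exited with 0 +++
EOF

# A program that only read its own seed file; the /dev/random open failed
# (the seed-file path is a constructed example):
cat > bad.trace <<'EOF'
4243  openat(AT_FDCWD, "/home/alice/.pgp/randseed.bin", O_RDONLY) = 3
4243  openat(AT_FDCWD, "/dev/random", O_RDONLY) = -1 ENOENT (No such file or directory)
4243  +++ exited with 0 +++
EOF

# A modern program using the syscall directly:
cat > modern.trace <<'EOF'
4244  getrandom("\x8a\x1f\x03\x77", 32, GRND_NONBLOCK) = 32
4244  +++ exited with 0 +++
EOF

for t in good.trace bad.trace modern.trace; do
    printf '%s: %s\n' "$t" "$(classify_entropy "$t")"
done
```

A trace that shows /dev/random or /dev/urandom being opened rules out the worst case (no kernel entropy at all), but not a "Debian OpenSSL"-style bug, where the bytes are read and then never mixed into the generator's pool; ruling that out still requires reading the generator's source.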