insecure random number generator

Lars Hecking lhecking@nmrc.ucc.ie
Wed, 17 May 2000 16:29:20 +0100


 I have now recompiled gpg 1.0.1e on Solaris to use Andreas Meier's
 random device (cf. recent thread on -devel ;)

 Now, when trying to encrypt a file, it tells me

Enter the user ID: lhecking
gpg: skipped: public key already set with --encrypt-to
gpg: WARNING: using insecure random number generator!! <--
The random number generator is only a kludge to let    <--
it run - it is in no way a strong RNG!                 <--

DON'T USE ANY DATA GENERATED BY THIS PROGRAM!!

 Is there a real problem, or is this just a platform-specific precaution
 as Solaris generally has no random device?

 I am pretty certain that this binary of gpg knows about /dev/random,
 whereas the previous version doesn't:

$ strings gpg | grep '/dev/[ur]'
/dev/random
/dev/urandom
$ strings /usr/local/bin/gpg | grep '/dev/[ur]'
$