gnupg for windows
Carlos Colombo
CarlosC@tyssa.com.ar
Fri, 19 May 2000 19:03:54 -0300
First of all, I would like to thank L. Sassaman and Sam Simpson for their
answer to my previous question [DSA vs RSA]. I've read the article
http://www.scramdisk.clara.net/pgpfaq.html and I highly recommend it.
Now, I have questions about the security and the usability of gnupg under
x86 with Win95/98, WinNT and Win2000.
I have read the following and I understand I should get gpg 1.0.2:
>[...]
>Yes it will [run]. However, the current versions have some problems with the
>random generator. We still have to check out why.
>
>gpg 1.0.2 will run on W2000
>[...]
Also, as I am using gpg 1.0.1, I took a look at the README.W32 file.
It says :
>This is an alpha release of GnuPG for MS-Windows and WNT.
>The random number generator should now work but has not undergone
>a thorough testing, so we won't say anything about the quality of
>the generated key [...]
I know now (thanks to Sam's recommended article) that a good random source is
completely critical in the DSS signature process.
>Need for "good" randomness. The random value "k" in DH/DSS needs to be both
>unique & unpredictable. If an adversary either obtains 2 messages encrypted
>with the same "k" or recovers "k" then they can obtain the private key
>[Sch96a] - this is a really catastrophic failure.
My conclusion is that gpg for windows does not fit my requirements, as the
forgery of electronically signed messages could have serious [legal]
consequences.
Therefore I am considering other options for the windows workstations.
I may be losing some points in my analysis. I am new to this subject and
I'll appreciate recommendations...
One option is buying PGP from Computer Associates. Price should not be a
problem. (I haven't contacted them yet...-:)
--Hey it's Friday night... I'm running out of here!
Please tell me what you think, all comments are welcome.
Carlos Colombo
+54 (11) 43201485
Buenos Aires, Argentina
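
The FAQ passage quoted in the message above, worked through as an added example (not part of the original post and not GnuPG's code): textbook DSA over a small constructed group, showing that two signatures made with the same "k" share the same r, and that the two signing equations then solve for the private key. The group, key, messages and k values are all constructed for the demonstration.

```python
import hashlib
from itertools import count
from math import gcd

Q = 2**127 - 1  # prime subgroup order (toy size, constructed for this demo)

def make_group(q):
    """Find a prime p = 2jq + 1 and an element g of order q.

    Pocklington's test with base 2 proves p prime, since q > sqrt(p).
    """
    for j in count(1):
        p = 2 * j * q + 1
        g = pow(2, 2 * j, p)                  # 2^((p-1)/q) mod p
        if pow(g, q, p) == 1 and gcd(g - 1, p) == 1:
            return p, g

P, G = make_group(Q)

def h(msg):
    """Message hash reduced into the range of q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(msg, x, k):
    """Textbook DSA signature; k is passed in to model the RNG's output."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return r, s

def shared_k(sig_a, sig_b):
    """Audit check: equal r under one key means k was repeated."""
    return sig_a[0] == sig_b[0]

def key_from_shared_k(m1, sig1, m2, sig2):
    """Solve s = k^-1 (h + x r) mod q for k, then for the private key x."""
    (r, s1), (_, s2) = sig1, sig2
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r, -1, Q) % Q

X = 0x1234567890ABCDEF1234567890ABCDEF          # constructed private key
M1, M2 = b"pay 10 to alice", b"pay 99 to bob"   # constructed messages
BAD = (sign(M1, X, 424242), sign(M2, X, 424242))   # RNG repeated k
GOOD = (sign(M1, X, 424242), sign(M2, X, 424243))  # fresh k each time
```

Comparing r values across signatures issued under one key is a cheap audit for a misbehaving random generator; it only catches exact repeats, not a k that is merely predictable.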