GnuPG is secure on what platforms?
Gordon Worley
redbird@rbisland.cx
Fri Aug 10 14:03:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 10:49 AM +0200 8/8/01, pplf wrote:
>What are the platforms in which the GnuPG source-code is really secure
>out-of-the-box (in terms of PRNG) ?

Not exactly related, but some of you may find it interesting what ent
has to say about random_seed:

localhost% ent random_seed
Entropy = 7.704649 bits per byte.
Optimum compression would reduce the size
of this 600 byte file by 3 percent.
Chi square distribution for 600 samples is 214.93, and randomly
would exceed this value 95.00 percent of the times.
Arithmetic mean value of data bytes is 134.2000 (127.5 = random).
Monte Carlo value for Pi is 3.080000000 (error 1.96 percent).
Serial correlation coefficient is 0.000742 (totally uncorrelated = 0.0).

localhost% ent -b random_seed
Entropy = 0.999503 bits per bit.
Optimum compression would reduce the size
of this 4800 bit file by 0 percent.
Chi square distribution for 4800 samples is 3.31, and randomly
would exceed this value 10.00 percent of the times.
Arithmetic mean value of data bits is 0.5131 (0.5 = random).
Monte Carlo value for Pi is 3.080000000 (error 1.96 percent).
Serial correlation coefficient is -0.005693 (totally uncorrelated = 0.0).

I'm not sure just how it's used, so I included it both ways. I think
this makes it pretty clear that no-random-seed-file is probably a
good thing to have in .gnupg/options unless your machine can't
collect entropy for anything.

Also, last time I checked the entropy on Darwin it looked fine, but I
did it myself using my own statistics software. Now that I've got
ent installed I want to try with it, but I can't remember for
anything how I got access to the entropy pool of egd. Any ideas
(this would also help anyone on Unix test, so speak up if you know)?
I tried this:

localhost% egd.pl --debug-pool /tmp/entropy

which is supposed to print the pool, but the data it gives back is
horrible and it's obvious that no entropy gathering has gone
on because there isn't the usual delay of waiting for entropy to be
collected, sort of like when I run GnuPG to generate keys and it
sucks egd dry and has to gather more.
- --
Gordon Worley                     `When I use a word,' Humpty Dumpty
http://www.rbisland.cx/            said, `it means just what I choose
redbird@rbisland.cx                it to mean--neither more nor less.'
PGP:  0xBBD3B003                                     --Lewis Carroll
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: keyserver http://pgpkeys.mit.edu:11371
iQA/AwUBO3PNDm7zd/e707ADEQKf1ACfcEgCAL0LfvSY346jnkrap3MqmZQAoN8M
jrtfmEK59kwROU8aLsinY99J
=fg0y
-----END PGP SIGNATURE-----
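
Added example (not part of the original message): the byte-mode entropy, chi-square and mean figures that ent reports, recomputed in Python over uniform pseudo-random input at two sample sizes. A 600-byte sample cannot cover 256 byte values evenly, so the measured entropy stays below 8 bits per byte even for uniform input. The function names, the seed and the use of Python's random module as the uniform source are assumptions of this example.

```python
import math
import random
from collections import Counter


def byte_stats(data: bytes) -> dict:
    """Shannon entropy (bits/byte), chi-square against uniform, arithmetic mean."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256  # expected count per byte value if uniform
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return {"entropy": entropy, "chi2": chi2, "mean": sum(data) / n}


def baseline(n: int, trials: int = 200, seed: int = 1) -> dict:
    """Spread of the entropy figure over `trials` uniform samples of n bytes.

    random.Random is a statistical stand-in for a uniform source here
    (constructed input); it is not a cryptographic generator.
    """
    rng = random.Random(seed)
    ent = [
        byte_stats(bytes(rng.getrandbits(8) for _ in range(n)))["entropy"]
        for _ in range(trials)
    ]
    return {"min": min(ent), "mean": sum(ent) / trials, "max": max(ent)}


if __name__ == "__main__":
    for size, trials in ((600, 200), (65536, 5)):
        b = baseline(size, trials)
        print(f"{size:6d} bytes: entropy min={b['min']:.4f} "
              f"mean={b['mean']:.4f} max={b['max']:.4f} bits/byte")
```

Comparing a measured file against the baseline for its own length separates sample-size effects from properties of the source.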