key generation: paranoia mode - explicit random input

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Mar 1 09:40:56 CET 2014


On 02/28/2014 02:58 PM, Hauke Laging wrote:
> a) Maybe I was not clear enough about that but I do not suggest this as 
> a "Set the flag once (and do the other stuff) and after that you are 
> safe forever" feature. This feature would have to be used for every 
> encryption, too. (I guess it would be easily possible with RSA 
> signatures today i.e. without changes to GnuPG.)
> 
> Thus your "when you're not using that flag" point is never reached.

Asking the end users to routinely choose a novel high-entropy seed for
randomness *without* relying on OS-level features like /dev/random or
/dev/urandom seems even worse than the case you're trying to defend against.

It reduces the problem of breaking the encryption to that of figuring
out what data was used as the seed for randomness.  How do you prevent
users from choosing the same seed multiple times?  How is the user
supposed to come up with this entropy?  In practice, I think this won't
happen reliably, and users will be exposed to all the usual attacks
possible against broken RNGs if they try to use this proposed feature.

	-dkg
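The two failure modes named in the reply above (an attacker only has to guess the seed, and a seed chosen twice produces the same randomness twice) as an added, runnable illustration. This is not code from the thread or from GnuPG; the "seeded generator" is a hypothetical HMAC-SHA256 counter stream standing in for a PRNG fed with user-supplied input, SEED_GUESSES is a constructed guess list, and the messages are constructed sample inputs.

```python
# Added example (not GnuPG code): what goes wrong when the entropy for
# key and keystream generation comes from a user-chosen seed instead of
# the OS RNG. seeded_stream() is a hypothetical stand-in for "explicit
# random input" feeding a deterministic PRNG; SEED_GUESSES is a
# constructed guess list, not real data.
import hashlib
import hmac
import os
from typing import Iterable, Optional

KEY_BYTES = 32


def seeded_stream(seed: str, n: int) -> bytes:
    """Deterministic byte stream derived only from the user's seed.

    Hypothetical stand-in for a PRNG seeded with user input:
    HMAC-SHA256(seed, counter) blocks, concatenated. Same seed, same bytes.
    """
    out = bytearray()
    counter = 0
    key = seed.encode("utf-8")
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def derive_key_from_seed(seed: str) -> bytes:
    """Key material produced by the seeded generator (fully determined by seed)."""
    return seeded_stream(seed, KEY_BYTES)


def derive_key_from_os_rng() -> bytes:
    """Key material from the OS CSPRNG (/dev/urandom or its equivalent)."""
    return os.urandom(KEY_BYTES)


def recover_seed(target_key: bytes, seed_guesses: Iterable[str]) -> Optional[str]:
    """Attacker's view: breaking the key is now a guess-the-seed problem.

    Returns the guess that reproduces target_key, or None. Against a key
    drawn from the OS RNG there is nothing for this search to find.
    """
    for guess in seed_guesses:
        if hmac.compare_digest(derive_key_from_seed(guess), target_key):
            return guess
    return None


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_seeded_keystream(seed: str, plaintext: bytes) -> bytes:
    """Stream-encrypt with a keystream the seeded generator produces.

    Models the proposal's "use the seed for every encryption": if the
    user supplies the same seed twice, the keystream repeats.
    """
    return xor_bytes(plaintext, seeded_stream(seed, len(plaintext)))


def leak_from_seed_reuse(seed: str, m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper learns when two messages share a seed: m1 XOR m2.

    The two keystreams cancel, so the ciphertext XOR equals the plaintext
    XOR, with no key needed. Constructed inputs; hypothetical demonstration.
    """
    c1 = encrypt_with_seeded_keystream(seed, m1)
    c2 = encrypt_with_seeded_keystream(seed, m2)
    return xor_bytes(c1, c2)


# Constructed guess list standing in for an attacker's dictionary of
# "things users type when asked to supply randomness".
SEED_GUESSES = ["password", "correct horse battery staple", "hunter2", "12345678"]

if __name__ == "__main__":
    user_key = derive_key_from_seed("hunter2")
    print("seed recovered from user-seeded key:", recover_seed(user_key, SEED_GUESSES))
    print("seed recovered from OS-RNG key:", recover_seed(derive_key_from_os_rng(), SEED_GUESSES))
    m1, m2 = b"attack at dawn", b"retreat at six"
    print("reuse leak equals m1 XOR m2:", leak_from_seed_reuse("hunter2", m1, m2) == xor_bytes(m1, m2))
```

The guess list is tiny here, but the structure of the attack is the point: with a user-chosen seed the key space collapses to the seed space, which is whatever humans type, whereas a key from /dev/urandom gives the same search nothing to enumerate.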




