RNG requirements

Jakob Bohm jb-gnumlists at wisemo.com
Fri Mar 7 02:36:33 CET 2025


Dear Mr. Bachmeyer,

First, notice that Mr. Schweikle explained that their issue is being forced
to use 3rd party builds of GnuPG because 3rd party software suites use those
builds to /verify/ signatures, not make them.

Secondly, at least one of those suites (GIT) happens to also use their
private build for signing stuff, so (only) for those things are still
relevant.

Thirdly, your rant would be much more helpful if you bothered to check
(and report) if the relevant ECDSA countermeasures.  This is for you
to check as you are the one claiming to know about GnuPG internals.

On 3/5/2025 05:49:42, Jacob Bachmeyer via Gnupg-users wrote:
> On 3/4/25 08:59, Thomas Schweikle via Gnupg-users wrote:
>> Am 04.03.2025 um 10:12 schrieb Werner Koch via Gnupg-users:
>> [...]
>>> Further, and more important: We have never done an analysis of such a
>>> build regarding the random number generator.
>> This shouldn't be a point here, since in all cases gpg is used to sign
>> binaries build before packaging for Windows. [...]
>
> Some signature schemes require random numbers and, if I remember 
> correctly, can *leak* *the* *private* *key* if the RNG has 
> insufficient entropy.  This is one of the more severe weaknesses in 
> Schnorr-type signatures, which include DSA.
>
> Newer implementations avoid the problem by using deterministic nonces, 
> computed using a hash of the message and private key or similar.  
> EdDSA specifies this approach and some ECDSA implementations also use 
> it.  (DSA was thoroughly obsolete due to its fixed 1024-bit key size 
> before deterministic nonces were introduced.)
>
>>> Take care not to run into something like the OpenSSL RNG problem
>>> Debian once had.
>> As long as you generate your keys only with one of them, this should not
>> matter.
>
> It would matter very much if the one you happened to pick for key 
> generation happened to be the one with the bad RNG!  (And see above 
> for the possibility of leaking private keys by using a bad RNG while 
> making a signature.)
>
> The only operation that is definitely safe is signature verification.  
> Decryption is safe against a bad RNG, but PGP message encryption needs 
> a good RNG for the session key---a weak RNG could make the session key 
> guessable and completely bypass the public key algorithm for an attacker.
>
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
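As an added illustration (not part of the original thread), the point in the quoted reply above, that a Schnorr-type signature made with a low-entropy nonce can leak the private key and that deterministic nonces remove the RNG from signing, worked in a toy DSA: the group (P, Q), the private key, the fixed "broken RNG" value and the message strings are all constructed for this example, and the nonce derivation is a simplified RFC 6979-style HMAC rather than the RFC's exact HMAC_DRBG.

```python
import hashlib
import hmac
# Toy DSA group, constructed for illustration only (hopelessly small for real use):
P, Q = 283, 47                # Q is prime and divides P - 1 = 282 = 6 * 47
G = pow(2, (P - 1) // Q, P)   # generator of the order-Q subgroup (G == 64)

def h(msg: bytes) -> int:
    """Message digest reduced into Z_Q, as DSA does by truncating the hash to len(Q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, msg: bytes, k: int) -> tuple[int, int]:
    """Raw DSA: r = (G^k mod P) mod Q, s = k^-1 (H(m) + x*r) mod Q. May return a zero component."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return r, s

def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def deterministic_nonce(x: int, msg: bytes, counter: int) -> int:
    """RFC 6979 idea, simplified: HMAC keyed with x || H(m) over a retry counter (not the RFC's exact HMAC_DRBG)."""
    key = x.to_bytes(8, "big") + h(msg).to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, counter.to_bytes(2, "big"), hashlib.sha256).digest(), "big") % Q

def sign_deterministic(x: int, msg: bytes) -> tuple[int, int]:
    """Signing that needs no RNG at all: same key + message always gives the same signature."""
    for counter in range(1, 1000):
        k = deterministic_nonce(x, msg, counter)
        r, s = sign(x, msg, k) if k else (0, 0)   # retry on a degenerate nonce
        if r and s:
            return r, s
    raise RuntimeError("no valid nonce found")   # unreachable in practice

BROKEN_RNG_NONCE = 5   # stands in for an RNG with no entropy: every call returns the same value
def sign_with_broken_rng(x: int, msg: bytes) -> tuple[int, int]:
    return sign(x, msg, BROKEN_RNG_NONCE)

def recover_private_key(m1, sig1, m2, sig2):
    """Why a repeated nonce is fatal: two signatures sharing k share r, and their s-equations are linear in (k, x) mod Q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:          # different nonces, or H(m1) == H(m2) mod Q (degenerate case)
        return None
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r1, -1, Q) % Q
```

The deterministic path is what EdDSA mandates and what RFC 6979 adds to DSA/ECDSA; the `recover_private_key` check shows the defender's view of the failure mode, namely that two signatures with the same `r` under one key are enough to expose it.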