This is the mail archive of the
mailing list for the Cygwin project.
Re: Patches for gnupg 1.0.7 / cygwin 1.3.10
- From: pgut001 at cs dot auckland dot ac dot nz (Peter Gutmann)
- To: chris dot polley at ieee dot org, quetschke at scytek dot de
- Cc: cygwin at cygwin dot com, gnupg-devel at gnupg dot org
- Date: Thu, 6 Jun 2002 20:34:30 +1200 (NZST)
- Subject: Re: Patches for gnupg 1.0.7 / cygwin 1.3.10
Chris Polley <firstname.lastname@example.org> writes:
>>I don't know how good the generated entropy is. This question goes to=20
>>the cygwin list. How generated? How good?
>It uses the MS-supplied CryptGenRandom call to generate the random bytes.
The CAPI generator is, um, of variable quality. I cover one version in
http://www.cryptoapps.com/~peter/06_random.pdf. Note that the code appears to
have changed over time, and is now considerably improved (the details will be
in the updated version of the above paper). I don't know in which versions of
Windows the improved versions appeared, or what the specific improvements over
time may have been.
(Basically, you're relying on the company which brought you ActiveX, Outlook,
Word macros, IIS, etc etc, to provide secure randomness. It's sort of odd
that you don't trust their Posix stuff (which is a matter of taste), but do
trust their randomness (which is a critical security issue) :-).
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html