If person1 has a signed and encrypted email to person 2, but which
used IDEA and MD 5, and now wants to decrypt, and re-encrypt and
sign, and send to person 2, who will then destroy the original
email, why shouldn't they be allowed to know if this is safe.
They *are* allowed. Th
On 1/29/2022 at 11:02 PM, "Robert J. Hansen" wrote:> Please
comment if this is adequate, or there is still a problem with
> Disastry's Linux Version.
Why?
I've been trying to get people to move to OpenPGP for literally a
quarter-century, Vedaal. I'm not going to suddenly switch gears
Ok, you made me actually look at pgp263iamulti06. :-)
I almost feel like I should apologize.
However, the entropy gathering seems overly optimistic:
*wince*
That's quite a bit worse than I remember. (I haven't looked at 2.6.3
source code in probably 25 years.)
So,
On 2022-01-23 at 15:23 -0500, Robert J. Hansen wrote:
> > When generating the key-pair with Re: pgp263iamulti06, the
> > "randomness" is obtained by user's keyboard input. Is it
> > then that the above applies only when the session key is
> > generated?
Would you be able to suggest the version to use in "portable" mode?
GnuPG 1.4, but I'd honestly prefer to run a bootable Linux distro.
Portable apps are a monstrous security hazard if they're used on
computers beyond your control. USB malware is a very real thing.
__
from r...@sixdemonbag.org...:
...
I wouldn't say "almost definitely" the way I do for DOS, but I'd still
say I'd find it a disturbing possibility I'd want to investigate and
rule out before I used PGP 2.6.3 in a UNIX environment.
Thank you very much for your comments.
Would you be able to s
I remember using a Windows-95-native PGP years ago that also used
keyboard and mouse events to acquire entropy; presumably, there was not
that much determinism, or every PGP key generated on Windows is likely
to be weak.
Win95 still allowed direct access to underlying hardware. In the
XP-and
Robert J. Hansen via Gnupg-users wrote:
When generating the key-pair with Re: pgp263iamulti06, the
"randomness" is obtained by user's keyboard input. Is it
then that the above applies only when the session key is
generated?
No, the whole CSPRNG is (probably) compromised.
Is this also used when generating symmetric keys? Or only used by secret
key generation? If the last is the case, then existing keys generated on
DOS (or Linux?) might be safe (apart from a possibly short key length).
Existing certificates would be unaffected, but since the CSPRNG is used
for a
On 23-01-2022 21:23, Robert J. Hansen via Gnupg-users wrote:
> No, the whole CSPRNG is (probably) compromised. PGP 2.6.3 used keyboard
> interrupts harvested directly from the hardware to get a collection of
> random bits which it then fed into the CSPRNG to be expanded out into a
> large quantit
When generating the key-pair with Re: pgp263iamulti06, the
"randomness" is obtained by user's keyboard input. Is it
then that the above applies only when the session key is
generated?
No, the whole CSPRNG is (probably) compromised. PGP 2.6.3 used keyboard
interrupts harveste
from r...@sixdemonbag.org...:
The CSPRNG is almost certainly broken.
Thank you!
When generating the key-pair with Re: pgp263iamulti06, the
"randomness" is obtained by user's keyboard input. Is it
then that the above applies only when the session key is
generated?
PGP
Are there known, documented security deficiencies in it?
The CSPRNG is almost certainly broken.
PGP 2.6.3 was a DOS program, which meant it could easily get direct
access to hardware. That meant it could use the uncertainty of the
physical world as a key factor in the CSPRNG.
But ever sinc
I know those that still use pgp263iamulti06 [*] from removable media,
without "installation".
Are there known, documented security deficiencies in it? Any better
alternative for those that need to use pgp/gpg in "portable" mode?
---
* archive file pgp263iam
14 matches
Mail list logo
