Mailing List Archive

Porting GNUPG
Hi all...

I recently ran across GNUPG in my search for a PGP replacement and was
delighted by the functionality (and cost) :)

I'm interested in porting a subset of the GNUPG program to Windoze. I can
hear the questions already..."Why in the *world* do you want to port such a
beautiful piece of software to such an ugly OS?!" :)

Basically, I need to be able to decrypt/encrypt stuff on the Windoze OS. Key
generation will take place on a secured Linux box, so the RNG (or lack
thereof in Windows) won't really be a big deal (will it!?). What I'd like to
do is keep the source modification to a minimum so that I can keep the two
versions (Linux/Windows) in synch. I know there is currently a binary
version of GNUPG for NT, but that is stamped for version 2.10 (which is a
little old). Does anyone know who built that version? I could really use the
makefiles (or VC project files) that were used. I guess I could figure it
out on my own, but it would be significantly more efficient to stand on
someone else's shoulders... :)

Thanks. :)

D.
Re: Porting GNUPG [ In reply to ]
I don't think implementing a strong RNG in Windows would be too difficult.
You can even use the built-in Microsoft Crypto API (CryptGenKey) to generate
good keys.

If you don't want to trust the Great Satan to generate the keys, however,
you can probably get enough entropy from using a combination of:

- Content of mouse and keyboard messages ("bang your keyboard with your
mouse")
- Time between messages, measured using the high-resolution multimedia
timer
- Various system parameters (OS version, CPU type, etc)
- Name of the computer
- Name of the user
- The previous MD5'd string

Combine somehow (concatenate in a string) and mix thoroughly. MD5 to
taste. I think this would yield enough entropy to make most people happy.
Run through this data at least 10 times to yield the next 8 bytes of data.

I can help on this part if you need it.

/\/\att /\/\astracci mmastrac@acs.ucalgary.ca

"Everything has already been said, but since nobody listens, one must
always start over."
-----Original Message-----
From: Dave Smith <dave@raystewart.com>
To: GNU Privacy Guard <g10@net.lut.ac.uk>
Date: Saturday, September 12, 1998 12:39 PM
Subject: Porting GNUPG


>
>Hi all...
>
>I recently ran across GNUPG in my search for a PGP replacement and was
>delighted by the functionality (and cost) :)
>
>I'm interested in porting a subset of the GNUPG program to Windoze. I can
>hear the questions already..."Why in the *world* do you want to port such a
>beautiful piece of software to such a ugly OS?!" :)
>
>Basically, I need to be able to decrypt/encrypt stuff on the Windoze OS. Key
>generation will take place on a secured Linux box, so the RNG (or lack
>thereof in Windows) won't really be a big deal (will it!?). What I'd like to
>do is keep the source modification to a minimum so that I can keep the two
>versions (Linux/Windows) in synch. I know there is currently a binary
>version of GNUPG for NT, but that is stamped for version 2.10 (which is a
>little old). Does anyone know who built that version? I could really use the
>makefiles (or VC project files) that were used. I guess I could figure it
>out on my own, but it would be significantly more efficient to stand on
>someone else's shoulders... :)
>
>Thanks. :)
>
>D.
Re: Porting GNUPG [ In reply to ]
Hi,

>What I'd like to
>do is keep the source modification to a minimum so that I can keep the two
>versions (Linux/Windows) in synch. I know there is currently a binary
>version of GNUPG for NT, but that is stamped for version 2.10 (which is a
>little old). Does anyone know who built that version?

yes, with a cross compiler, based on - of course - gcc.
Get it at http://www.d.shuttle.de/isil/cpd/mingw32-cpd.html

The URL sounds familiar, doesn't it? :-)

Regards,
Walter
--
Walter Koch Hochdahl am Neandertal
walterk@mail.dip.de ham:dg9ep@db0iz
http://home.pages.de/~dg9ep/ qrv:db0iz-9
Re: Porting GNUPG [ In reply to ]
Greetings...

I apologize if this email comes out wrapped funny. My mail client doesn't
seem to co-operate today. :)

I spent this afternoon toying around with the MINGW32 porting kit and trying
to get GNUPG to compile under it. It was..interesting. I realize that there
isn't a RNG under the Windows client, so it would seem kind of foolish to
bother porting GNUPG at all. However, I'm really only interested in using
the program for decryption and encryption. Do I understand correctly that
GNUPG does *not* use a RNG for those purposes??! More specifically, what
operations does GNUPG use the RNG for?

On a side note, assuming that all the code was capable of compiling for a
Windows install, how would I start it using MINGW32? I managed to get it to
work (kinda sorta) with the following command prompt:

./configure i386--mingw32

There didn't seem to be any clean instruction on how to jump start the
configure with MING.

I would prefer to use GNUPG on a Linux/GNU box, but my customers are all
based on the lovely Windows system. The big thing is getting the data I
generate for them to them securely. If all else fails, I could go with a
symmetric cipher (such as Blowfish) but I would prefer to use asymmetric
since it will allow me to ensure (relatively) that my competing customers
don't get the data mixed up. :)

If the only thing that's holding back the port of GNUPG to a Windows box is
the need for a RNG, I would be glad to start working on one...

Thanks. :)

D.
Re: Porting GNUPG [ In reply to ]
On Sun, 13 Sep 1998, Dave Smith wrote:
> the program for decryption and encryption. Do I understand correctly that
> GNUPG does *not* use a RNG for those purposes??! More specifically, what

I don't know exactly what GPG uses the RNG for, but ElGamal encryption and
DSS require a strong RNG as part of their definition, and their security
is heavily dependent on the strength of the RNG. The RSA cipher does not
use an RNG itself, but any standard implementation of it will use an RNG
to generate padding to protect against various known weaknesses. Any
block cipher chaining mode that needs an initialization vector should
preferably use a strongly-random initialization vector; I believe that
would apply to the Blowfish and similar ciphers included in GPG. I think
the OpenPGP format and protocols also mandate random padding in a number
of places for various security reasons. In short, trying to use GPG
without a strong random number generator is probably a bad idea, and is
certainly suicidally insecure for anything but "conventional" symmetric
encryption.

"Let me lose so beautifully / Let me lick the dew from the money tree /
Have the moms of the world all care about me / At suppertime" - Odds
Matthew Skala, Ansuz BBS, http://www.islandnet.com/~mskala/, (250) 472-3169
Re: Porting GNUPG [ In reply to ]
Isn't the method PGP uses to generate random numbers sufficiently strong
for the purposes of GnuPG too? Is there some reason that method hasn't
been implemented, except for 'tuits?

--
-------------------------------------------------------------------------------
Paul D. Smith <psmith@baynetworks.com> Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions--Bay Networks takes no responsibility for them.
Re: Porting GNUPG [ In reply to ]
Dave Smith <dave@raystewart.com> writes:

> operations does GNUPG use the RNG for?

ElGamal needs a very strong RNG. Cryptographically strong random numbers
are used in many places: as initialization vectors, for padding and
to create the session key.

> ./configure i386--mingw32

There is a section about cross-compiling in INSTALL.

./configure --target=i386--mingw32

should do it.

> I would prefer to use GNUPG on a Linux/GNU box, but my customers are all
> based on the lovely Windows system. The big thing is getting the data I
> generate for them to them securely. If all else fails, I could go with a
> symmetric cipher (such as Blowfish) but I would prefer to use asymmetric

Symmetric ciphers are more secure than asymmetric ciphers. One reason
is that you can more easily change the key.

What about adding a serial number to the key for each customer?

> If the only thing that's holding back the port of GNUPG to a Windows box is
> the need for a RNG, I would be glad to start working on one...

Please see Peter Gutmann's paper about "practically strong random
numbers"; this scheme should be used.


Werner
Re: Porting GNUPG [ In reply to ]
"Paul D. Smith" <psmith@BayNetworks.COM> writes:

> Isn't the method PGP uses to generate random numbers sufficiently strong
> for the purposes of GnuPG too? Is there some reason that method hasn't
> been implemented, except for 'tuits?

Measurement of key hit timings is not easy on a unix box and less
secure than what you can do under DOS. The Linux random number
generator is much better as a source for random numbers. In addition
to this GNUPG implements all requirements from RFC1750.


Werner
Re: Porting GNUPG [ In reply to ]
On Mon, 14 Sep 1998 09:00:43 +0200, Werner Koch wrote:
>"Paul D. Smith" <psmith@BayNetworks.COM> writes:
>
>> Isn't the method PGP uses to generate random numbers sufficiently strong
>> for the purposes of GnuPG too? Is there some reason that method hasn't
>> been implemented, except for 'tuits?
>
>Measurement of key hit timings is not easy on a unix box and less
>secure than what you can do under DOS. The Linux random number
>generator is much better as a source for random number. In addition
>to this GNUPG implements all requirements from RFC1750.

As far as I know no commercial Unix has a /dev/random. How does GPG
generate random numbers on those systems?

zw
Re: Porting GNUPG [ In reply to ]
Matthew Mastracci wrote:

> I don't think implementing a strong RNG in Windows would be too difficult.
> You can even use the built-in Microsoft Crypto API (CryptGenKey) to generate
> good keys.
>

How about implementing a strong RNG as a process running in the background.
Re: Porting GNUPG [ In reply to ]
Date: Sunday, September 13, 1998 9:26 PM
Subject: Re: Porting GNUPG


>Isn't the method PGP uses to generate random numbers sufficiently strong
>for the purposes of GnuPG too? Is there some reason that method hasn't
>been implemented, except for 'tuits?


Good point. At least one other GPL'd encryption project out there is based
loosely on the source from PGP 2.6 (if I remember correctly). That source
code is available, and since it's not a part of the RSA algo, there
shouldn't be any restrictions on it...

As for the El Gamal and DSS usage of the RNG...well, it just goes to show
the extent of my knowledge in such matters. :) But hey, I'm willing to
learn.

D.
Re: Porting GNUPG [ In reply to ]
Matthew Mastracci <mmastrac@ucalgary.ca> writes:

> - Various system parameters (OS version, CPU type, etc)
> - Name of the computer
> - Name of the user

This is static data which does not change and is easy to guess.

> - The previous MD5'd string

This does not add any entropy. You need a hardware source to add more
entropy; an interrupt can be considered as a hardware source. Don't
use the values of the keys the user hits but only the timings.

Mixing is not needed as the core random function already takes care of
that. Peter gives good examples how to collect entropy on a DOS box.


Werner
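Werner's objections to the source list Matthew proposed earlier in the thread (static data such as host and user name adds no entropy, re-hashing the previous output adds none, and only event timings deserve credit) can be made concrete with a small entropy-accounting pool. The following is an added example written for this page, not code from the thread, from GnuPG or from cryptlib. Its inputs are constructed stand-ins: a fixed set of "system parameter" strings and inter-keystroke intervals simulated with a seeded pseudo-random generator. The estimator is per-sample min-entropy over the values actually observed, and the pool refuses to emit output until its conservative estimate reaches the requested number of bits.

```python
"""Entropy accounting for a software RNG: credit only what is unpredictable."""
import hashlib
import math
import random
from collections import Counter


def min_entropy_bits(samples):
    """Per-sample min-entropy, -log2(p_max), over observed values.

    A source that always produces the same value (hostname, user name,
    OS version) has p_max == 1 and therefore contributes 0 bits.
    """
    if not samples:
        return 0.0
    p_max = max(Counter(samples).values()) / len(samples)
    return max(0.0, -math.log2(p_max))


class EntropyPool:
    """Minimal pool: a SHA-256 chaining state plus a conservative bit count."""

    def __init__(self):
        self._state = b"\x00" * 32
        self.estimated_bits = 0.0

    def add(self, data, credited_bits):
        """Mix data into the state; the caller says how many bits it is worth."""
        self._state = hashlib.sha256(self._state + data).digest()
        self.estimated_bits += credited_bits

    def extract(self, nbytes, need_bits):
        """Emit output only once the estimate covers the requested strength."""
        if self.estimated_bits < need_bits:
            raise RuntimeError("pool holds %.1f bits, %d needed"
                               % (self.estimated_bits, need_bits))
        out, counter = b"", 0
        while len(out) < nbytes:
            out += hashlib.sha256(b"out" + self._state
                                  + counter.to_bytes(4, "big")).digest()
            counter += 1
        # Advance the state so the same bytes are never handed out twice.
        # This is a function of existing state, so it is credited 0 bits.
        self.add(b"extracted", 0.0)
        return out[:nbytes]


# Constructed stand-ins for the "static" sources in Matthew's list.
STATIC_SOURCES = [b"Windows NT 4.0", b"i586", b"WORKSTATION1", b"dave"]


def simulate_keystroke_intervals(count=64, seed=1998):
    """Constructed inter-keystroke intervals in microseconds (simulated jitter)."""
    rng = random.Random(seed)
    return [120000 + rng.randint(-30000, 30000) for _ in range(count)]


def demo():
    pool = EntropyPool()
    refused_when_empty = False
    try:
        pool.extract(16, need_bits=128)
    except RuntimeError:
        refused_when_empty = True

    # Static data: observing it repeatedly yields one value, so 0 bits.
    static_bits = min_entropy_bits([tuple(STATIC_SOURCES)] * 64)
    for item in STATIC_SOURCES:
        pool.add(item, static_bits)

    # Timings: only the low-order byte of each interval is credited, and
    # only at the min-entropy rate actually observed across the samples.
    intervals = simulate_keystroke_intervals()
    timing_bits = min_entropy_bits([t & 0xFF for t in intervals])
    for t in intervals:
        pool.add(t.to_bytes(4, "big"), timing_bits)

    # Feeding the previous output back in ("the previous MD5'd string")
    # changes the state but adds nothing an attacker did not already know.
    before = pool.estimated_bits
    previous_output = pool.extract(16, need_bits=128)
    pool.add(previous_output, 0.0)
    after = pool.estimated_bits

    return {
        "refused_when_empty": refused_when_empty,
        "static_bits_per_sample": static_bits,
        "timing_bits_per_sample": timing_bits,
        "credited_before_feedback": before,
        "credited_after_feedback": after,
        "output_len": len(previous_output),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %s" % (name, value))
```

The estimator is deliberately pessimistic: it credits a timing sample with no more than the min-entropy seen across the whole batch, and a pool that has only absorbed static strings stays at zero credit and keeps refusing to produce output, which is the behaviour GnuPG's "(INSECURE)" marking is standing in for on systems without a real source.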
Re: Porting GNUPG [ In reply to ]
Zack Weinberg <zack@rabi.columbia.edu> writes:

> As far as I know no commercial Unix has a /dev/random. How does GPG
> generate random numbers on those systems?

Not yet. There is only a faked random source and all keys are marked
with (INSECURE) and you will notice very loud warnings.

Again, have a look into Peter Gutmann's paper or browse through
cryptlib (misc/rndunix.c).


Werner
Re: Porting GNUPG [ In reply to ]
%% Werner Koch <wk@isil.d.shuttle.de> writes:

wk> "Paul D. Smith" <psmith@BayNetworks.COM> writes:
>> Isn't the method PGP uses to generate random numbers sufficiently
>> strong for the purposes of GnuPG too? Is there some reason that
>> method hasn't been implemented, except for 'tuits?

wk> Measurement of key hit timings is not easy on a unix box and less
wk> secure than what you can do under DOS. The Linux random number
wk> generator is much better as a source for random number.

Certainly if your box contains a good system RNG that's ideal, but I
don't think we should restrict GnuPG to working only on such systems :)

wk> In addition to this GNUPG implements all requirements from
wk> RFC1750.

Not sure what this means? What does RFC1750 require? I suppose I can
go look it up myself... :)

--
-------------------------------------------------------------------------------
Paul D. Smith <psmith@baynetworks.com> Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions--Bay Networks takes no responsibility for them.
Re: Porting GNUPG [ In reply to ]
On Sun, 13 Sep 1998, Matthew Skala wrote:

> to generate padding to protect against various known weaknesses. Any
> block cipher chaining mode that needs an initialization vector should
> preferably use a strongly-random initialization vector; I believe that

That's wrong ;-) An IV doesn't need to be a strongly random sequence.
In CBC mode the IV should be unique; in some other block chaining modes the
IV must be unique. An IV doesn't need to be secret.
A timestamp or a serial number is a perfect IV.


cu
Michael
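Michael's point that a CBC IV has to be unique rather than secret can be shown in a few lines. The following is an added example, not code from the thread or from GnuPG: it uses a constructed 8-byte Feistel permutation keyed through SHA-256 as a stand-in for a real block cipher such as Blowfish, so only the structure is meaningful, not the cipher. Encrypting two messages that share their first block under the same key and the same IV yields identical first ciphertext blocks, so anyone who sees both ciphertexts learns that the messages begin alike; with a serial-number IV that differs per message, the first blocks differ. One caveat beyond the post: for CBC specifically, current guidance (NIST SP 800-38A) requires the IV to be unpredictable as well as unique, and this example exercises only the uniqueness property.

```python
"""CBC IV uniqueness: a reused IV reveals which messages share a prefix."""
import hashlib

BLOCK = 8  # toy cipher block size in bytes
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Keyed round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt_block(key, block):
    """4-round Feistel permutation; a constructed stand-in, not a real cipher."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """Textbook CBC: each plaintext block is XORed with the previous ciphertext."""
    if len(plaintext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("plaintext must be block-aligned and the IV one block")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


def serial_iv(serial):
    """Serial-number IV as Michael suggests: unique per message, not secret."""
    return serial.to_bytes(BLOCK, "big")


def first_block_matches(key, iv_a, iv_b, msg_a, msg_b):
    """True when an observer of both ciphertexts can tell the messages start alike."""
    ct_a = cbc_encrypt(key, iv_a, msg_a)
    ct_b = cbc_encrypt(key, iv_b, msg_b)
    return ct_a[:BLOCK] == ct_b[:BLOCK]


# Constructed key and messages: both messages share the first 8-byte block.
KEY = b"constructed-demo-key"
MSG_A = b"CUSTOMER" + b"A PRICE " + b"100.00  "
MSG_B = b"CUSTOMER" + b"B PRICE " + b"250.00  "


def demo():
    # Same key, same IV (serial 7 reused): the common prefix is visible.
    reused = first_block_matches(KEY, serial_iv(7), serial_iv(7), MSG_A, MSG_B)
    # Same key, distinct serial IVs: the permutation maps distinct inputs
    # to distinct outputs, so the first ciphertext blocks always differ.
    unique = first_block_matches(KEY, serial_iv(7), serial_iv(8), MSG_A, MSG_B)
    roundtrip = cbc_decrypt(KEY, serial_iv(7),
                            cbc_encrypt(KEY, serial_iv(7), MSG_A)) == MSG_A
    return {"reused_iv_leaks_prefix": reused,
            "unique_iv_leaks_prefix": unique,
            "roundtrip_ok": roundtrip}


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The leak does not depend on the cipher: for any block cipher, equal key, equal IV and equal first plaintext block give an equal first ciphertext block, and the same argument extends block by block for as long as the two messages agree. A per-message serial number already removes that, which is why uniqueness, not secrecy, is the requirement the post states.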
Re: Porting GNUPG [ In reply to ]
%% pgut001@cs.auckland.ac.nz (Peter Gutmann) writes:

>>> If the only thing that's holding back the port of GNUPG to a
>>> Windows box is the need for a RNG, I would be glad to start
>>> working on one...

>> Please see Peter Gutmann's paper about "practically strong random
>> numbers"; this scheme should be used.

pg> This is already implemented in cryptlib,
pg> http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ , you can use that
pg> if you like. The only restriction is that I don't really want to
pg> place the code under the GPL since it's currently available on
pg> terms which are less restrictive than the GPL, and I don't want to
pg> tie it down with a more restrictive license than it currently has.

One option, if you're interested, would be to do what Larry Wall did
with Perl and use a dual license: say people could distribute it under
_either_ your license, or the GPL, whichever they preferred. You could
release _only_ the random number generation code under a dual license
like that, not all of cryptlib. Then GnuPG could use that part.

Just something to consider.

BTW, Werner et al. keep mentioning your paper on practical strong
random numbers, but I don't believe anyone's posted a reference: is it
available on the web or somewhere? I did take a look through the
misc/rndunix.c code in cryptlib 2.1, so I think I get the idea, but it'd
be nice to see the doc.

--
-------------------------------------------------------------------------------
Paul D. Smith <psmith@baynetworks.com> Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions--Bay Networks takes no responsibility for them.
Re: Porting GNUPG [ In reply to ]
It would appear that I'm not getting all the messages from the list
server...I never recv'd anything from Peter Gutmann. I just checked the list
serv archives and found a whole heap of messages I never recvd...Hmm. :)

D.
Re: Porting GNUPG [ In reply to ]
%% pgut001@cs.auckland.ac.nz (Peter Gutmann) writes:

pg> That sounds reasonable. OK, the cryptlib random number code can
pg> be used in GnuPG under whatever terms are required (GPL I guess)
pg> on the understanding that it's not exclusively under the GPL, so I
pg> can keep using it and any updates to it as before (ie it's a dual
pg> license). I hope that's what's required.

I suppose to be official you might want to name the files in the
distribution you're discussing: misc/random.h, misc/rndunix.c (other
misc/rnd*.c?), and lib_rand.c? Or some subset?

Also, just to be clear: you can release your code under whatever license
you like, and change it at will (although you can't change
already-released licensing terms, of course); a license is only for
_other_ people. The author can do anything with the code, and is not
restricted by the license in any way.

So, you could release it under the GPL, and under your license, and
license it to others under completely different terms for any fees or
anything and that's all fine.

Many people do this sort of thing: for example, the Ghostscript folks
release proprietary versions first, then after a release or two the
older releases are put out under the GPL. So if you want the newest
stuff you buy it from them, but the older stuff is available free.

Anyway, there's all sorts of variations on the theme. Authors always
have complete control :)

pg> It's available via a link off my home page,

Thx, I'll check it out.

--
-------------------------------------------------------------------------------
Paul D. Smith <psmith@baynetworks.com> Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions--Bay Networks takes no responsibility for them.
Re: Porting GNUPG [ In reply to ]
Matthew Mastracci wrote:

> I don't think implementing a strong RNG in Windows would be too difficult.
> You can even use the built-in Microsoft Crypto API (CryptGenKey) to generate
> good keys.
>

that may not be a good idea.
maybe you should read what
peter gutmann has to say about it:

http://www.cs.auckland.ac.nz/~pgut001/

raf
Re: Porting GNUPG [ In reply to ]
Michael Roth <mroth@nessie.de> writes:

> I don't remember exactly but I believe I read something about a harddisk
> as random number generator in [1].

I believe the experiment yields 1 or 2 bits per second. Anyway, you
have to do it in the kernel and I think you need a spare disk for
this.


Werner
Re: Porting GNUPG [ In reply to ]
Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> That sounds reasonable. OK, the cryptlib random number code can be used in
> GnuPG under whatever terms are required (GPL I guess) on the understanding
> that it's not exclusively under the GPL, so I can keep using it and any
> updates to it as before (ie it's a dual license). I hope that's what's
> required.

Thanks Peter. You may want to consult Theodore Ts'o's /dev/random
driver for Linux and *BSD (linux/drivers/char/random.c) for a wording
example. I used this too for my Xircom Ethernet driver.


Werner
Re: Porting GNUPG [ In reply to ]
On Mon, 14 Sep 1998, Werner Koch wrote:

> This does not add any entropy. You need a hardware source to add more
> entropy; a interrupt can be considered as a hardware source. Don't
> use the values of the keys the user hist but only the timings.
>
> Mixing is not needed as the core random function already take care of
> that. Peter gives good examples how to collect entropy on a DOS box.

Another source is a harddisk in a computer. The idea is to read from and
write to various tracks and record the timings. Of course you must make
sure that the cache doesn't fool you.
I don't remember exactly but I believe I read something about a harddisk
as random number generator in [1].
A friend did some experiments in the past on irix. The results looked a
little bit 'strange'. Most timing values were equal. Only a few were
different.
However, I believe harddisk timing is a secure source of random
data (really random spin differences) but using it correctly could be a
difficult task.

[1] Bruce Schneier: Applied Cryptography


cu
Michael
Re: Porting GNUPG [ In reply to ]
>>If the only thing that's holding back the port of GNUPG to a Windows box is
>>the need for a RNG, I would be glad to start working on one...

>Please see Peter Gutmann's paper about "practically strong random numbers";
>this scheme should be used.

This is already implemented in cryptlib,
http://www.cs.auckland.ac.nz/~pgut001/cryptlib/, you can use that if you
like. The only restriction is that I don't really want to place the code
under the GPL since it's currently available on terms which are less
restrictive than the GPL, and I don't want to tie it down with a more
restrictive license than it currently has.

Peter.
Re: Porting GNUPG [ In reply to ]
>One option, if you're interested, would be to do what Larry Wall did with
>Perl and use a dual license: say people could distribute it under _either_
>your license, or the GPL, whichever they preferred. You could release _only_
>the random number generation code under a dual license like that, not all of
>cryptlib. Then GnuPG could use that part.

That sounds reasonable. OK, the cryptlib random number code can be used in
GnuPG under whatever terms are required (GPL I guess) on the understanding
that it's not exclusively under the GPL, so I can keep using it and any
updates to it as before (ie it's a dual license). I hope that's what's
required.

>BTW, Warner et. al. keep mentioning your paper on practical strong random
>numbers, but I don't believe anyone's posted a reference: is it available on
>the web or somewhere? I did take a look through the misc/rndunix.c code in
>cryptlib 2.1, so I think I get the idea, but it'd be nice to see the doc.

It's available via a link off my home page,
http://www.cs.auckland.ac.nz/~pgut001/. It contains a number of diagrams so
it's done as a PDF file, at some point I'll get around to updating it and
adding more info (the current version is 15 pages exactly, which was the limit
for papers at the conference).

Peter.