delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2002/06/06/06:14:50

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 6 Jun 2002 12:14:19 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Patches for gnupg 1.0.7 / cygwin 1.3.10
Message-ID: <20020606121419.G30892@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <200206060834 DOT UAA460269 AT ruru DOT cs DOT auckland DOT ac DOT nz>
Mime-Version: 1.0
In-Reply-To: <200206060834.UAA460269@ruru.cs.auckland.ac.nz>
User-Agent: Mutt/1.3.22.1i 

On Thu, Jun 06, 2002 at 08:34:30PM +1200, Peter Gutmann wrote:
> Chris Polley <chris DOT polley AT ieee DOT org> writes:
> 
> >>I don't know how good the generated entropy is. This question goes to=20
> >>the cygwin list. How generated? How good?
> >
> >It uses the MS-supplied CryptGenRandom call to generate the random bytes.
> 
> The CAPI generator is, um, of variable quality.  I cover one version in
> http://www.cryptoapps.com/~peter/06_random.pdf.  Note that the code appears to
> have changed over time, and is now considerably improved (the details will be
> in the updated version of the above paper).  I don't know in which versions of
> Windows the improved versions appeared, or what the specific improvements over
> time may have been.
> 
> (Basically, you're relying on the company which brought you ActiveX, Outlook,
>  Word macros, IIS, etc etc, to provide secure randomness.  It's sort of odd
>  that you don't trust their Posix stuff (which is a matter of taste), but do
>  trust their randomness (which is a critical security issue) :-).

Typically I don't take that "Microsoft is evil" stuff serious but
the above sentence contains an error.  It's not that we don't trust
the Microsoft POSIX stuff but it's not that useable nor complete.

The original reason to create Cygwin was to have a framework in which
gcc and friends will work and which doesn't create licensing trouble
for Cygnus.  Every further improvement and extension to Cygwin is
just driven by the will of volunteers.

When I created the /dev/random and /dev/urandom stuff, I decided that
the /dev/random is best implemented by using the OS capabilities and
I still stand to that decision.  The /dev/urandom is implemented the
same way but allows falling back to a simple pseudo random number
generator which isn't possible for /dev/random.

By and large I don't see any need to change /dev/random just to support
peoples paranoia.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019