Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Date: Thu, 6 Jun 2002 20:34:30 +1200 (NZST)
Message-ID: <200206060834.UAA460269@ruru.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: chris.polley@ieee.org, quetschke@scytek.de
Subject: Re: Patches for gnupg 1.0.7 / cygwin 1.3.10
Cc: cygwin@cygwin.com, gnupg-devel@gnupg.org

Chris Polley <chris.polley@ieee.org> writes:

>>I don't know how good the generated entropy is. This question goes to=20
>>the cygwin list. How generated? How good?
>
>It uses the MS-supplied CryptGenRandom call to generate the random bytes.

The CAPI generator is, um, of variable quality.  I cover one version in
http://www.cryptoapps.com/~peter/06_random.pdf.  Note that the code appears to
have changed over time, and is now considerably improved (the details will be
in the updated version of the above paper).  I don't know in which versions of
Windows the improved versions appeared, or what the specific improvements over
time may have been.

(Basically, you're relying on the company which brought you ActiveX, Outlook,
 Word macros, IIS, etc etc, to provide secure randomness.  It's sort of odd
 that you don't trust their Posix stuff (which is a matter of taste), but do
 trust their randomness (which is a critical security issue) :-).

Peter.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/