Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 6 Jun 2002 20:34:30 +1200 (NZST)
Message-ID: <200206060834.UAA460269@ruru.cs.auckland.ac.nz>
From: pgut001 AT cs DOT auckland DOT ac DOT nz (Peter Gutmann)
To: chris DOT polley AT ieee DOT org, quetschke AT scytek DOT de
Subject: Re: Patches for gnupg 1.0.7 / cygwin 1.3.10
Cc: cygwin AT cygwin DOT com, gnupg-devel AT gnupg DOT org

Chris Polley <chris DOT polley AT ieee DOT org> writes:

>>I don't know how good the generated entropy is. This question goes to=20
>>the cygwin list. How generated? How good?
>
>It uses the MS-supplied CryptGenRandom call to generate the random bytes.

The CAPI generator is, um, of variable quality.  I cover one version in
http://www.cryptoapps.com/~peter/06_random.pdf.  Note that the code appears to
have changed over time, and is now considerably improved (the details will be
in the updated version of the above paper).  I don't know in which versions of
Windows the improved versions appeared, or what the specific improvements over
time may have been.

(Basically, you're relying on the company which brought you ActiveX, Outlook,
 Word macros, IIS, etc etc, to provide secure randomness.  It's sort of odd
 that you don't trust their Posix stuff (which is a matter of taste), but do
 trust their randomness (which is a critical security issue) :-).

Peter.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/