
Re: PGP's +makerandom is broken (was: Re: Article on PGP flaws)



At 10:52 PM 4/20/96, Jeffrey I. Schiller wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>On April 16, 1996 [email protected] said:
>> I fed the result of
>> pgp +makerandom=2000 rnd.pgp
>> into noisesphere.exe
>>
>> Every time, it gives a distribution that looks like a zebra from the
>> top view.  Any comments?
>
>This is a bug in PGP. +makerandom doesn't work properly. I discovered
>this a few weeks ago myself when I needed some random numbers for
>another project. Due to a programming bug, the IDEA-based random number
>generator doesn't get initialized (read: doesn't get seeded at all)
>when +makerandom is used. Note: +makerandom is an undocumented feature.
>
>IMPORTANT: Only +makerandom is affected. In normal use PGP properly
>generates random session keys as well as RSA public key pairs.
>
>                                -Jeff

As true as this may be, it doesn't explain the original poster's problem;
unseeded IDEA should generate data that looks every bit as random as data
from a fully seeded generator (otherwise IDEA leaks information). This should
raise a question regarding the utility of any post-facto measurement of
entropy: the stream of bits generated by IDEA encrypting zero values in CBC
mode with a key of zero clearly has little, if any, entropy, but the data
generated should be indistinguishable from true random data by all
statistical and pattern-recognition tests. See the discussion on
coderpunks.

Basically, to get crypto-quality random numbers:
 1) Use a secure generator; any secure block cipher or hash function will do.
 2) Seed it well. This is entirely specific to your situation & platform,
and is unmeasurable for practical purposes.
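To illustrate the point about post-facto entropy measurement and the two rules above, here is an added example (not from this post, PGP or coderpunks). A SHA-256 counter-mode stream stands in for PGP's IDEA-based generator, since any secure block cipher or hash function will do; the same simple byte-frequency and bit-balance tests are run over an all-zero-seeded stream and a properly seeded one, and both pass, while only the zero-seeded stream is reproducible.

```python
import hashlib
import os

# Constructed stand-in for PGP's IDEA-based generator: a secure hash run
# in counter mode over a seed. Output quality is the same regardless of
# what the seed is; only its unpredictability depends on the seed.
def stream(seed: bytes, nbytes: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of byte frequencies against uniform (255 dof)."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def monobit_fraction(data: bytes) -> float:
    """Fraction of set bits; close to 0.5 for random-looking data."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))

def looks_random(data: bytes) -> bool:
    """Crude post-facto test: chi-square within roughly the 0.1%..99.9%
    band for 255 degrees of freedom, bits roughly balanced."""
    return 180 < chi_square_bytes(data) < 340 and \
        abs(monobit_fraction(data) - 0.5) < 0.01

def demo(nbytes: int = 65536) -> dict:
    # An all-zero seed models a generator that was never seeded, as with
    # the +makerandom bug; os.urandom models a well-seeded one.
    unseeded = stream(b"\x00" * 16, nbytes)
    seeded = stream(os.urandom(16), nbytes)
    return {
        "unseeded_passes": looks_random(unseeded),
        "seeded_passes": looks_random(seeded),
        # The statistics cannot tell these apart; only reproducibility
        # reveals that the unseeded stream carries no entropy at all.
        "unseeded_reproducible": stream(b"\x00" * 16, nbytes) == unseeded,
        "seeded_reproducible": stream(os.urandom(16), nbytes) == seeded,
    }
```

Running demo() shows both streams passing the tests while only the zero-seeded one is reproducible, which is exactly why the tests say nothing about how well a generator was seeded.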

 - Tim

Tim Dierks                                              [email protected]
Consensus Development                             http://www.consensus.com