Henry Bremridge wrote:
> On Wed, Nov 29, 2006 at 08:20:06PM +1030, Alphax wrote:
>
>> That advice is seriously flawed. You do *not* want to copy the
>> random-seed file!
>>
> Just out of interest: why?
>
As someone a lot smarter than me pointed out in a message I can't find when I suggested "just copy the .gnupg directory" (and with a bit of background info thrown in, and I'm not a cryptographer and haven't really studied the GnuPG internals so I might be wrong):

GPG is a hybrid cryptosystem; messages are (symmetrically) encrypted to "random" session keys, which are then (asymmetrically) encrypted to a number of recipient public keys. Part of the security of the system is that the session key is "random", or as close to it as possible; because GPG will work on many different and varying systems, there is no guarantee of a system-wide random data source, so you can't just read from /dev/random or /dev/urandom every time you want a bit of random data, because it might not exist (and these have their own problems). So, GPG has its own internal pseudorandom number generator.

In order to speed things up a bit, it normally has an internal seed of pooled random data, which it stores in .gnupg/random_seed while it's not using it. When GPG decides it wants some random data, it generates it using this file as the seed, so if you know what the random seed file was, it's (somewhat) easier to predict what the next lot of random data is going to be.

So, you don't want two installations of GPG to have the same random_seed, because you're going to start producing deterministic output...

-- 
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
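The property Alphax describes, that a pool-seeded generator is a deterministic function of its stored seed, can be shown with a small model. The following is an added example and is not Alphax's code nor GnuPG's real generator; the class `SeedPool`, its hash-based mixing and ratchet, and the helper functions are constructed for illustration only, and the sample seed bytes in the usage are made up. It shows what happens when two "installations" start from an identical copied seed file (they hand out the same session keys), and that either generating a fresh seed per installation or stirring in host-specific entropy before use breaks the coincidence.

```python
import hashlib
import hmac
import os

# Constructed model of a pool-based, file-seeded PRNG. It is NOT GnuPG's
# generator; it only reproduces the property discussed in the mail:
# every output is a deterministic function of the stored seed pool.

POOL_BYTES = 64


class SeedPool:
    """Pool-based PRNG whose state is persisted in a seed file between runs."""

    def __init__(self, seed_bytes: bytes):
        if len(seed_bytes) != POOL_BYTES:
            raise ValueError("seed file has unexpected size")
        self.pool = bytearray(seed_bytes)
        self.counter = 0

    @classmethod
    def fresh(cls) -> "SeedPool":
        """A brand-new installation fills its pool from the OS entropy source."""
        return cls(os.urandom(POOL_BYTES))

    def mix_in(self, entropy: bytes) -> None:
        """Stir new entropy into the pool (what a live system does over time)."""
        self.pool = bytearray(hashlib.sha512(bytes(self.pool) + entropy).digest())

    def next_session_key(self, nbytes: int = 32) -> bytes:
        """Derive a session key from the pool, then ratchet the pool forward."""
        self.counter += 1
        key = hmac.new(bytes(self.pool), self.counter.to_bytes(8, "big"),
                       hashlib.sha256).digest()[:nbytes]
        # Ratchet so a later pool state does not reveal keys already handed out.
        self.pool = bytearray(hashlib.sha512(bytes(self.pool) + b"ratchet").digest())
        return key

    def save(self) -> bytes:
        """Serialise the pool as it would be written back to the seed file."""
        return bytes(self.pool)


def keys_from_cloned_seed(seed_file: bytes, n: int = 3):
    """Two installations started from byte-identical copies of one seed file."""
    a = SeedPool(seed_file)
    b = SeedPool(seed_file)
    return ([a.next_session_key() for _ in range(n)],
            [b.next_session_key() for _ in range(n)])


def keys_from_fresh_seeds(n: int = 3):
    """Two installations that each generated their own seed (seed file deleted)."""
    a = SeedPool.fresh()
    b = SeedPool.fresh()
    return ([a.next_session_key() for _ in range(n)],
            [b.next_session_key() for _ in range(n)])


def keys_after_reseeding(seed_file: bytes, entropy_a: bytes, entropy_b: bytes, n: int = 3):
    """Same copied seed, but each host mixes in its own entropy before use."""
    a = SeedPool(seed_file)
    a.mix_in(entropy_a)
    b = SeedPool(seed_file)
    b.mix_in(entropy_b)
    return ([a.next_session_key() for _ in range(n)],
            [b.next_session_key() for _ in range(n)])


if __name__ == "__main__":
    copied_seed = bytes(range(POOL_BYTES))  # constructed stand-in for a copied seed file
    cloned_a, cloned_b = keys_from_cloned_seed(copied_seed)
    print("cloned seed, identical keys:", cloned_a == cloned_b)
    fresh_a, fresh_b = keys_from_fresh_seeds()
    print("fresh seeds, identical keys:", fresh_a == fresh_b)
    reseed_a, reseed_b = keys_after_reseeding(copied_seed, b"host-a", b"host-b")
    print("reseeded, identical keys:", reseed_a == reseed_b)
```

The practical takeaway matches the mail: when moving a .gnupg directory to another machine, leave the seed file behind so the new installation builds its own pool, rather than carrying a second copy of the same state to a second host.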