[Gnuk-users] Security of NeuG?

NIIBE Yutaka gniibe at fsij.org
Fri Feb 20 00:31:57 UTC 2015


Hello, Diego,

Thanks for your insight.

On 02/19/2015 07:57 PM, NdK wrote:
> The machine where you use crypto *must* be "secure enough", as told many
> times on gnupg-users ml. If it isn't, you've already lost!

I basically agree.  I support your opinion here on our computer
systems, in general.

Well, I think that it would be interesting to remember our history a
bit, in a different context.  On the occasion of the GNU 30th Anniversary,
I translated the GNU Manifesto (into Japanese), as the existing multiple
translations were not good for me.  And I learned (once again), we had
lost completely for our computing.  But, we were not defeated in 1984,
and we are still alive.

> And IIRC entropy is needed just when generating keys (except for the
> primary key, the others can be generated on the token, mitigating many
> possible attacks) and when signing.

Right.  Please note that it's not only for the keys of public key
cryptography.  We need some entropy when we communicate even if it's
a non-encrypted channel (for TCP sequence numbers, for example).  If it's
an encrypted channel or when we encrypt a file by gpg, we need session
keys (of symmetric crypto), which also require some entropy.  For
digital signatures, it requires a nonce, which also requires some
entropy.

These days, people care about encryption.  We see many sites
now use https.  The consumption of entropy would be huge.

My concern here is that:

    Are we generating enough entropy to feed those systems?

(if we consider it's "consumption".)

Well, this is kind of religious, I know.  Some parts of random
number things are inevitably religious, perhaps.

You'd accuse me that the S/N ratio of my messages is not good.  If so,
you can take advantage of it for your entropy source.  :-)