A vulnerability exists in the way PGP5 generates random keying material when it is used without user input. When a keypair is generated using:

    pgpk -g <DSS or RSA> <key-length> <user-id> <timeout> <pass-phrase>

pgp generates the key automatically, without any user intervention. On systems which support /dev/random, it gathers this key material by reading from that device in 1-byte increments:

    RandBuf = read(fd, &RandBuf, count);

and then feeds the result into its random pool. Unfortunately, the above logic is flawed: read() returns the number of bytes read, not the byte itself. Since count is always initialized to 1 in this case, RandBuf is always assigned the value 1, so the pool is seeded with a constant instead of entropy. This makes the resulting keys easy to predict. RSA keys generated this way are predictable; for DSA/ElGamal keypairs, the signature (DSA) key is predictable, while the encryption (ElGamal) key varies.

Users running pgp are not vulnerable provided one of the following is true:

1) They generated the keys interactively -- this entails entering a large amount of random characters at the keyboard.
2) They had a previous, used installation of PGP 5 with a pre-existing random seed file.
3) They are running a 2.x, 2.xi, 6.x or 6.xi distribution.
4) The platform they are using does not have a /dev/random device.
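The following C program is an added illustration, not code from PGP 5 or from the advisory's author. It reproduces the flawed assignment pattern described above beside a correct read loop, and feeds both a constructed byte sequence through a pipe (standing in for /dev/random) so the difference is deterministic and observable: the flawed version returns 1 regardless of the bytes available, while the correct version returns the bytes themselves and handles short reads and EINTR, which a device like /dev/random can produce.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The flawed pattern from the advisory: the return value of read() (a byte
 * count) overwrites the buffer variable, so the entropy byte is discarded and
 * RandBuf becomes 1 on every successful read. */
static int buggy_read_byte(int fd) {
    unsigned char RandBuf = 0;
    int count = 1;
    RandBuf = read(fd, &RandBuf, count);   /* bug: stores the count, not the byte */
    return RandBuf;
}

/* Correct pattern: data stays in the buffer, the return value is checked
 * separately, and the loop continues until all requested bytes arrive.
 * A short read or EINTR is not an error; a negative return or EOF is. */
static ssize_t read_exact(int fd, unsigned char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR) continue;  /* interrupted: retry */
            return -1;                     /* real I/O error */
        }
        if (n == 0) break;                 /* EOF before 'want' bytes */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed sample "entropy"; real code would read /dev/random instead. */
static const unsigned char SAMPLE[4] = {0xAB, 0xCD, 0xEF, 0x42};

/* Runs the flawed reader against the sample via a pipe; returns what it
 * would feed into the pool (always 1, whatever the sample bytes are). */
static int demo_buggy_result(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], SAMPLE, sizeof SAMPLE) != (ssize_t)sizeof SAMPLE) return -1;
    int v = buggy_read_byte(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return v;
}

/* Runs the correct reader against the same sample; fills 'out' with up to n
 * bytes and returns how many were read (the sample bytes, intact). */
static ssize_t demo_correct_result(unsigned char *out, size_t n) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], SAMPLE, sizeof SAMPLE) != (ssize_t)sizeof SAMPLE) return -1;
    close(fds[1]);                         /* so read_exact sees EOF after 4 bytes */
    ssize_t got = read_exact(fds[0], out, n);
    close(fds[0]);
    return got;
}

int main(void) {
    unsigned char buf[sizeof SAMPLE];
    printf("flawed reader yields: %d\n", demo_buggy_result());
    ssize_t got = demo_correct_result(buf, sizeof buf);
    printf("correct reader yields %zd bytes:", got);
    for (ssize_t i = 0; i < got; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The check a reviewer would want in any code that seeds a random pool from a device is the one read_exact makes explicit: the byte count and the data live in different variables, and the count is compared against what was requested before the data is trusted.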