[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

weak point of PGP implementation



Matt mentions three potential weaknesses in PGP: RSA key length, the
IDEA cypher, the pass phrase.  Let me add:

4. The random number generator used to make session keys.  If this is
weak, then an opponent might be able to guess them feasibly.  This attack
does not require breaking the underlying cryptography.

5. Weak random numbers for RSA key generation.  If the numbers in the
random number pool are not as random as they should be, then one might
simply simulate the prime generation algorithm and compile a table of
potential PGP primes.  Simply running trial division on this list
versus a storehouse of public keys might reveal common factors.  Even
running Euclid's algorithm to find g.c.d.'s on a such a storehouse
versus itself might produce factorizations.

From my quick reading of genprime.c, the PGP key generation algorithm
searches sequentially from a random starting point.  Thus it will tend
to find primes that are preceded by large blocks of composite numbers.
This alone reduces the search space some, possibly considerably.

Has anybody measured how good the keystroke timings are, anyway?

Eric