[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Further PGP Security Doubts



> 4) It's not too hard to build a test-suite for PGP to ensure it's
> implementation of IDEA is correct, and it's possible to check
> it's key generation/session key generation things. Of course
> key management isn't too big a deal either... Thus I don't
> think it requires too great an effort to trust ViaCrypt.
> And if not - buy their copy to stay legal and use the
> Source to be safe (:-).

I would be pleased to see some truly exhaustive efforts made to test
PGP's actual security.

I have been seeing yet more criticisms of PGP, this time from some
character calling himself "Raymond Paquin."  He claims to be a
professor of mathematics who has been working at an unnamed university
exclusively on cryptographics for the past twelve years.  He implies
that he is working for some government in a classified capacity and is
thus unable to either publish or discuss the matter openly.

He claims that PGP is fatally flawed, though the flaw is in niether
RSA or IDEA, but rather somewhere within the PGP part of the program.

Copping the "I can say no more!  I have said too much already!"
melodrama, no more detailed information is forthcoming.

Now, this tease seems to reek of a hoax, but Zimmermann himself claimed
no high degree of security for the program.  To my knowledge, no serious
or well-funded unclassified attempts have been made to crack PGP.  I
fear that we are putting our faith in snake oil, as Zimmermann puts it.

I am not a mathematician, but merely a former spear-carrier in the Cold
War with some fairly well-developed residual instincts about this sort
of thing, including a conviction that all security measures - physical,
electronic or cryptographic - can be compromised by a determined
opponent with extensive resources.  Once compromised, attacks thereafter
may often be trivially accomplished.