Commercial PGP: Verifying Trustworthiness

Here's a real simple way to verify the trustworthiness of the commercial
version of PGP.  It's a bidirectional comparison of outputs.

1) Have freeware PGP generate a set of keys.

2) Using keys from (1), encrypt several files with both conventional and
   public key encryption, using freeware PGP _and_ commercial PGP, then
   compare the output of both byte-for-byte to see if they match up.

3) Have commercial PGP generate a set of keys.

4) Using keys from (3), encrypt several files with both conventional and
   public key encryption, using freeware PGP _and_ commercial PGP, then
   compare the output of both byte-for-byte to see if they match up.

Basically, if both commercial PGP and freeware PGP produce exactly the
same encrypted files as output based on the same keys, and if you have
the source code and can trust freeware PGP, then it can be stated that
commercial PGP is secure.  I'm no expert on mathematical proofs, but the
above seems very logical to me.
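Added example, not from the original post: a small differential-comparison harness that carries out steps 2 and 4 above against two stand-in "implementations". The stand-ins are constructed Python callables (a deterministic SHA-256 keystream, a copy with a hypothetical final-block defect, and a copy that prepends a random per-message session key, as real PGP public-key encryption does); key generation in steps 1 and 3 is not modelled, so the keys are constructed bytes supplied for each direction.

```python
import hashlib
import os
from typing import Callable

Encryptor = Callable[[bytes, bytes], bytes]


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in 'implementation A' (the source-available build): XOR the
    plaintext with a deterministic SHA-256 counter keystream. Toy, constructed."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    return bytes(out)


def buggy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in 'implementation B': identical to A except it flips one bit in a
    trailing partial block (hypothetical defect, constructed for the example)."""
    ct = keystream_encrypt(key, plaintext)
    if len(plaintext) % 32:
        ct = ct[:-1] + bytes([ct[-1] ^ 0x01])
    return ct


def randomized_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in 'implementation C': prepends a fresh random session key per
    message, like PGP public-key encryption; byte-for-byte comparison cannot
    apply to such output, which the harness must detect rather than flag."""
    session = os.urandom(16)
    return session + keystream_encrypt(key + session, plaintext)


def is_deterministic(enc: Encryptor, key: bytes, plaintext: bytes) -> bool:
    """Same key and input twice must give identical bytes."""
    return enc(key, plaintext) == enc(key, plaintext)


def compare_outputs(a: Encryptor, b: Encryptor, keys: list, samples: list) -> dict:
    """Encrypt each sample under each key with both implementations and record
    (key index, sample index) pairs whose ciphertexts differ. If either side
    produces randomized output the comparison is abandoned, because a mismatch
    then says nothing about either implementation."""
    result = {"deterministic": True, "mismatches": []}
    for k, key in enumerate(keys):
        for idx, pt in enumerate(samples):
            if not (is_deterministic(a, key, pt) and is_deterministic(b, key, pt)):
                result["deterministic"] = False
                return result
            if a(key, pt) != b(key, pt):
                result["mismatches"].append((k, idx))
    return result
```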

I'm assuming the NSA will pressure ViaCrypt to put in a backdoor.  One
possible backdoor that can be placed inside the commercial PGP and still
allow it to pass the above test is if commercial PGP secretly writes all
keys and pass phrases to a block on your hard disk, and marks that
block as used to the file system.  In order to prevent you from scanning
your hard disk and finding that block, the information stored there could
be encrypted by a key which the NSA has in its possession.

I would never use commercial PGP because I do not place inherent trust in
programs which come with no source code, and commercial PGP doesn't come
with source code.


Thug