[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: a hole in PGP

To: [email protected]
Subject: Re: a hole in PGP
From: "Patrick J. LoPresti" <[email protected]>
Date: Tue, 1 Aug 1995 12:55:30 -0400
In-Reply-To: [email protected]'s message of 1 Aug 1995 12:17:42 -0400
References: <[email protected]>
Reply-To: [email protected]
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "rjc" == Ray Cromwell <[email protected]> writes:

 rjc>   That's a neat metaphor, but it doesn't always apply. It
 rjc> shouldn't apply to algorithms which are primitive
 rjc> recursive. Elementary algorithms like multiprecision add, sub,
 rjc> multiply, divide, modmult, and modexp (the basis of public key
 rjc> encryption) are all provably correct and all terminate. (the
 rjc> basis is polynomial operators over a ring) It is possible to
 rjc> verify the implementation (assuming the correctness of the
 rjc> compiler). Now there could be a "factoring" trapdoor in RSA, but
 rjc> that's a trapdoor not in the implementation of PGP, but in the
 rjc> algorithm itself. RSA-in-4-lines-perl is probably provably
 rjc> correct.  To guard against trapdoors in PGP, you should verify
 rjc> the correctness of the PRNG, Key Generator, and that no private
 rjc> key bits or session key bits are leaked. I would suspect this
 rjc> could be difficult, but approximations could be determined to
 rjc> within a high degree of confidence.

As I suggested, you could 1) only use algorithms which are provably as
hard to break as known hard problems, and 2) only use implementations
which are proven correct.  PGP does neither.  In addition, the
complexity of the source makes #2 difficult even to approximate.

Now, we could certainly take care of #1 fairly easily by using a
different set of algorithms.  And as you suggest, #2 can be
approximated if the code is written cleanly.  But this would be a big
project, and it would not be PGP.

I personally would find such a project pointless, since I trust PGP
enough for my needs.  The availability of the source is a necessary
prerequisite for that trust, but it is by no means convincing.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface

iQCVAwUBMB5cZHr7ES8bepftAQFtBwQA2qDiS0BpvkFBj9HRRd/83OxjSczna/jn
wj5eb+2KMSbj87SuD3ByUFcXQmWIqO6bNq5CkzoxmGvrk/y1futjAF/BeGcVlM1+
T4ClfmrIFbqwd/j7i1Qaw7ExN6rNjgQUdRYmo8Nlr1JVaAymCtx2f4GqKRuwP3oy
Tc/W8GXThM0=
=qdFB
-----END PGP SIGNATURE-----

References:
- Re: a hole in PGP
  - From: Ray Cromwell <[email protected]>

Prev by Date: Re: commerical busters
Next by Date: IEEE Symp on Security and Privacy - Call for papers
Prev by thread: Re: a hole in PGP
Next by thread: Re: a hole in PGP
Index(es):
- Date
- Thread