[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

weak point of PGP implementation

To: [email protected]
Subject: weak point of PGP implementation
From: Eric Hughes <[email protected]>
Date: Tue, 26 Jan 93 19:27:40 -0800
In-Reply-To: The Phantom's message of Tue, 26 Jan 1993 16:15:48 -0800 (PST) <[email protected]>

Matt mentions three potential weaknesses in PGP: RSA key length, the
IDEA cypher, the pass phrase.  Let me add:

4. The random number generator used to make session keys.  If this is
weak, then an opponent might be able to guess them feasibly.  This attack
does not require breaking the underlying cryptography.

5. Weak random numbers for RSA key generation.  If the numbers in the
random number pool are not as random as they should be, then one might
simply simulate the prime generation algorithm and compile a table of
potential PGP primes.  Simply running trial division on this list
versus a storehouse of public keys might reveal common factors.  Even
running Euclid's algorithm to find g.c.d.'s on a such a storehouse
versus itself might produce factorizations.

From my quick reading of genprime.c, the PGP key generation algorithm
searches sequentially from a random starting point.  Thus it will tend
to find primes that are preceded by large blocks of composite numbers.
This alone reduces the search space some, possibly considerably.

Has anybody measured how good the keystroke timings are, anyway?

Eric

Follow-Ups:
- Re: weak point of PGP implementation
  - From: [email protected]

References:
- weak point of PGP implementation
  - From: The Phantom <[email protected]>

Prev by Date: Remailer Changes
Next by Date: Computerized OTP (was 5th AMENDMENT & DECRYPTION)
Prev by thread: weak point of PGP implementation
Next by thread: Re: weak point of PGP implementation
Index(es):
- Date
- Thread