[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Allegations of PGP Weaknesses

To: Cypherpunks <[email protected]>
Subject: Re: Allegations of PGP Weaknesses
From: [email protected] (Edgar W. Swank)
Date: Thu, 04 Nov 93 16:06:52 PST
Comments: Liberty!
Organization: SPECTROX SYSTEMS (408)252-1005 Cupertino, Ca

-----BEGIN PGP SIGNED MESSAGE-----

A few days ago, Victor Borisov posted here the following allegations
or rumors about "weaknesses" in PGP.

    >He made same program (LanCrypto).  That why, I hear only bad
    >words from he.  :)  You can read about this program in
    >cypherpunks.  >From other KGB-men, I hear, that prophesor
    >Sidelnicov (the well known cryptoanalisist from Russia) saw,
    >that PGP has some weak places:

    > - random number is`t "good" random number.
    > - md5 has hole (but here man lapse into salence:( ).
    > - PGP for DOS don`t have any anti-overloking tools.
    >
    >BTW:  LanCrypto play on last weakness:  thay wrote litle
    >resident DOS program.  This program crack PGP and than pgp
    >sign (and check) only part of message.  LanCrypto public
    >this resalt in buziness newspaper and show program on the
    >big computer-show.  I think this is rough market, but it
    >work well (as all, that KGB made:))!!!

Since then, I have checked with other members of the PGP development
team and here is a summary of what they (and I) say:

    The random number handling in PGP was beefed up in the 2.2
    release.  We don't know if there were any real weaknesses before
    that, but the improvements were added anyway.  We suspect that if
    there were any problems, they are gone now.  The guy who
    complained about it, Dr.  Sidelnikov, never cooperated with
    requests for details on what he found wrong with PGP.  In fact, he
    was pointedly uncooperative when contacted with questions asking
    him for details.

    If MD5 has a hole, we'd like to know about it.  It would be
    publishable in any crypto journal.  At Eurocrypt93, someone did
    find some slight weakness in MD5, but in realistic situations,
    this would not be a significant weakness.  Future versions of PGP
    may use the SHA hash algorithm, instead of MD5.  MD5 should be
    kept around for backwards compatibility.  MD5 is still a good hash
    function, and the weaknesses found were not applicable to any
    real-world uses of it.

    An old version of PGP did not detect if material was appended to a
    signed message.  This was a bug that was fixed, around version
    2.2, or maybe 2.1, I'm not sure which.

    We're not quite sure what "anti-overlooking" tools are, but based
    on Boris' example, we guess it would be code added 1) to insure
    that the code is unmodified and 2) make analysis of the code (e.g.
    with debugging tools & disassemblers) difficult.

    Since PGP is distributed with source code, it's obviously open to
    analysis and modification by anyone even moderately skilled in
    programming.  "Overlooking" attacks are easily countered by 1)
    making sure you have a "clean" PGP.EXE by checking it against the
    detached signature packed with it.  2)Running PGP with a freshly
    booted MSDOS from a factory diskette.  This is especially true if
    you run into "suspicious" actions when running PGP in your normal
    configuration. (Like you get back a copy of something you signed
    which seems to have text added you don't remember).

-----BEGIN PGP SIGNATURE-----
Version: 2.3a      

iQCVAgUBLNeRXt4nNf3ah8DHAQE+0QP/csLY4hw6AHGTdkoZu2koETv2q/ohnVl8
yGDwR65VVeuuiSANHjSmhUbA2w7DcbOaIxamzi1PSY6OHosB1ve4d2hOHKzdMrv1
m38x0iQLPZdGuuX0mCxRqvIJ47W8xKj49CxXIB+Khrva0nn+pAmQF6+IYonPGSAE
7uRREQnIzCU=
=7ogP
-----END PGP SIGNATURE-----

--
[email protected] (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Cupertino, Ca

Prev by Date: ViaCrypt PGP has arrived
Next by Date: unsubscribe
Prev by thread: Re: ViaCrypt PGP has arrived
Next by thread: PGP BUG/FEATURE: multi-platform keys
Index(es):
- Date
- Thread