
Can NSA crack PGP?

There is only one cipher that is provably secure: the one-time-pad.
All other ciphers are, at best, only "practically secure". That is,
they could, in theory, be cracked given enough time and computer
power, but in practice your enemy (even the NSA) *is* limited in his
resources.

There are several ways that NSA might crack PGP. Although I think it
relatively unlikely that they are true, there is nonetheless no way to
prove it. These include:

1. Attacking the RSA cryptosystem. This is a very well studied problem
in civilian cryptography, but it is always possible that NSA has found
a breakthrough in factoring that is still unknown to the civilian
world.

2. Attacking the IDEA conventional cipher. IDEA is based on a
relatively new design technique, different from that of DES.  It has
not had nearly the attention from the civilian cryptographic community
that has been spent on RSA and DES.

3. Attacking the random number generators. This is often the weakest
part of many conventional cryptosystems, but the techniques now used
in PGP are thought to be pretty good. Lest people think that timing
keystrokes is a poor way to generate random numbers, I should say that
I once watched somebody key a STU-III (NSA-designed secure phone). At
one point the phone prompted him to hit the "*" key 20 times. It
didn't say why, of course, but it was pretty obvious to me.  And if
it's good enough for NSA...

4. Attacking the PGP implementation itself. A "black bag job" that
modifies the victim's PGP executable to store or transmit pass
phrases, or gives the spooks a chance to search the disk's free list
for old temporary files, is almost certainly the easiest way to attack
PGP.  Don't forget that all computer security ultimately rests, at
some level, on physical security.

Phil