[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Validating a program



James A. Tunnicliffe wrote:
> >Adam Shostack <[email protected]> wrote (regarding PGP's security):
> >>      In short, if you're paranoid, feel free to look over the
> >>source.  But the fact that most people have never peeked under the
> >>hood is not a strike against pgp at all.

> Ed replies:
> >Maybe you missed my point, or I miss-communicated.  My question is as
> >follows:  If PGP and DES are as secure as thought to be, then why is it
> >not ruled illegal software, just as they do with silencers, narcotics,
> >certain type weapons, etc.....

[snippo]

> Why does it follow that these must be crackable, or the government would
> have outlawed them? Despite recent moves to limit encryption, there are
> currently NO domestic (U.S.) restrictions on crypto.  Nothing prohibits
> you from using a true One Time Pad, which is mathematically proven to be
> unbreakable, now and forever, even against infinite resources.  If this
> is not prohibited (and it isn't), doesn't that refute your argument?

This is a misleading challenge.  There's a helluva difference between the OTP and a
Public Key system.  If, for example, it can be proven that I can crank up PGP to its
most cryptic level, and send the OTP overseas with "absolute security", so that I
can now send messages with the OTP which was crunched with PGP's highest security,
then that would mean something.

Just so there's no misunderstanding:

1. The OTP is absolutely unbreakable. (if done correctly)
2. The OTP encryption cannot be decoded on the other end unless you can deliver the
   OTP to the person on the other end by a secure means.
3. PGP, which is not usually used at its highest level of security (for all bits in
   a message), *will* be used at its highest level of security to send the OTP to the
   person on the other end.
4. The OTP arrives on the other end, completely safe from snooping.

Now you see the problem.  #4 above can't be assured, and that is why Ed says that PGP
is not shut off "right now", because it's probably not "really secure".

I'm amused to think that, in a nation armed with 20,000 or so nukes, the paranoid of
paranoid nation-states as it were, some of the erstwhile intelligent citizens think
that the U.S. military are just sitting around wringing their hands over the "fact"
that the citizens have "unbreakable" crypto.

Bear in mind the Scientific American articles on Public Key crypto back in the 1970's.
The military knew the score back then, and if you think they just sat back and allowed
all this to happen, well, sorry, I don't believe in Santa Claus or the Easter Bunny.