1992-12-04 - Weakness of the PGP scheme ?

Header Data

From: VANGUARD@gribb.hsr.no
To: cypherpunks@toad.com
Message Hash: cff39ca2f91a0419a22c98708f391bd1c5f60c9a43956760407eb25d5cd990ee
Message ID: <MAILQUEUE-101.921204152203.416@gribb.hsr.no>
Reply To: N/A
UTC Datetime: 1992-12-04 14:18:02 UTC
Raw Date: Fri, 4 Dec 92 06:18:02 PST

Raw message

From: VANGUARD@gribb.hsr.no
Date: Fri, 4 Dec 92 06:18:02 PST
To: cypherpunks@toad.com
Subject: Weakness of the PGP scheme ?
Message-ID: <MAILQUEUE-101.921204152203.416@gribb.hsr.no>
MIME-Version: 1.0
Content-Type: text/plain


To my knowledge there is done very little cryptographical anlysis on
the PGP protocol, and just recently I saw I possible weak point in
the PGP scheme.

The underlying security of the PGP scheme is based on two different
systems, the RSA asymetric cipher and the IDEA cipher. For standard
encryption the plaintext is encrypted with a IDEA using a "random"
key, then the key is communicated using RSA. Then we have two direct
ways of analysing a message, we might have a run a plaintext attack
on the ciphertext trying out all possible IDEA keys which will tak
a lot of effort, or we might break the RSA key to get the IDEA key.

But I propose an easier attack; Using a Encrypted Ciphertext together
with the public key used for encryption, It would be possible to run
a trial encrypting all possible IDEA keys using the RSA public key
and compare it with the encrypted IDEA key, if a match is found then
you have the IDEA key for this one message. Using an RSA chip that is
capable of performing exponetsiations VERY fast I dont think that
this would be unfeasable.

The most important factor in this attack is the length of the IDEA
key. But another concern is the generation of the IDEA key, is it
possible knowing the value of the RANDSEED to know all the subsequent
IDEA keys?, or would knowing the last IDEA key drastically reduce the
time needed to search for a subsequent one? So far I haven't studied
PGP enough to answer all these questions.





Thread