1993-05-26 - PGP-RSAREF rumors

Header Data

From: ““L. Detweiler”” <ld231782@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Message Hash: bf5b791eb6dbc391dc4244faad25e10423103f7463028d334be4365099c44f87
Message ID: <9305260323.AA26837@longs.lance.colostate.edu>
Reply To: N/A
UTC Datetime: 1993-05-26 03:23:12 UTC
Raw Date: Tue, 25 May 93 20:23:12 PDT

Raw message

From: ""L. Detweiler"" <ld231782@longs.lance.colostate.edu>
Date: Tue, 25 May 93 20:23:12 PDT
To: cypherpunks@toad.com
Subject: PGP-RSAREF rumors
Message-ID: <9305260323.AA26837@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


Nothing has appeared on this list on this subject since the initial
flurry sparked by PGP-RSAREF negotiations.  I thought I would just post
a few short comments based on inside sources and speculations for all
the cypherpunks waiting on the edge of their consoles to hear some
word.  In no way should this be construed to be representative of
positions on either side.  I just hope to give members a little current
insight and encouraging glimpse, but also show how the difficulties
involved in the negotiations mean this is not as simple as Bidzos and
Zimmerman shaking hands without snarling (although that's certainly part of it).

A rather serious obstacle to RSAREF integration into PGP is that the
RSAREF routines only `ostensibly' allow RSA encryption of DES session
keys. For novices on the list, the background for this is that RSA is
too slow to use to encode an entire message, so that one uses RSA to
encode a randomly generated key for each session (hence the name) that
is contained in the transmission. The remainder of the transmission
includes the message encrypted under the private-key algorithm (e.g.
DES) with the generated session key.  Since the key is shorter than the
message and the private-key algorithm faster than the public-key
approach, this scheme results in a net gain of speed, but with security
only `as strong' as the private key algorithm.

Because of suspected weaknesses in DES, Zimmerman chose to use the
Swiss IDEA algorithm for the session keys, and for obvious reasons
prefers to continue to do so. However, the RSAREF routines have a
`published interface' that only permits the system using a DES key. 
There are `low level' routines that do pure unadulterated RSA
encryption of arbitrary data, crucial to PGP functions, but by the
terms of the license the programmer is *not* allowed to call them!

The reason for this restriction is presumably that a high-degree of
backward-compatibility is required of the library, so that a strict
adherence to use through `official' entry points must be preserved. 
However, this `hamstring connected' means that by no stretch of the
imagination can RSAREF be considered a `general purpose RSA
cryptography library' (in fact, it appears to be designed solely for
meeting the PEM standard).  It also means that the cryptographic
security of RSAREF is quite curiously limited to that of DES.

Rumor has it that Mark Riordan got permission to put in triple DES into
RSAREF for RIPEM but so far it is unclear if Zimmerman and Bidzos
can/will/have hammer(d) out something that allows the current PGP IDEA
cipher.  The backward compatibility of all previous PGP versions, and
ultimately the integration of RSAREF into PGP, is at stake. Rumor has
it that even Rivest (the R in RSA!) may be helping forge something
favorable to everyone.

Another complication of RSAREF that most on this list are probably
familiar with is that it is not permitted to be used outside the U.S. 
Hence parallel versions of PGP must be maintained even if RSAREF would
allow an IDEA implementation.

One other complication is that Mr. Zimmerman, while apparently never
directly profiting from PGP use, has before publicly `reserved the
right' to attempt to gain some kind of compensation for his Herculean
efforts on PGP, for which he has `a life sentence' and finds that it
takes major amounts of his time and commitment, although he is also
firm in his promise to keep it free. Of course, the position is not
wholly compatible with RSA interests.

Finally, I hear that negotiations are on pause while currently Mr.
Zimmerman is in the middle of his May 19 - Jun 9 `PRZ EuroCrypt Tour'
and is meeting PGP fanatics, groupies, and developers all over Europe!
In fact, here's an excerpt from a message that made the rounds among
some PGP contributors:

>From 27 May until maybe 30 May, more or less, I'll be traveling
>by train from Bergan, Norway, through Oslo, then on down to Copenhagen,
>down to Hamburg, and over to Amsterdam.  I'll be stopping along the way to
>see some sights, having never been to Europe before.
>
>From 30(?) May til 6 June, I'll be hanging around Amsterdam and the 
>surrounding area, to see some things from something other than a train seat.
>
>From 6 June to 9 June, I'll be in Washington DC, giving a talk at the
>7 June CPSR conference in DC.  Then I'm going home.
>
>If any of you want to pass this on to the PGP fans in Europe, who are
>fanatical enough to meet me over there in my travels, feel free.  If I
>play my cards right, I'll never have to buy lunch while I'm in Europe.

Maybe with enough encouragement and hospitality he'll make it through
the subsequent negotiations without strangling anyone or being strangled  :)

(You may be able to reach PRZ at prz@acm.org.)





Thread