1993-08-26 - Commercial PGP: Verifying Trustworthiness

Header Data

From: thug@phantom.com (Murdering Thug)
To: cypherpunks@toad.com
Message Hash: a3d34b87ccb473de7fc3d6d62829d7e1ec57996e8840da6811bd120264e395b1
Message ID: <m0oVliI-0009G0C@mindvox.phantom.com>
Reply To: N/A
UTC Datetime: 1993-08-26 18:05:47 UTC
Raw Date: Thu, 26 Aug 93 11:05:47 PDT

Raw message

From: thug@phantom.com (Murdering Thug)
Date: Thu, 26 Aug 93 11:05:47 PDT
To: cypherpunks@toad.com
Subject: Commercial PGP: Verifying Trustworthiness
Message-ID: <m0oVliI-0009G0C@mindvox.phantom.com>
MIME-Version: 1.0
Content-Type: text



Here's a real simple way to verify the trustworthiness of the commercial
version of PGP.  It's a bidirectional comparison of outputs.

1) Have freeware PGP generate a set of keys.

2) Using keys from (1) encrypt several files using both conventional and
   public key encryption using freeware PGP _and_ commercial PGP, then
   compare the output byte-for-byte of both to see if they match up.

3) Have commercial PGP generate a set of keys.

4) Using keys from (3) encrypt several files using both conventional and
   public key encryption using freeware PGP _and_ commercial PGP, then
   compare the output byte-for-byte of both to see if they match up.

Basically, if both commercial PGP and freeware PGP produce exactly the
same encrypted files as output based on the same keys, and if you have
the source code and can trust freeware PGP, then it can be stated that
commercial PGP is secure.  I'm no expert on mathematical proofs, but the
above seems very logical to me.

I'm assuming the NSA will pressure ViaCrypt to put in a backdoor.  One
possible backdoor that can be placed inside the commercial PGP and still
allow it to pass the above test is if commericial PGP secretly writes all
keys and pass phrases to a block on your hard disk, and marks that
block as used to the file system.  In order to prevent you from scanning
your hard disk and finding that block, the information stored there could
be encrypted by a key which the NSA has in it's possession.

I would never use commercial PGP because I do not place inherent trust in
programs which come with no source code, and commercial PGP doesn't come
with source code.


Thug




Thread