1993-11-05 - Re: Allegations of PGP Weaknesses

Header Data

From: edgar@spectrx.saigon.com (Edgar W. Swank)
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: 81e9403b6658ffd968923e3e1f43ba7c0c8246e4746ce6b9ce9c96e85bd0e19a
Message ID: <66Licc4w165w@spectrx.saigon.com>
Reply To: N/A
UTC Datetime: 1993-11-05 00:37:41 UTC
Raw Date: Thu, 4 Nov 93 16:37:41 PST

Raw message

From: edgar@spectrx.saigon.com (Edgar W. Swank)
Date: Thu, 4 Nov 93 16:37:41 PST
To: Cypherpunks          <cypherpunks@toad.com>
Subject: Re: Allegations of PGP Weaknesses
Message-ID: <66Licc4w165w@spectrx.saigon.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

A few days ago, Victor Borisov posted here the following allegations
or rumors about "weaknesses" in PGP.

    >He made same program (LanCrypto).  That why, I hear only bad
    >words from he.  :)  You can read about this program in
    >cypherpunks.  >From other KGB-men, I hear, that prophesor
    >Sidelnicov (the well known cryptoanalisist from Russia) saw,
    >that PGP has some weak places:

    > - random number is`t "good" random number.
    > - md5 has hole (but here man lapse into salence:( ).
    > - PGP for DOS don`t have any anti-overloking tools.
    >
    >BTW:  LanCrypto play on last weakness:  thay wrote litle
    >resident DOS program.  This program crack PGP and than pgp
    >sign (and check) only part of message.  LanCrypto public
    >this resalt in buziness newspaper and show program on the
    >big computer-show.  I think this is rough market, but it
    >work well (as all, that KGB made:))!!!

Since then, I have checked with other members of the PGP development
team and here is a summary of what they (and I) say:

    The random number handling in PGP was beefed up in the 2.2
    release.  We don't know if there were any real weaknesses before
    that, but the improvements were added anyway.  We suspect that if
    there were any problems, they are gone now.  The guy who
    complained about it, Dr.  Sidelnikov, never cooperated with
    requests for details on what he found wrong with PGP.  In fact, he
    was pointedly uncooperative when contacted with questions asking
    him for details.

    If MD5 has a hole, we'd like to know about it.  It would be
    publishable in any crypto journal.  At Eurocrypt93, someone did
    find some slight weakness in MD5, but in realistic situations,
    this would not be a significant weakness.  Future versions of PGP
    may use the SHA hash algorithm, instead of MD5.  MD5 should be
    kept around for backwards compatibility.  MD5 is still a good hash
    function, and the weaknesses found were not applicable to any
    real-world uses of it.

    An old version of PGP did not detect if material was appended to a
    signed message.  This was a bug that was fixed, around version
    2.2, or maybe 2.1, I'm not sure which.

    We're not quite sure what "anti-overlooking" tools are, but based
    on Boris' example, we guess it would be code added 1) to insure
    that the code is unmodified and 2) make analysis of the code (e.g.
    with debugging tools & disassemblers) difficult.

    Since PGP is distributed with source code, it's obviously open to
    analysis and modification by anyone even moderately skilled in
    programming.  "Overlooking" attacks are easily countered by 1)
    making sure you have a "clean" PGP.EXE by checking it against the
    detached signature packed with it.  2)Running PGP with a freshly
    booted MSDOS from a factory diskette.  This is especially true if
    you run into "suspicious" actions when running PGP in your normal
    configuration. (Like you get back a copy of something you signed
    which seems to have text added you don't remember).

-----BEGIN PGP SIGNATURE-----
Version: 2.3a      

iQCVAgUBLNeRXt4nNf3ah8DHAQE+0QP/csLY4hw6AHGTdkoZu2koETv2q/ohnVl8
yGDwR65VVeuuiSANHjSmhUbA2w7DcbOaIxamzi1PSY6OHosB1ve4d2hOHKzdMrv1
m38x0iQLPZdGuuX0mCxRqvIJ47W8xKj49CxXIB+Khrva0nn+pAmQF6+IYonPGSAE
7uRREQnIzCU=
=7ogP
-----END PGP SIGNATURE-----

--
edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Cupertino, Ca






Thread