From: Derek Atkins <warlord@MIT.EDU>
Date: Thu, 18 Jan 1996 00:52:05 +0800
To: pitz@onetouch.com
Subject: Re: pgp broken?
In-Reply-To: <9601162346.AA22192@toad.com>
Message-ID: <199601170016.TAA25341@toxicwaste.media.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


Although there is always the possibility that PGP could be broken, it
is highly unlikely that the program as a whole has been broken.  I
would think that it would be much easier to attempt to guess someone's
passphrase than to brute-force the crypto in the program.

Also, if it is the DoD that is purporting this supposed break, I doubt
the public will ever hear about it.  It would be interesting to know
"how" PGP was supposedly broken.  Was a cryptographic routine broken,
or was it a user interface break?  I.e., was a signature forged or a
message decrypted?  Or was an old message replayed as a new one?

Also, it could be that a small PGP key has been broken.  A 384-bit PGP
key has already been broken by a factoring attack.  That is neither
surprising nor alarming to say the least.  Without more information it
really is impossible to analyze what happened.

-derek