From: edgar@spectrx.saigon.com (Edgar W. Swank)
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: 81e9403b6658ffd968923e3e1f43ba7c0c8246e4746ce6b9ce9c96e85bd0e19a
Message ID: <66Licc4w165w@spectrx.saigon.com>
Reply To: N/A
UTC Datetime: 1993-11-05 00:37:41 UTC
Raw Date: Thu, 4 Nov 93 16:37:41 PST
From: edgar@spectrx.saigon.com (Edgar W. Swank)
Date: Thu, 4 Nov 93 16:37:41 PST
To: Cypherpunks <cypherpunks@toad.com>
Subject: Re: Allegations of PGP Weaknesses
Message-ID: <66Licc4w165w@spectrx.saigon.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
A few days ago, Victor Borisov posted here the following allegations
or rumors about "weaknesses" in PGP.
>He made same program (LanCrypto). That why, I hear only bad
>words from he. :) You can read about this program in
>cypherpunks. >From other KGB-men, I hear, that prophesor
>Sidelnicov (the well known cryptoanalisist from Russia) saw,
>that PGP has some weak places:
> - random number is`t "good" random number.
> - md5 has hole (but here man lapse into salence:( ).
> - PGP for DOS don`t have any anti-overloking tools.
>
>BTW: LanCrypto play on last weakness: thay wrote litle
>resident DOS program. This program crack PGP and than pgp
>sign (and check) only part of message. LanCrypto public
>this resalt in buziness newspaper and show program on the
>big computer-show. I think this is rough market, but it
>work well (as all, that KGB made:))!!!
Since then, I have checked with other members of the PGP development
team and here is a summary of what they (and I) say:
The random number handling in PGP was beefed up in the 2.2
release. We don't know if there were any real weaknesses before
that, but the improvements were added anyway. We suspect that if
there were any problems, they are gone now. The guy who
complained about it, Dr. Sidelnikov, never cooperated with
requests for details on what he found wrong with PGP. In fact, he
was pointedly uncooperative when contacted with questions asking
him for details.
If MD5 has a hole, we'd like to know about it. It would be
publishable in any crypto journal. At Eurocrypt93, someone did
find some slight weakness in MD5, but in realistic situations,
this would not be a significant weakness. Future versions of PGP
may use the SHA hash algorithm, instead of MD5. MD5 should be
kept around for backwards compatibility. MD5 is still a good hash
function, and the weaknesses found were not applicable to any
real-world uses of it.
An old version of PGP did not detect if material was appended to a
signed message. This was a bug that was fixed, around version
2.2, or maybe 2.1, I'm not sure which.
We're not quite sure what "anti-overlooking" tools are, but based
on Boris' example, we guess it would be code added 1) to insure
that the code is unmodified and 2) make analysis of the code (e.g.
with debugging tools & disassemblers) difficult.
Since PGP is distributed with source code, it's obviously open to
analysis and modification by anyone even moderately skilled in
programming. "Overlooking" attacks are easily countered by 1)
making sure you have a "clean" PGP.EXE by checking it against the
detached signature packed with it. 2)Running PGP with a freshly
booted MSDOS from a factory diskette. This is especially true if
you run into "suspicious" actions when running PGP in your normal
configuration. (Like you get back a copy of something you signed
which seems to have text added you don't remember).
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLNeRXt4nNf3ah8DHAQE+0QP/csLY4hw6AHGTdkoZu2koETv2q/ohnVl8
yGDwR65VVeuuiSANHjSmhUbA2w7DcbOaIxamzi1PSY6OHosB1ve4d2hOHKzdMrv1
m38x0iQLPZdGuuX0mCxRqvIJ47W8xKj49CxXIB+Khrva0nn+pAmQF6+IYonPGSAE
7uRREQnIzCU=
=7ogP
-----END PGP SIGNATURE-----
--
edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca
Return to November 1993
Return to “edgar@spectrx.saigon.com (Edgar W. Swank)”
1993-11-05 (Thu, 4 Nov 93 16:37:41 PST) - Re: Allegations of PGP Weaknesses - edgar@spectrx.saigon.com (Edgar W. Swank)