1994-07-04 - Re: Question for PGP Gurus

Header Data

From: Derek Atkins <warlord@MIT.EDU>
To: tcmay@netcom.com (Timothy C. May)
Message Hash: b9f96d76ea90259fbca49c1e3f515bfb2cbb1d48a9e8eaedb23d5828ed979070
Message ID: <9407042153.AA28890@toxicwaste.media.mit.edu>
Reply To: <199407041851.LAA17276@netcom5.netcom.com>
UTC Datetime: 1994-07-04 21:49:10 UTC
Raw Date: Mon, 4 Jul 94 14:49:10 PDT

Raw message

From: Derek Atkins <warlord@MIT.EDU>
Date: Mon, 4 Jul 94 14:49:10 PDT
To: tcmay@netcom.com (Timothy C. May)
Subject: Re: Question for PGP Gurus
In-Reply-To: <199407041851.LAA17276@netcom5.netcom.com>
Message-ID: <9407042153.AA28890@toxicwaste.media.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain

> Someone has told me that pre-MIT versions of PGP may have compromised
> security because "the session key is hashed solely from the
> plaintext."
> Is this true? What's the significance? Is there any weakness?

This is not true.  The session key is based upon random input (key
timings from the passphrase, and other sources of random input) as
well as the randseed.bin file, which was generated by random
keypresses at key generation.  (It may also include other sources of
randomness as well; I do not recall).

This is only for the random session keys.  If you use conventional
crypto mode (pgp -c), then the IDEA key is based solely on the hash of
the passphrase, and I believe the IV is not random (maybe it should be
a random IV?)

Hope this helps, Tim.
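The conventional-mode point at the end of the reply (key derived solely from a hash of the passphrase, IV possibly not random) can be made concrete in CFB mode. The following is an added worked example, not code from the original message or from PGP: it uses a stand-in 64-bit block function built from HMAC-SHA256 in place of IDEA, takes MD5 of the passphrase as the key (an assumption for illustration, not a claim about PGP's exact derivation), and encrypts two constructed messages that share a prefix, once with a fixed all-zero IV and once with a fresh IV per message.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit block, the same block size as IDEA


def passphrase_key(passphrase: bytes) -> bytes:
    """Conventional-mode key: derived solely from a hash of the passphrase.

    The hash function is an assumption for this example; the point is only
    that the same passphrase always yields the same key."""
    return hashlib.md5(passphrase).digest()  # 128-bit key, IDEA's key size


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the IDEA block cipher: a keyed PRF (HMAC-SHA256) truncated
    to one block. CFB only runs the cipher in the forward direction, so a PRF
    is enough to show the mode's behaviour (it is not a real cipher)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV."""
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_prf(key, prev)
        chunk = plaintext[i:i + BLOCK]
        cipher_block = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += cipher_block
        prev = cipher_block  # a final partial block is never fed back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption: P_i = C_i XOR E_k(C_{i-1})."""
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        keystream = block_prf(key, prev)
        chunk = ciphertext[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out)


FIXED_IV = bytes(BLOCK)  # the non-random IV the reply worries about


def encrypt_fixed_iv(passphrase: bytes, plaintext: bytes) -> bytes:
    """Weak variant: same passphrase + same IV means the keystream repeats."""
    return cfb_encrypt(passphrase_key(passphrase), FIXED_IV, plaintext)


def encrypt_random_iv(passphrase: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Hardened variant: fresh IV per message, sent in clear ahead of the ciphertext."""
    if iv is None:
        iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(passphrase_key(passphrase), iv, plaintext)


def decrypt_random_iv(passphrase: bytes, blob: bytes) -> bytes:
    return cfb_decrypt(passphrase_key(passphrase), blob[:BLOCK], blob[BLOCK:])


def shared_prefix_blocks(a: bytes, b: bytes) -> int:
    """Number of leading ciphertext blocks two messages have in common.
    Anything above zero is plaintext structure visible to an observer."""
    n = 0
    for i in range(0, min(len(a), len(b)), BLOCK):
        if a[i:i + BLOCK] != b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample input: one passphrase, two plaintexts sharing a 28-byte prefix
PASSPHRASE = b"correct horse battery staple"
MSG_A = b"Dear Tim, the meeting is at noon."
MSG_B = b"Dear Tim, the meeting is at dusk."

if __name__ == "__main__":
    fa, fb = encrypt_fixed_iv(PASSPHRASE, MSG_A), encrypt_fixed_iv(PASSPHRASE, MSG_B)
    ra, rb = encrypt_random_iv(PASSPHRASE, MSG_A), encrypt_random_iv(PASSPHRASE, MSG_B)
    print("fixed IV : identical leading blocks =", shared_prefix_blocks(fa, fb))
    print("random IV: identical leading blocks =", shared_prefix_blocks(ra[BLOCK:], rb[BLOCK:]))
    assert decrypt_random_iv(PASSPHRASE, ra) == MSG_A
```

With the fixed IV the first three ciphertext blocks of the two messages are identical, because the key, the IV and the fed-back ciphertext are all the same until the plaintexts diverge; with a per-message IV the keystream differs from the first block onward. The random session-key path Derek describes for public-key mode does not have this problem, since a fresh key is drawn from mixed randomness for every message.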