1995-07-31 - a hole in PGP

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: warlord@MIT.EDU (Derek Atkins)
Message Hash: 195ea314a2358f172cf5b6711c87933ced68714c3756dd00bd8827fc7bd5ff6b
Message ID: <9507312253.AA27941@all.net>
Reply To: <199507311925.PAA28281@toxicwaste.media.mit.edu>
UTC Datetime: 1995-07-31 22:59:19 UTC
Raw Date: Mon, 31 Jul 95 15:59:19 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Mon, 31 Jul 95 15:59:19 PDT
To: warlord@MIT.EDU (Derek Atkins)
Subject: a hole in PGP
In-Reply-To: <199507311925.PAA28281@toxicwaste.media.mit.edu>
Message-ID: <9507312253.AA27941@all.net>
MIME-Version: 1.0
Content-Type: text

> Hey, Doc...
> > The term paranoid is inappropriate in this context.  Paranoia refers to
> > an irrational fear, while I am expressing a rational concern over a
> > system that has been taken over by a (partially) government funded
> > university and which has not been properly verified.  The history of
> > cryptography (as they say) is (quite literally) littered with the dead
> > bodies of people killed because somebody else thought a cryptosystem was
> > good enough when it was not. 
> If you are concerned that someone put a whole or backdoor in PGP, then
> go grab the source and take a look for yourself.  Thats why the code
> is available.  If you can't understand it, then you probably have no
> real right to complain!  However if you are still paranoid (and yes, I
> do believe this is an irrational fear, being the person who maintains
> the MIT PGP development sources) then go find someone who can
> understand it and ask them.
> As a side note, PGP does not go out of its way to choose "good" primes
> over other primes.  Take a look at genprime.c and read the comment
> near the top of the file.  It explains why.

My assertion regarding weakness of the key generation algorithm was not
related to the response you gave.  As a result, it appears that you are
avoiding the issue.  This looks bad if you are, as you claim, maintaining
a legitimate algorithm.  Perhaps you would be better served by addressing
the specifics of my comments - to wit: What makes you think PGPs method
of getting seeds does not lead to a limited key space that is within the
realm of modern computers to search?

	Your assertion that I could find the backdoor by inspecting the
program is the wrong tactic for secure programs.  If you want people to
believe that a program is secure, you had better come up with good
reasons that it is secure, and not hide behind "if you can't find any
holes, it must be secure".

	Clever back doors are not accomplished by an obvious program
change, but rather by the subtle use of some technique that appears to
do one thing when it actually does something else.  As a good example, a
subtle interation with the rest of the environment could modify the key
generation algorithm after it is loaded.  Unfortunately, PGP is too
large to verify against such back doors, so I ask again:

	Why (specifically) do you think the MIT version of PGP has no
backdoors and is not subject to attacks such as the one outlined in my
previous posting?

-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236