1995-08-01 - Re: a hole in PGP? NOT!

Header Data

From: Derek Atkins <warlord@ATHENA.MIT.EDU>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 13bcb62d6dbf45134877b5a2eb99baeb90162f7fdcd0f6575e68fe41cc5bb3ee
Message ID: <199508010658.CAA18603@charon.MIT.EDU>
Reply To: <9508010250.AA14743@all.net>
UTC Datetime: 1995-08-01 06:59:00 UTC
Raw Date: Mon, 31 Jul 95 23:59:00 PDT

Raw message

From: Derek Atkins <warlord@ATHENA.MIT.EDU>
Date: Mon, 31 Jul 95 23:59:00 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: a hole in PGP?  NOT!
In-Reply-To: <9508010250.AA14743@all.net>
Message-ID: <199508010658.CAA18603@charon.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain

This might seem a bit long, and I'd like to apologize to the real
cypherpunks for my ranting.

> > Because you seem to be pointing a finger at specific people.  Your
> > recent messages imply (to me, at least) that you think one or more
> > members of the MIT PGP project may have deliberately tampered with
> > some of the PGP code.
> I don't believe I actually said any such thing.  Perhaps you are not
> reading (or I am not writing) carefully enough.  All I think I did was
> ask why I should believe they have not when they or those like them have
> done it before. 

You have.  I doubt it was intentional, but you have, continually.
Here are some snipets of things you've said.  First, you say that it
is a rational concern since PGP was taken over by us:

> The term paranoid is inappropriate in this context.  Paranoia refers to
> an irrational fear, while I am expressing a rational concern over a
> system that has been taken over by a (partially) government funded
> university and which has not been properly verified.  The history of
> cryptography (as they say) is (quite literally) littered with the dead
> bodies of people killed because somebody else thought a cryptosystem was
> good enough when it was not. 

Then you talk about the MIT version as if it were the original thing:

> 	Why (specifically) do you think the MIT version of PGP has no
> backdoors and is not subject to attacks such as the one outlined in my
> previous posting?

PGP 2.0 was released in September, 1992, from Europe, and many many
people have been examining it ever since.  I truly belive that there
are no backdoors.  Does that mean the program is completely bug-free?
Hardly.  Does it mean that some attack against PGP wont be discovered
in the future?  I dont know, I'm not a diviner, I cannot forsee the
future, and I have no idea what technology will come in the future.
For all I know, someone will prove that P=NP and all this will be for

Anyways, to get back to my claims of your hurtful statements:

> Why (specifically) do you think so? Because you claim it? Because the
> MIT maintainer claims it? You say MIT is not associated with the NSA,
> but they have historically been funded by the NSA and other federal
> agencies for work on information security.  Do you really think that the
> only information protected by PGP is dirty pictures? Do you somehow
> think that MIT and the NSA are above that sort of thing? All you have to
> do is look at history, and it should be clear that this appeal to
> authority is often used by those trying to cover things up.  If you know

that, I cannot BELIEVE you would have the Balls to say that the NSA
has bought me.  Go re-read what you've said.  You have just said that
the MIT PGP team, through MIT, is bound to be covering something up
because of historical fact.  

I have never said "Believe me when I said PGP is secure".  I have
continually asked for you to check on the security yourself.  But you
have continually refused to do that, and asked why it is secure!  So,
you refuse to look for yourself, and you refuse to believe it when you
are told.  So, what the hell do you want?  Do you want a line-by-line
examination of the code????  Sheesh!

> It cannot be safely assumed that any program is clean or that any one
> person or group is not involved with intentionally subverting security.
> That violates the fundamental principles of information protection.

You're right, which is why the source code is publically available.  I
would wholeheartedly agree with you if only binaries are shipped, but
the source is available.  Anyone can look through and verify the code.
Anyone can try to find weaknesses.  In fact, everyone is encouraged to
do so.  I don't see how _this_ "violates the fundamental principles of
information protection".

> You might be, but even if you are not, that doesn't mean there are no
> back doors.  Your inability to detect a backdoor gives me little
> confidence, since this is at least an NP-complete problem and, with all
> due respect, today, nobody can prove that PGP is free of backdoors

I think I've finally figured out where you are completely confused!!!
You are confusing "back door" with "bug".  FYI: A back door is usually
a means to make it easy for someone to get into a system.  For
example, if I put in code so that I could read every PGP message by
typing the passphrase "Setec Astronomy", that would be a backdoor.
The fact that httpd was exploitable, or sendmail holes, or etc. are
BUGS, not Back doors.

Your problem is that you are using these terms interchangably.  THEY
ARE NOT THE SAME.  Putting in a backdoor has the connotation of
intent.  A bug is an accidental occurrance that was a side effect of
poor coding, a typo, carelessness, confusion, inconsistency, etc.  A
back door, on the other hand, is a DELIBERATE ATTEMPT TO REDUCE OR

> "...Choosing random quantities to foil a resourceful and motivated
> adversary is surprisingly difficult.  ...recommends the use of truly
> random hardware techniques and shows that the existing hardware on many
> systems can be used for this purpose."
> PGP does not use "truly random hardware techniques"

Oh?  It doesnt?  How can you say that?  In what way does it not do
this?  The RFC states, in your quote, that "existing hardware on many
systems can be used" for truly random hardware techniques.  Please,
substantiate your claim that PGP does not do this.  Show me code
segments which show it does not.  Show me an analysis that goes
contrary to the RFC.

> But the RFC acknowledges that these methods are highly suspect and should
> not be trusted.

You're right, it should not be blindly trusted.  Go read the code and
examine the algorithms to prove to yourself that it is secure.  I've
done that to the extent that I wish, and I believe it is secure.  But
you wont take my word for it, so go ahead and check!  Oh, wait, you
wont do that either.  Sorry.  I forgot.

> How is it "unscholarly, unprofessional, needlessly personal, and just
> plain insulting" to question the idea that hundreds of thousands of
> people are trusting their freedom to software that is probably not
> secure? I think it is highly unprofessional to try to claim that PGP is
> secure and to try to bolster that position by claiming that some
> "Request for Comments" supports it when that same said RFC refutes it.

Show me some proof that PGP is "probably not secure"?  Come on, there
is a finite probability that I can walk through a wall!  The laws of
quantum probablility give me this finite probability!  But I'd be hard
pressed to show you that I can walk through the wall.  It looks good
on paper, but it just ain't gonna happen.

As for the RFC, it does not refute that PGP is secure.  In fact, PGP
pretty much follows the RFCs guidelines.  You clearly have selective
reading.  A useful skill -- I should learn it.

> It has been my general impression that "scholarly" means, among other
> things, questioning the status quo and finding out where the generally
> accepted ideas break down.  I am a professional in the field of
> information protection, and I consider it highly unprofessional in this
> field to assume that systems are secure without ample evidence to
> support it.

Dont forget that you have to run PGP in some OS.  Please show me a
secure OS!  Given that the OS cannot be secure (using your logic it is
intuitively obvious that this is true) then how can you ask to see a
program any more secure than the enviornment in which it runs?  PGP
tries to be as secure as possible given the environment in which it is
being run.

> So far, I see no ample evidence to support the security of PGP's key
> generation algorithm relative to the concerns I have expressed.  Those
> concerns are fairly specific as far as I am concerned, but if you feel I
> have to demonstrate a specific attack that works in order to question
> the adequacy of protection, I think you have it backwards.

No, your concerns have been utterly vague.  The closest you've come to
being at all specific is some vague notion of analyzing keystrokes.
In every message I've responded to, I've asked you to expand upon what
you mean.  What kind of analysis do you mean?  How do you propose to
analyze keystroke timings?  Even if you have a probabalistic model of
keystroke timings, all you can possibly do is compare two different
probabilities to see if they are the same.  But that doesn't help you
limit the search on keys.

> If the people at MIT feel personally insulted because I have questioned
> their previously accepted ideas, it's just too bad.  I didn't say they

I'm not insulted that you are questioning PGP.  I am insulted because
in every message you have sent, you have postulated some conspiracy
with the government or postulated some intentional weakening of PGP.
Your statements could almost be construed as libelous, which is why I
feel insulted.  I feel extremely comfortable with people questioning
the security of PGP.  What I dont like is someone stating that it is
not secure, slaiming some sort of back door (which connotes some
intent to reduce the security) and does not back up the claim with any

> 	In my case, I question its security and have given at least one
> 	example of how it could be insecure.

And I've asked to you explain your conjecture, which you have
constantly either refused to do or intentionally ignored.

> 	If you do believe it is secure, you should be able to support
> 	your contention with more than reference to RFCs, vague
> 	comments, and claiming that you have read the code and didn't
> 	catch anything.

No matter what, PGP's security is based upon the security of RSA,
which in turn is based upon the difficult of factoring, which has
never been proven to be hard.  Therefore, there is always the
possibility that someone will find a polynomial factoring algorithm
which would completely destroy any security in PGP.

> 	If you cannot specifically address my question, say so, tell us
> 	all that the security of PGP is an open question, and either
> 	leave it open or go after closing it.

Ok.  Please explain what kind of keystroke timing analysis you
propose, and I will attempt to answer that, or concede your point.

> 	OR come up with another alternative that doesn't ignore my question,
> 	doesn't avoid the issue, doesn't appeal to authority that fails to
> 	adequately support your contentions, and doesn't claim that I an
> 	somehow unprofessional or scholarly for questioning an unproven
> 	contention.

Have you heard the thought experiment of putting a back-door in login
by modifying the C compiler to modilgy the C compiler to modify login?
Think about that in terms of the security of PGP -- you are always
going to be limited in security to the security of the system on which
you are running.

I only believe you are being unscholarly because you are making claims
without any supporting evidence.  _THAT_ is unscholarly!  

Now, if you are asking if PGP is completely bug free, I will be the
first to admit that it is not.  I am certain that there are latent
bugs in the code (and there are many that have been fixed since the
2.6.2 release).  However that has not been your statement nor your
questions.  You have asked about back doors, an intentional act to
reduce the security, and to that I vehemently say that there are none.

How do I know that you haven't been infected by a computer virus?
Perhaps there was a computer virus that flashed subliminal messages on
your screen to make you think you were L. Detweiler and think that
Desert Storm was the greatest thing since sliced bread?  Improbable?
Perhaps, but prove to me that this didn't happen!  How do you know
that Microsoft Windows doesn't send all your keystrokes to Bill Gates
for him to peruse?  Prove to me that we landed on the moon!  Some have
contended that it was all a hoax.  Prove to me that the universe
existed before I was concious of it.  How do I know that you exist?
Perhaps all this is a dream -- and if so, I sure hope to god I wake up

Good night.