From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 352f7bd27b6bfd06e682ffe3e206b133ecdd05ebbf3ec4bda9e02c4fb46a91a0
Message ID: <199508010544.PAA07308@sweeney.cs.monash.edu.au>
Reply To: <9508010250.AA14743@all.net>
UTC Datetime: 1995-08-01 05:51:57 UTC
Raw Date: Mon, 31 Jul 95 22:51:57 PDT
From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
Date: Mon, 31 Jul 95 22:51:57 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: a hole in PGP
In-Reply-To: <9508010250.AA14743@all.net>
Message-ID: <199508010544.PAA07308@sweeney.cs.monash.edu.au>
MIME-Version: 1.0
Content-Type: text/plain
Hello fc@all.net (Dr. Frederick B. Cohen)
and mab@crypto.com (Matt Blaze)
and cypherpunks@toad.com
I'm afraid I missed the start of this thread, sorry if I'm repeating...
...
> The fact is, you seem to support the idea that PGP is secure without a
> reasonable basis, and when pushed a bit harder, agree that it probably
> is not secure.
The problem is that "secure" is not really something that can be proved.
(I'm not sure if that's a theoretical or a practical fact, but it remains.)
For one thing, I'm not even sure the RSA algorithm itself is secure.
(At least I've never heard of a proof; have you?)
As long as I'm using PGP to send letters to grandma, the cost (to me) of
a successful attack is small. I therefore expend little effort to verify
that it is secure.
If/when I start to use it for more serious applications, I will read
the source code. I might even modify it (e.g. accord less entropy per
keystroke) if I'm not happy with it.
If circumstances warranted, I could re-implement it from the appropriate
RFC (is it out yet or still draft?). However, in such circumstances,
I very much suspect a one-time-pad would be used.
> This is how professionals deal with these sorts of questions:
>
> If you do not believe it is secure, you should say why not.
I do not believe that it can be proven secure.
> In my case, I question its security and have given at least one
> example of how it could be insecure.
If you doubt the key-gen routine:
* you are certainly free to make up your own keys any way you like,
* write your own and argue that it's better, and/or
* find a way to break the key-gen routine.
> If you do believe it is secure, you should be able to support
> your contention with more than reference to RFCs, vague
> comments, and claiming that you have read the code and didn't
> catch anything.
Adding to the list:
* I've never heard of anyone catching anything (except the headers on
clearsigned messages problem).
> If you cannot specifically address my question, say so, tell us
> all that the security of PGP is an open question, and either
> leave it open or go after closing it.
The security of anything is an open question.
You shouldn't spend more on proving security than a breach would cost.
Hope I'm making sense...
Jiri
--
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
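The "accord less entropy per keystroke" knob mentioned above is the kind of change a reviewer of a key-generation routine might make: the danger is over-crediting entropy from keystroke timings, so that a key is declared ready before enough unpredictability has been gathered. The following added example (written for this archive page; it is not code from the message's author, from PGP, or from any other project) contrasts a naive estimator that credits the whole inter-keystroke interval with a more conservative one that credits only the change in rhythm between consecutive intervals, both under an adjustable per-keystroke cap. The timing samples, the millisecond resolution, the function names and the two estimators are all constructed assumptions for illustration, not PGP's actual algorithm.

```python
import math

# Constructed sample data: milliseconds between successive keystrokes.
# These are invented for illustration, not measurements from any system.
REGULAR_TYPIST = [120, 120, 121, 120, 120, 121, 120]   # steady rhythm
IRREGULAR_TYPIST = [100, 131, 100, 115, 130, 99]       # uneven rhythm


def naive_bits(delta_ms: int) -> float:
    """Credit log2 of the interval itself (hypothetical over-crediting estimator).

    This treats every interval as if it were uniformly random over its whole
    range, which a steady typist does not provide.
    """
    return math.log2(max(delta_ms, 1))


def rhythm_bits(delta_ms: int, prev_delta_ms: int) -> float:
    """Credit only the change in rhythm between consecutive intervals.

    A perfectly regular typist scores near zero; a surprising pause or burst
    scores more. This is a simplified first-order timer-delta credit, an
    assumption of this example rather than any real implementation.
    """
    return math.log2(1 + abs(delta_ms - prev_delta_ms))


def per_keystroke_credit(deltas, cap_bits, estimator="rhythm"):
    """Yield the capped entropy credit for each keystroke in order."""
    prev = None
    for d in deltas:
        if estimator == "naive":
            bits = naive_bits(d)
        elif prev is None:
            bits = 0.0  # nothing to compare the first interval against
        else:
            bits = rhythm_bits(d, prev)
        prev = d
        # cap_bits is the knob: lowering it forces more keystrokes per key
        yield min(bits, cap_bits)


def credit(deltas, cap_bits, estimator="rhythm"):
    """Total entropy credited for a whole sequence of keystrokes."""
    return sum(per_keystroke_credit(deltas, cap_bits, estimator))


def keystrokes_needed(deltas, target_bits, cap_bits, estimator="rhythm"):
    """Return how many keystrokes were consumed before target_bits was
    reached, or None if the sequence ran out first (key not ready)."""
    total = 0.0
    for i, bits in enumerate(per_keystroke_credit(deltas, cap_bits, estimator), start=1):
        total += bits
        if total >= target_bits:
            return i
    return None


if __name__ == "__main__":
    for name, sample in (("regular", REGULAR_TYPIST), ("irregular", IRREGULAR_TYPIST)):
        print(name, "naive cap 2:", credit(sample, 2.0, "naive"),
              "rhythm cap 2:", credit(sample, 2.0),
              "rhythm uncapped:", credit(sample, 8.0))
    # The naive estimator declares 4 bits gathered after 2 keystrokes of a
    # steady typist; the rhythm estimator needs all 7 with a 1-bit cap.
    print(keystrokes_needed(REGULAR_TYPIST, 4, 2.0, "naive"),
          keystrokes_needed(REGULAR_TYPIST, 4, 1.0))
```

The point of the comparison is that the estimator and the cap together decide when key material is declared ready: the naive estimator credits a steady typist about seven bits per keystroke regardless of how predictable the rhythm is, while the rhythm-based estimator credits the same input only a bit or so, so a lower cap or a stricter estimator means more keystrokes before a key is accepted.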