1995-08-01 - Re: a hole in PGP

Header Data

From: “Patrick J. LoPresti” <patl@skyclad.lcs.mit.edu>
To: perry@panix.com (“Perry E. Metzger”)
Message Hash: 5abef3839db1534a95ce2e8909a1c011d06e419d6189528ce4ce28b38e6c0968
Message ID: <199508011634.MAA00496@skyclad.lcs.mit.edu>
Reply To: <199508011542.LAA23817@panix4.panix.com>
UTC Datetime: 1995-08-01 16:34:31 UTC
Raw Date: Tue, 1 Aug 95 09:34:31 PDT

Raw message

From: "Patrick J. LoPresti" <patl@skyclad.lcs.mit.edu>
Date: Tue, 1 Aug 95 09:34:31 PDT
To: perry@panix.com ("Perry E. Metzger")
Subject: Re: a hole in PGP
In-Reply-To: <199508011542.LAA23817@panix4.panix.com>
Message-ID: <199508011634.MAA00496@skyclad.lcs.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


>>>>> "perry" == "Perry E Metzger" <perry@panix.com> writes:

 perry> "Patrick J. LoPresti" writes:

 >> I find it surprising that people so familiar with public key
 >> cryptography would be reassured by the argument, "Here, this
 >> algorithm has been examined by thousands and nobody has found a
 >> trap door."  Public key cryptography demonstrates that it is
 >> possible, in principle, to construct an algorithm with a trap door
 >> that nobody else is *ever* going to find.

 perry> This is not correct as you have phrased it.

On the contrary, it is *precisely* correct as I have phrased it.

 perry> Although it is not possible to find a decision proceedure for
 perry> any non-trivial property of programs in general (whether it
 perry> halts, for example) in practice well written code can be well
 perry> understood and cannot conceal very much at all.

Check my phrasing again.  Note the use of "in principle".

Whether the principle applies in practice is certainly a matter for
debate.  I would point out that 1) PGP is hardly well written code,
and 2) many current cryptographic algorithms make ideal places for
concealing all sorts of things.

 perry> In order to use public key cryptography to obfuscate a program
 perry> as you suggest, you'd have to include huge tables of large
 perry> numbers in it. Any idiot can observe the existance of such
 perry> mysterious tables.

Sorry, I can't resist.  From "md5.c" in the PGP distribution:

 * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
 * initialization constants.
void MD5Init(struct MD5Context *ctx)

(Note: Of course I don't think that MD5 has a back door, but that has
more to do with my trust of Rivest than the fact the algorithm is

 perry> Trying to conceal anything in cleanly written code is an
 perry> enormous challenge, and one that has nothing to do with public
 perry> key crypto per se.

By "cleanly written code", I presume you mean code which is either
formally proven to be a correct implementation, or code which is so
transparent that it is "obviously" a correct implementation.  PGP's
random number generator is neither.

Moreover, as I precisely mentioned, the algorithms themselves can
conceal back doors.  This has plenty to do with public key
cryptography.  A reduction proof from a known hard problem would make
this virtually impossible, but there is no such proof for PGP's random
number generator.  (Nor for any other algorithm used by PGP, although
I admit RSA comes close.)

Version: 2.6.2
Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface