1995-08-01 - Re: a hole in PGP

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: mab@crypto.com (Matt Blaze)
Message Hash: 8611b44347587ce06ecfd5861ffba664e7959c629e19d7fceee9b7fb0085e4d3
Message ID: <9508010120.AA07073@all.net>
Reply To: <199508010112.VAA26078@crypto.com>
UTC Datetime: 1995-08-01 01:26:47 UTC
Raw Date: Mon, 31 Jul 95 18:26:47 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Mon, 31 Jul 95 18:26:47 PDT
To: mab@crypto.com (Matt Blaze)
Subject: Re: a hole in PGP
In-Reply-To: <199508010112.VAA26078@crypto.com>
Message-ID: <9508010120.AA07073@all.net>
MIME-Version: 1.0
Content-Type: text

> It's true that, in general, the "burden" of demonstrating whether a
> system is secure should fall primarily on those who claim it is rather
> than on those who claim it isn't.  It's also true that PGP, for
> whatever reason, is treated with a degree of reverence that is,
> perhaps, unwarranted.  I, for one, would be much happier to see
> greater vetting of widely-used programs like PGP.

Excellent assessment - I wholly agree with it.

>  But that does not
> mean that one can expect to be taken seriously by simply throwing
> darts and seeing where they land.  That would mean that essentially no
> hardware, software, algorithm or protocol could ever be considered
> trustworthy by anyone for any purpose.  There is a difference between
> raising specific concerns and making vague, wild, unsupported claims,
> which is how what you wrote below reads to me.

A reasonable response.  My question is: Why do you think that the key
generation algorithm used by PGP is secure? Specifically, how do we know
there is no subtle back door that reduces the problem of testing the
typical key space to a solvable problem in today's technology?

I don't believe I made ANY "vague, wild, unsupported claims"; however,
that is certainly a matter of opinion.

> >Why (specifically) do you think so? Because you claim it? Because the
> >MIT maintainer claims it? You say MIT is not associated with the NSA,
> >but they have historically been funded by the NSA and other federal
> >agencies for work on information security.  Do you really think that the
> >only information protected by PGP is dirty pictures? Do you somehow
> >think that MIT and the NSA are above that sort of thing? All you have to
> >do is look at history, and it should be clear that this appeal to
> >authority is often used by those trying to cover things up.  If you know
> >something about PGP's security that you aren't telling us, don't beat
> >around the bush about it.  Come out and say it.  Tell us that you have
> >proven that PGP has no backdoors and what method you used to do that. 
> >Tell us that you have hand verified all the code and that none of it
> >overwrites the key generation process and tell us how you verified it.
> No one knows how to "prove" anything substantial, much less the absence
> of backdoors, for anything but the most trivial software and
> algorithms.

Excellent - have you looked at the white paper describing the secure
"get-only" W3 server available under What's New at http://all.net? I
think that this is a step in the right direction toward demonstrating
more about a program than that it runs most of the time and seems to
give reasonable answers.  Perhaps someone would like to make similar
demonstrations for PGP.

> >It cannot be safely assumed that any program is clean or that any one
> >person or group is not involved with intentionally subverting security.
> >That violates the fundamental principles of information protection.
> Your attempt to cast a near-defamatory shadow of suspicion over the
> individuals and institutions who wrote the software, without raising
> even a single specific concern about something you've observed about
> the code, invites more questions about your own motives than those of
> MIT or its staff.  It seems reasonable to ask you to put up or shut
> up.

Under what analysis do you construe "It cannot be safely assumed" as

I don't know you any more than you know me.  We are both just mail
sources on the Internet.  Why do you consider it reasonable to assume
that we should all trust statements made by people we do not know and
have not met based on their assertion that they think a cryptosystem is
safe and free of back doors?  If I add a PGP signature, does it make
me any more trustworthy?

> Disclaimer: I also give away cryptographic source code, in connection
> with my job as a research scientist for a company that has even closer
> ties to the spook community than you seem to think MIT has...

And I should trust you to tell me that PGP is safe for me to use?

-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
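The thread argues about whether a key generator could contain "a subtle back door that reduces the problem of testing the typical key space to a solvable problem." The following is an added illustration of what such a back door would look like in principle; it is not code from PGP, from either correspondent, or from this archive, and it describes no real weakness in PGP. Everything in it is hypothetical and constructed: a toy 128-bit key generator whose output is secretly a hash of a 16-bit seed, a toy stream cipher standing in for whatever the key protects, and a known-plaintext brute force that recovers the key by walking the hidden seed space. The point it makes is the one the debate turns on: every key the backdoored generator emits looks as random as an honest one, so no test of the output detects the problem; only inspection of the generator's source (or of the process that produced the binary) can.

```python
"""
Hypothetical key-generation back door that collapses the key space.
Added example for illustration only; not PGP code and not a PGP finding.
"""
import hashlib
import secrets
from typing import Optional

KEY_BYTES = 16   # the keys are 128 bits long, like a real symmetric key
SEED_BITS = 16   # hypothetical back door: only 2**16 distinct keys can ever be produced

# Constructed known plaintext: a header the attacker can expect at the start of a message.
KNOWN_HEADER = b"-----BEGIN PGP MESSAGE-----"


def honest_keygen() -> bytes:
    """What a key generator is supposed to do: every one of 2**128 keys is reachable."""
    return secrets.token_bytes(KEY_BYTES)


def backdoored_keygen(hidden_seed: int) -> bytes:
    """Hypothetical back door: the 128-bit key is a hash of a 16-bit seed.

    Each output passes any statistical test an honest key would pass, yet only
    2**SEED_BITS distinct keys exist, so an attacker who knows the construction
    can enumerate all of them.
    """
    if not 0 <= hidden_seed < 2 ** SEED_BITS:
        raise ValueError("seed outside the back door's range")
    digest = hashlib.sha256(b"hypothetical-backdoor" + hidden_seed.to_bytes(4, "big")).digest()
    return digest[:KEY_BYTES]


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode, XORed with the data).

    XOR makes encryption and decryption the same operation. This stands in for
    whatever cipher the generated key is used with; it is not PGP's cipher.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_no = offset // 32
        keystream = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def brute_force_backdoor(ciphertext: bytes) -> Optional[bytes]:
    """Recover the key by enumerating the back door's seed space.

    A candidate key is accepted when decrypting the first bytes of the
    ciphertext yields the known header. For an honest 128-bit key the same
    search would need on the order of 2**128 trials; here it needs 2**16.
    Returns None if no candidate matches (i.e. the key did not come from the
    backdoored generator).
    """
    prefix = ciphertext[:len(KNOWN_HEADER)]
    for seed in range(2 ** SEED_BITS):
        candidate = backdoored_keygen(seed)
        if keystream_encrypt(candidate, prefix) == KNOWN_HEADER:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed victim message; the seed 12345 is whatever the back door happened to pick.
    message = KNOWN_HEADER + b"\nconstructed message body\n"
    victim_key = backdoored_keygen(12345)
    ciphertext = keystream_encrypt(victim_key, message)

    recovered = brute_force_backdoor(ciphertext)
    print("recovered key matches:", recovered == victim_key)
    print("plaintext:", keystream_encrypt(recovered, ciphertext))

    # Same attack against an honestly generated key finds nothing.
    print("honest key recovered:", brute_force_backdoor(keystream_encrypt(honest_keygen(), message)))
```

Run it directly and the backdoored key falls out in a fraction of a second, while the same search against an honestly generated key returns None. The check a practitioner takes from this is that confidence in a key generator has to come from reading and building the generator itself, not from looking at the keys it produces.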