home *** CD-ROM | disk | FTP | other *** search
-
- ALT.2600
- Subj : On 'cracking' PGP...
-
- Ok. There has been alot of discussion on this topic as of late,
- and I feel it is time to clarify a few things. This information
- will be, in future, available from the ole .plan, so direct
- inqueries there.
-
-
- Cracking PGP Myth Banishment Notes
-
- by Route
-
- PGP is a hybrid cryptosystem. It contains 4 crytpographic elements,
- each of which is subject to a different type of cryptographic
- attack. It contains a symmetric cipher, an asymmetric cipher, a
- one-way hash, and a random number generator.
-
-
- -- The symmetric cipher --
-
- IDEA, finalized in 1992 by Lai and Massey is strong. It is the
- toughest block cipher known of today. There have be no advances
- in the cryptanalysis of standard IDEA that are publically known.
- (I know nothing of what the NSA has done, nor does most anyone.)
- The best method of attack, therefore, is brute force. As we all
- know the keyspace of IDEA is 128-bits. To recover a particular
- key, one must, on average, search half the keyspace. That is 127
- bits. Fine. If you, for the sake of argument, had 1 billion
- machines that could try 1 billion keys/sec. It would still take
- all these machines longer than the universe as we know has existed
- and then some, to find the key. Not a likely event. IDEA, as far
- as present technology goes, not vulnerable to attack, pure and
- simple.
-
-
- -- The asymmetric cipher --
-
- RSA, the first *full fledged* public key cryptosystem was designed
- by Rivest, Shamir, and Adleman. It has withstood *years* of
- *intense* cryptographic scrutiny. RSA gets it's security from
- the apparent difficulty in factoring very large composites.
- However, nothing has been proven with RSA. It is not *proven*
- that factoring the public modulous is the only (best) way to
- factor RSA. It is also not proven that factoring *has* to be
- as hard as it is. There exists the possiblity that an advance in
- number theory may lead to the discovery of polynomial time factoring
- algorithm. But, none of these things has happened, and nothing
- points in that direction. However, 3 things that *are* happening
- and *will* continue to happen are the advances in: factoring
- technique and computing power, and the decrease in the cost of
- computing hardware. These things, esp. the first one, work against
- the security of RSA. However, as computing power increases, so
- does the ability to generate larger keys. It is *much* easier to
- multiply very large primes than it is to factor the resulting
- composite.
- So, as it stands now, the best way to crack RSA is through factoring
- the public modulus. This, as far as we know, is not an easy task,
- if the public modulous is large enough (there are numerous examples
- of smaller keys falling to concerted effort). Using the General
- Number Field Sieve, a 1024-bit key would likely require 3E11 MIPS
- years to factor. 20 years from now (assuming no breakthoughs in
- factoring technology) this keyspace will likely be insecure. Today,
- it is not. But, the ultra-conservative will opt for 2048-bit
- keys, which is not a bad idea in my opinion.
- It is very difficult to make predictions in this area of computing/
- cryptography. Arjen Lenstra the most succesful factorer will not
- make predictions oast 10 years.
- To sum it up: RSA is vulnerable to factoring. --DON'T LET ANYONE
- WITHOUT A PHD IN THEORECTICAL MATH TELL YOU OTHERWISE-- If you use
- a large enough public key, all the worlds computers cannot factor
- your key (using present factoring technology). RSA would not have
- lastest this long if it was as fallible as some crackpots would
- like you to believe.
-
-
- -- The one-way hash --
-
- MD5 is the hash used to hash the passphrase into the IDEA key and
- to sign documents. Message Digest 5 was designed by Rivest. It's
- output is four 32-bit blocks, which form a 128-bit hash of the
- input. MD5 has no known practical security weaknesses. It has a
- weakness in the compression function, allowing for collisions, but
- this does not allow for any practical attack. There are two attacks
- against MD5 (or any hash function). The first is to find a another
- input that will hash to same value. Not very practical or likely.
- Remember the output is 128-bits. That's a BIG number. The other
- attack, the birthday attack, trys to find two random messages that
- hash to the value. This is also impractical (although not as much
- as the first one).
- Since English has 1.3 bits of information per character, and IDEA
- uses a 128-bit key, a passphrase of about 100 characters will
- maximize the randomness of the resulting hash. How many of you
- use 100 character passphrases?
-
-
- -- The PRNG --
-
- I do not have enough info on the PSNG used by PGP as of yet. This
- section under construction.
-
- --
- ----| Infinity / Route / daemon9 |--------|------------------|--------------
- --| Founding member: The 0x47 0x75 0x69 0x6C 0x64 | Finger for information |--
- [RSADSALUCGARGOYLEIDEADESLUCIFERLOKIFEALSHAMD5HAVALSNEFRU]
- Business wants to make money, Government wants to have control.
- Our privacy is at stake. Use strong cryptography.
-
