Cyphernomicon 7.13

PGP -- Pretty Good Privacy:
Problems with PGP, Flaws, Etc.


   7.13.1. Speculations on possible attacks on PGP
           + There are periodically reports of problems, most just
              rumors. These are swatted down by more knowledgeable
              people, for the most part. True flaws may exist, of course,
              as in any piece of software.
             - Colin Plumb acknowledged a flaw in the random number
                generation process in PGP 2.6, to be fixed in later
                versions.
           + spreading fear, uncertainty and doubt
             - rumors about security of PGP versions
             - selective prosecution of PGP users
             - death threats (such as those made against Bidzos)
           - sowing confusion in the user community
           - fragmenting it (perhaps via multiple, noninteroperable
              versions...such as we're beginning to see now?)
   7.13.2. What does the NSA know about flaws in PGP?
           - They're not saying. Ironically, this violates the part of
              their charter that deals with making commercial security
              stronger. Now that PGP is kosher, they should help to make
              it stronger, and certainly should not keep mum about
              weaknesses they know about. But for them to help strengthen
              PGP is not really too likely.
   7.13.3. The PGP timebomb
           - (As I've said elsewhere, it all gets very confusing. Many
              versions, many sites, many viewpoints, many tools, many
              shells, many other things. Fortunately, most of it is
              flotsam.)
           - I take no point of view--for various reasons--on avoiding
              the "timebomb" by using 2.6ui. Here's someone else's
              comment:  "I would like to take this time to encourage you
              to upgrade to 2.6ui which will overcome mit's timebomb and
              not exclude PGP 2.3a from decrypting messages.....DON'T USE
              MIT's 2.6, use PGP 2.6ui available from soda.berkeley.edu
              : /pub/cypherpunks/pgp" [Matrix at Cypherpunks, BLACK
              THURSDAY!, alt.security.pgp, 1994-09-01]
           + can also be defeated with the "legal kludge":
             - ftp.informatik.uni-hamburg.de :
                /pub/virus/crypt/pgp/legal_kludge.txt
   7.13.4. Spoofing
           - "Suitable timing constraints, and in particular real-time
              constraints, can be used to hinder, and perhaps defeat,
              spoofing attacks.  But with a store-and-forward e-mail
              system (such as PGP is designed to work with) these
              constraints cannot, in general, be set." [Ken Pizzini,
              sci.crypt, 1994-07-05]
   7.13.5. "How do we know that PGP doesn't have a back door or some
            other major flaw? After all, not all of us are programmers or
            cryptologists."
           - Yes, but many of us are. Many folks have analyzed the
              source code in PGP, have compiled the code themselves (a
              fairly common way to get the executable), and have examined
              the random number generators, the selection of primes, and
              all of the other math.
           + It would take only a single sharp-eyed person to blow the
              whistle on a conspiracy to insert flaws or backdoors. This
              has not been done. (Though Colin Plumb acknowledged a
              slight weakness in the RNG of 2.6...being fixed.)
             - "While having source code available doesn't guarantee
                that the program is secure, it helps a lot.  Even though
                many users are not programmers or cryptographers, others
                are, and many of these will examine the code carefully
                and publicly yell about weaknesses that they notice or
                think they notice.  For example, apparently there was a
                big discussion here about the xorbytes() bug in PGP 2.6.
                Contrast this with a commercial program, where such a bug
                might go undetected for years." [Paul Rubin,
                alt.security.pgp, 1994-09-06]
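The xorbytes() bug mentioned above is the kind of defect that source review catches. The following is an added C illustration, not PGP's own code: it assumes the bug took the shape of a plain assignment where an XOR was intended, and shows why that matters for a random pool: each new sample overwrites everything mixed in before it instead of being folded into it, so the pool ends up depending only on the last sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POOL_LEN 16

/* Assumed shape of the flaw: assignment discards the existing pool contents,
 * so every earlier contribution to the pool is thrown away. */
static void xorbytes_buggy(uint8_t *dest, const uint8_t *src, size_t len)
{
    while (len--)
        *dest++ = *src++;
}

/* Intended behaviour: XOR folds new material into what is already there. */
static void xorbytes_fixed(uint8_t *dest, const uint8_t *src, size_t len)
{
    while (len--)
        *dest++ ^= *src++;
}

typedef void (*mix_fn)(uint8_t *, const uint8_t *, size_t);

/* Feed two constructed "entropy" samples into a zeroed pool using the given
 * mixing routine. Returns 1 if the final pool still depends on the first
 * sample (changing it changes the result), 0 if the first sample was lost. */
static int first_sample_survives(mix_fn mix)
{
    /* Constructed sample inputs for illustration; not real entropy. */
    const uint8_t sample_a1[POOL_LEN] = "keystroke-timin";
    const uint8_t sample_a2[POOL_LEN] = "KEYSTROKE-TIMIN";
    const uint8_t sample_b[POOL_LEN]  = "mouse-xy-000001";

    uint8_t pool1[POOL_LEN] = {0};
    uint8_t pool2[POOL_LEN] = {0};

    mix(pool1, sample_a1, POOL_LEN);   /* first sample: variant 1 */
    mix(pool1, sample_b, POOL_LEN);    /* second sample: identical in both runs */

    mix(pool2, sample_a2, POOL_LEN);   /* first sample: variant 2 */
    mix(pool2, sample_b, POOL_LEN);

    /* With the fix the pools differ; with the bug they are identical. */
    return memcmp(pool1, pool2, POOL_LEN) != 0;
}
```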
   7.13.6. "Can I run PGP on a machine I don't control, e.g., the campus
            computer system?"
           - Sure, but the sysops and others may then have access to
              your key and passphrase. Only machines the user directly
              controls, and that are adequately firewalled from other
              machines, offer reasonable amounts of security.  Arguing
              about whether 1024-bit keylengths are "enough" is rather
              moot if the PGP program is being run on a corporate
              computer, or a university network. The illusion of security
              may be present, but no real security. Too many people are
              kidding themselves that their messages are secure and that
              their electronic identities cannot be spoofed.
           - I'm not interested in the various elm and emacs PGP
              packages (several such shells and wrappers exist). Any
              sysop can not only obtain your secret key, stored on
              his system, but he can also capture your passphrase as you
              feed it to the PGP program (assuming you do...many people
              automate this part as well). Since this sysop or one of his
              cronies can then compromise your mail, sign messages and
              contracts as "you," I consider this totally unacceptable.
              Others apparently don't.
           - What can be done? Many of us only run PGP on home machines,
              or on machines we directly control. Some folks who use PGP
              on such machines at least take steps to better secure
              things....Perry Metzger, for example, once described the
              multi-stage process he went through each day to reload his
              key material in a way he felt was quasi-safe.
           - Until the "Internet-in-a-box" or TIA-type products are more
              widespread, many people will be connecting home or office
              machines to other systems they don't control. (To put this
              in sharper focus: do you want your electronic money being
              run out of an account that your sysop and his friends can
              monitor? Not hardly. "Electronic purses," which may be
              smart cards, Newton-like PDAs, or dongle-like rings or
              pendants, are clearly needed. Another entire discussion.)
 


By Tim May, see README

HTML by Jonathan Rochkind