7.13.1. Speculations on possible attacks on PGP
  + There are periodically reports of problems, most just rumors. These are swatted down by more knowledgeable people, for the most part. True flaws may exist, of course, as in any piece of software.
    - Colin Plumb acknowledged a flaw in the random number generation process in PGP 2.6, to be fixed in later versions.
  + spreading fear, uncertainty and doubt
    - rumors about security of PGP versions
    - selective prosecution of PGP users
    - death threats (a la against Bidzos)
    - sowing confusion in the user community
    - fragmenting it (perhaps via multiple, noninteroperable versions...such as we're beginning to see now?)
7.13.2. What does the NSA know about flaws in PGP?
  - They're not saying. Ironically, this violates the part of their charter that deals with making commercial security stronger. Now that PGP is kosher, they should help to make it stronger, and certainly should not keep mum about weaknesses they know about. But for them to help strengthen PGP is not really too likely.
7.13.3. The PGP timebomb
  - (As I've said elsewhere, it all gets very confusing. Many versions, many sites, many viewpoints, many tools, many shells, many other things. Fortunately, most of it is flotsam.)
  - I take no point of view--for various reasons--on avoiding the "timebomb" by using 2.6ui. Here's someone else's comment: "I would like to take this time to encourage you to upgrade to 2.6ui which will overcome mit's timebomb and not exclude PGP 2.3a from decrypting messages.....DON'T USE MIT's 2.6, use PGP 2.6ui available from soda.berkeley.edu : /pub/cypherpunks/pgp" [Matrix at Cypherpunks, BLACK THURSAY!, alt.security.pgp, 1994-09-01]
  + can also be defeated with the "legal kludge":
    - ftp.informatik.uni-hamburg.de : /pub/virus/crypt/pgp/legal_kludge.txt
7.13.4. Spoofing
  - "Suitable timing constraints, and in particular real-time constraints, can be used to hinder, and perhaps defeat, spoofing attacks. But with a store-and-forward e-mail system (such as PGP is designed to work with) these constraints cannot, in general, be set." [Ken Pizzini, sci.crypt, 1994-07-05]
7.13.5. "How do we know that PGP doesn't have a back door or some other major flaw? After all, not all of us are programmers or cryptologists."
  - Yes, but many of us are. Many folks have analyzed the source code in PGP, have compiled the code themselves (a fairly common way to get the executable), and have examined the random number generators, the selection of primes, and all of the other math.
  + It would take only a single sharp-eyed person to blow the whistle on a conspiracy to insert flaws or backdoors. This has not been done. (Though Colin Plumb acknowledged a slight weakness in the RNG of 2.6...being fixed.)
    - "While having source code available doesn't guarantee that the program is secure, it helps a lot. Even though many users are not programmers or cryptographers, others are, and many of these will examine the code carefully and publicly yell about weaknesses that they notice or think they notice. For example, apparently there was a big discussion here about the xorbytes() bug in PGP 2.6. Contrast this with a commercial program, where such a bug might go undetected for years." [Paul Rubin, alt.security.pgp, 1994-09-06]
7.13.6. "Can I run PGP on a machine I don't control, e.g., the campus computer system?"
  - Sure, but the sysops and others may then have access to your key and passphrase. Only machines the user directly controls, and that are adequately firewalled from other machines, offer reasonable amounts of security. Arguing about whether 1024-bit keylengths are "enough" is rather moot if the PGP program is being run on a corporate computer or a university network. The illusion of security may be present, but no real security. Too many people are kidding themselves that their messages are secure, and that their electronic identities cannot be spoofed.
  - I'm not interested in the various elm and emacs PGP packages (several such shells and wrappers exist). Any sysop can not only obtain your secret key, stored on his system, but he can also capture your passphrase as you feed it to the PGP program (assuming you do...many people automate this part as well). Since this sysop or one of his cronies can then compromise your mail, and sign messages and contracts as "you," I consider this totally unacceptable. Others apparently don't.
  - What can be done? Many of us only run PGP on home machines, or on machines we directly control. Some folks who use PGP on such machines at least take steps to better secure things....Perry Metzger, for example, once described the multi-stage process he went through each day to reload his key material in a way he felt was quasi-safe.
  - Until the "Internet-in-a-box" or TIA-type products are more widespread, many people will be connecting home or office machines to other systems they don't control. (To put this in sharper focus: do you want your electronic money being run out of an account that your sysop and his friends can monitor? Not hardly. "Electronic purses," which may be smart cards, Newton-like PDAs, or dongle-like rings or pendants, are clearly needed. Another entire discussion.)
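Returning to the point quoted in 7.13.4: a real-time freshness window stops a captured signed message from being replayed, but only when delivery delay is bounded, which store-and-forward e-mail does not give you. The script below is an added illustration, not code from the Cyphernomicon or from PGP. An HMAC stands in for a PGP signature (an assumption made so the script runs with only the standard library), and the delays, message and key are constructed for the demonstration. It also goes one step beyond the quote and shows the stateful alternative a defender falls back on when timing cannot be set: a replay cache keyed on the signature.

```python
"""Freshness windows versus store-and-forward delivery (added example).

An HMAC over (timestamp, body) plays the role of a PGP signature; the
timestamp must be covered by the signature, otherwise a captured message
could simply be re-stamped. All keys, delays and messages are constructed.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real signing key is asymmetric


def sign_message(body, sent_at, key=KEY):
    """Authenticate the body together with the time it was sent."""
    data = f"{int(sent_at)}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_fresh(body, sent_at, sig, now, max_age, key=KEY):
    """Accept only a genuine signature whose age is within max_age seconds.

    Returns (accepted, reason). This is the 'timing constraint' approach:
    a replayed copy fails once the window has closed, but a legitimate
    message delayed longer than the window is rejected too.
    """
    expected = sign_message(body, sent_at, key)
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now - sent_at > max_age:
        return False, "stale"
    return True, "ok"


class ReplayCache:
    """Freshness without a clock: remember every signature already accepted.

    Works over arbitrary delivery delay, at the cost of keeping state on
    the receiving side (the set grows with every accepted message).
    """

    def __init__(self):
        self.seen = set()

    def accept(self, body, sent_at, sig, key=KEY):
        expected = sign_message(body, sent_at, key)
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        msg_id = hashlib.sha256(sig).hexdigest()
        if msg_id in self.seen:
            return False, "replay"
        self.seen.add(msg_id)
        return True, "ok"


def demo():
    """Run the interactive, e-mail and replay-cache scenarios; return outcomes."""
    body = "Pay the bearer 100 units"  # constructed message
    sent = 0
    sig = sign_message(body, sent)
    out = {}
    # Interactive channel: delivery takes about a second, so a 5-second
    # window accepts the genuine message and rejects a copy replayed later.
    out["interactive_fresh"] = verify_fresh(body, sent, sig, now=1, max_age=5)
    out["interactive_replay"] = verify_fresh(body, sent, sig, now=600, max_age=5)
    # Store-and-forward e-mail: the same message may sit in a queue for hours.
    # A tight window wrongly rejects it; a window wide enough to pass it
    # also passes a replay made within that window.
    out["email_tight"] = verify_fresh(body, sent, sig, now=3 * 3600, max_age=5)
    out["email_wide"] = verify_fresh(body, sent, sig, now=3 * 3600, max_age=86400)
    out["email_wide_replay"] = verify_fresh(body, sent, sig, now=2 * 3600, max_age=86400)
    # Replay cache: no timing assumption, but the recipient must keep state.
    cache = ReplayCache()
    out["cache_first"] = cache.accept(body, sent, sig)
    out["cache_second"] = cache.accept(body, sent, sig)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The two failure modes line up with the quote: the tight window behaves well only on the interactive channel, and widening it to fit e-mail latency reopens the replay. The cache closes the replay without a clock, which is why message-id or nonce tracking, not timestamps alone, is the usual defence for store-and-forward traffic.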
By Tim May, see README
HTML by Jonathan Rochkind