7.13.1. Speculations on possible attacks on PGP
+ There are periodically reports of problems, most just
rumors. These are swatted-down by more knowledgeable
people, for the most part. True flaws may exist, of course,
as in any piece of software.
- Colin Plumb acknowledged a flaw in the random number
generation process in PGP 2.6, to be fixed in later
versions.
+ spreading fear, uncertainty and doubt
- rumors about security of PGP versions
- selective prosecution of PGP users
- death threats (a la against Bidzos)
- sowing confusion in the user community
- fragmenting it (perhaps via multiple, noninteroperable
versions...such as we're beginning to see now?)
7.13.2. What does the NSA know about flaws in PGP?
- They're not saying. Ironically, this violates the part of
their charter that deals with making commercial security
stronger. Now that PGP is kosher, they should help to make
it stronger, and certainly should not keep mum about
weaknesses they know about. But for them to help strengthen
PGP is not really too likely.
7.13.3. The PGP timebomb
- (As I've said elsewhere, it all gets very confusing. Many
versions, many sites, many viewpoints, many tools, many
shells, many other things. Fortunately, most of it is
flotsam.)
- I take no point of view--for various reasons--on avoiding
the "timebomb" by using 2.6ui. Here's someone else's
comment: "I would like to take this time to encourage you
to upgrade to 2.6ui which will overcome mit's timebomb and
not exclude PGP 2.3a from decrypting messages.....DON'T USE
MIT's 2.6, use PGP 2.6ui available from soda.berkeley.edu
: /pub/cypherpunks/pgp" [Matrix at Cypherpunks, BLACK
THURSAY!, alt.security.pgp, 1994-09-01]
+ can also be defeated with the "legal kludge":
- ftp.informatik.uni-hamburg.de :
/pub/virus/crypt/pgp/legal_kludge.txt
7.13.4. Spoofing
- "Suitable timing constraints, and in particular real-time
constraints, can be used to hinder, and perhaps defeat,
spoofing attacks. But with a store-and-forward e-mail
system (such as PGP is designed to work with) these
constraints cannot, in general, be set." [Ken Pizzini,
sci.crypt, 1994-07-05]
7.13.5. "How do we know that PGP doesn't have a back door or some
other major flaw? After all, not all of us are programmers or
cryptologists."
- Yes, but many of us are. Many folks have analyzed the
source code in PGP, have compiled the code themselves (a
fairly common way to get the executable), and have examined
the random number generators, the selection of primes, and
all of the other math.
+ It would take only a single sharp-eyed person to blow the
whistle on a conspiracy to insert flaws or backdoors. This
has not been done. (Though Colin Plumb acknowledged a
slight weakness in the RNG of 2.6...being fixed.)
- "While having source code available doesn't guarantee
that the program is secure, it helps a lot. Even though
many users are not programmers or cryptographers, others
are, and many of these will examine the code carefully
and publicly yell about weaknesses that they notice or
think they notice. For example, apparently there was a
big discussion here about the xorbytes() bug in PGP 2.6.
Contrast this with a commercial program, where such a bug
might go undetected for years." [Paul Rubin,
alt.security.pgp, 1994-09-06]
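An added illustration of why a random-pool stirring routine must XOR new input into the pool rather than overwrite it (this is example code, not PGP's own). The flawed variant is constructed to match the shape commonly reported for the 2.6 xorbytes() defect, an assignment where an XOR was intended; that shape is an assumption here, since this page only names the bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 64

/* Correct mixing: each incoming byte is XORed into the pool, so
   whatever unpredictability the pool already held survives. */
static void xorbytes_mix(uint8_t *dest, const uint8_t *src, size_t len)
{
    while (len--)
        *dest++ ^= *src++;
}

/* Flawed variant (assumed shape of the 2.6 defect, constructed for
   this example): the new bytes replace the pool contents, so the
   pool ends up holding only the most recent, possibly guessable,
   input. */
static void xorbytes_overwrite(uint8_t *dest, const uint8_t *src, size_t len)
{
    while (len--)
        *dest++ = *src++;
}

/* Property check: stir two pools that start out different with the
   same low-quality input (think timestamps). Returns 1 if the pools
   still differ afterwards, i.e. the prior secret state survived the
   stir, and 0 if the stir collapsed both pools to the same value. */
int prior_entropy_survives(void (*stir)(uint8_t *, const uint8_t *, size_t))
{
    uint8_t pool_a[POOL_SIZE], pool_b[POOL_SIZE], src[POOL_SIZE];
    for (size_t i = 0; i < POOL_SIZE; i++) {
        pool_a[i] = (uint8_t)(0x5a ^ i);   /* constructed prior state A */
        pool_b[i] = (uint8_t)(0xa5 + i);   /* constructed prior state B */
        src[i] = (uint8_t)(i * 7);         /* constructed predictable input */
    }
    stir(pool_a, src, POOL_SIZE);
    stir(pool_b, src, POOL_SIZE);
    return memcmp(pool_a, pool_b, POOL_SIZE) != 0;
}
```

With the XOR version the check returns 1; with the overwriting version both pools become identical copies of the input and it returns 0, which is exactly the loss of accumulated randomness that makes such a bug a key-generation concern.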
7.13.6. "Can I run PGP on a machine I don't control, e.g., the campus
computer system?"
- Sure, but the sysops and others may then have access to
your key and passphrase. Only machines the user directly
controls, and that are adequately firewalled from other
machines, offer reasonable amounts of security. Arguing
about whether 1024-bit keylengths are "enough" is rather
moot if the PGP program is being run on a corporate
computer, or a university network. The illusion of security
may be present, but no real security. Too many people are
kidding themselves that their messages are secure, that
their electronic identities cannot be spoofed.
- I'm not interested in the various elm and emacs PGP
packages (several such shells and wrappers exist). Any
sysop can not only obtain your secret key, stored on
his system, but he can also capture your passphrase as you
feed it to the PGP program (assuming you do...many people
automate this part as well). Since this sysop or one of his
cronies can then compromise your mail, sign messages and
contracts as "you," I consider this totally unacceptable.
Others apparently don't.
- What can be done? Many of us only run PGP on home machines,
or on machines we directly control. Some folks who use PGP
on such machines at least take steps to better secure
things....Perry Metzger, for example, once described the
multi-stage process he went through each day to reload his
key material in a way he felt was quasi-safe.
- Until the "Internet-in-a-box" or TIA-type products are more
widespread, many people will be connecting home or office
machines to other systems they don't control. (To put this
in sharper focus: do you want your electronic money being
run out of an account that your sysop and his friends can
monitor? Not hardly. "Electronic purses," which may be
smart cards, Newton-like PDAs, or dongle-like rings or
pendants, are clearly needed. Another entire discussion.)
By Tim May, see README
HTML by Jonathan Rochkind