Security Basics: Re: Hack PGP

[Dan Margolis <dmargoli+secbasics () af0 net>]

On Tue, Jan 18, 2005 at 09:55:40PM +0000, Nazareno Vicente Feito wrote:
> would not trust berkeley center, cause the same thing they're doing with 
> seti () home they can do with pgp keys, but anyway, paranoia aside, the thing 
> with pgp keys it's that there's a rumour (I've heard this back in 2000/2001) 
> that the M.I.T guys did have a reverse algorithm tool, quite difficult since 
> the keys are randomly generated by events on the host computer, but that 
> rumour spreaded and some people stoped trusting pgp and started thinking on 
> gpg, which is pretty similar but not the same, besides the algorithm 
> restrictions that imposes on non American Computers about the amount of bit 
> encryptions, Europe it's quite different about this regulations.
As far as I know, the same algorithms used in GPG are available in PGP
(DSA, RSA, and el Gamal). So the question you are presenting is; is the
PGP implementation secure (do we trust PGP)? Granted, there may be some
higher level of trust in GPG, since it's open source, but I haven't
looked at it--have you?

As for there being methods of breaking RSA (or similar), I sorta doubt
it. For instance, in 1973, a British mathematician working for one of
the British Military Intelligence services developed something akin to
RSA, and the British kept it top-secret (who wouldn't want to?). But
only 5 years later, R, S, and A came up with their own system and
released it publicly. With all the potential fame, fortune, and glory to
be gained from publicly breaking RSA, I find it hard to imagin that
someone would have done so and kept it secret--and that nobody else
would also have done so. 

Finally, regarding seti () home, there is a similar project for this very
purpose, distributed.net. However, there's a really huge difference
between breaking DES and breaking a standard-length RSA key. 

-- 
Dan