> > Contributed by: Daniel R. Miessler > :: Open Content > > If you follow technology trends, you're probably aware of the two schools > of thought with regard to security and/or cryptography. Does cryptography > and security solutions become more secure as the number of eyes pouring > over its source code increases or is a private solution which leverages > security through obscurity provide a more secure environment?
Sometimes it is these "schools of thought" that provide the holes. PGP cannot be "proven" secure because it is not. It is possible for a key generator to find a value for N which is easy to factor. The probability is very very very small but not actually zero. None of the source I have looked thru checked to make sure N was not an easy to factor number. And "group think" seems to trivialize any discussion of ways to find the easy ones. It is also possible to encode with PGP and get cyphertext which equals the cleartext. Again, infinitesimally small probability, but not zero. Except for M=0 or M=1, finding one of those compromises the key. More dangerous is a key generator which deliberately produces keys which are easy to factor by someone knowing a secret. These should be found in open source but I suggest many reviewers could miss this and again the "group think" would probably cause most not to even look. If you use PGP and don't have the source, verify that the source actually implements the algorithm correctly, verify you are using object code actually representing that source, and have the capacity to understand the possible holes in the process, you don't have actual security. If you use PGP keys generated by someone else, you may have no security. -- [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]