> 
> Contributed by: Daniel R. Miessler
>  :: Open Content
> 
> If you follow technology trends, you're probably aware of the two schools
> of thought with regard to security and/or cryptography. Do cryptography
> and security solutions become more secure as the number of eyes poring
> over their source code increases, or does a private solution which leverages
> security through obscurity provide a more secure environment?

Sometimes it is these "schools of thought" that provide the holes. PGP
cannot be "proven" secure because it is not. It is possible for a key
generator to find a value for N which is easy to factor. The probability
is very very very small but not actually zero.

None of the source I have looked through checked to make sure N was not an
easy-to-factor number. And "group think" seems to trivialize any discussion
of ways to find the easy ones.

It is also possible to encode with PGP and get cyphertext which equals the
cleartext. Again, infinitesimally small probability, but not zero. Except
for M=0 or M=1, finding one of those compromises the key.


More dangerous is a key generator which deliberately produces keys which
are easy to factor by someone knowing a secret. These should be found
in open source but I suggest many reviewers could miss this and again the
"group think" would probably cause most not to even look.


If you use PGP and don't have the source, don't verify that the source actually
implements the algorithm correctly, don't verify that you are using object code
actually representing that source, and don't have the capacity to understand the
possible holes in the process, you don't have actual security.

If you use PGP keys generated by someone else, you may have no security.


-- 
[EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
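The two checks the post complains are missing from the key generators it looked at, and the ciphertext-equals-cleartext case it mentions, worked through as an added example. This is not code from the post and not PGP's code; it is stand-alone Python on the standard library. All key values are constructed toys far below real key sizes, and the trial-division bound and the number of Fermat steps are arbitrary assumptions chosen for the demonstration.

```python
"""Defensive sanity checks on an RSA key pair (constructed toy values).

Added example, not code from the post or from any PGP implementation. It
rejects a modulus N that the two most obvious methods factor (a small prime
factor, or p and q close enough for Fermat's method), and it counts the
messages m for which the ciphertext equals the cleartext (m^e == m mod N).
"""
from math import gcd, isqrt


def small_primes(bound):
    """Sieve of Eratosthenes: all primes below bound."""
    sieve = bytearray([1]) * bound
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def small_factor(n, bound=10_000):
    """Trial division: first prime below bound (assumed limit) dividing n, else None."""
    for p in small_primes(bound):
        if n % p == 0 and p != n:
            return p
    return None


def fermat_factor(n, max_steps=1_000):
    """Fermat's method. If p and q are close together, a = ceil(sqrt(n))
    makes a*a - n a perfect square within a few steps. Used here to *reject*
    a freshly generated key with that property. Returns (p, q) or None."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):          # max_steps is an assumed budget
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def fixed_point_count(p, q, e):
    """Number of m in [0, N) with pow(m, e, N) == m, i.e. ciphertext equal
    to cleartext. Modulo each prime, the solutions of m^e == m are m == 0
    plus the gcd(e-1, p-1) roots of m^(e-1) == 1; the CRT multiplies the two
    counts. For odd e this is never below 9 (0, 1, N-1 and six others)."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def brute_force_fixed_points(p, q, e):
    """Enumerate the fixed points directly; only feasible for toy moduli."""
    n = p * q
    return [m for m in range(n) if pow(m, e, n) == m]


def check_key(p, q, e):
    """Return the list of problems found; an empty list means all checks passed."""
    n = p * q
    phi = (p - 1) * (q - 1)
    problems = []
    if p == q:
        problems.append("p == q: N is a perfect square")
    if gcd(e, phi) != 1:
        problems.append("e shares a factor with phi(N): no decryption exponent")
    f = small_factor(n)
    if f is not None:
        problems.append(f"N has small prime factor {f}")
    if fermat_factor(n) is not None:
        problems.append("p and q are too close: Fermat's method factors N")
    return problems


if __name__ == "__main__":
    # Constructed toy keys (Mersenne primes and primes just above 10^6).
    print(check_key(131071, 524287, 65537))     # passes these checks
    print(check_key(1000003, 1000033, 65537))   # rejected: primes 30 apart
    print(check_key(1009, 1000003, 65537))      # rejected: trial division finds 1009
    # Formula versus enumeration for a toy modulus N = 61 * 53 = 3233.
    print(fixed_point_count(61, 53, 17), len(brute_force_fixed_points(61, 53, 17)))
```

The point of `check_key` is the shape of the check rather than its strength: a real generator would also test primality properly and use key sizes where trial division and Fermat's method are only the cheapest of many things to rule out. The fixed-point count shows that "ciphertext equals cleartext" is not a freak event but a fixed, computable number of messages for every key, which is why the count is worth knowing before worrying about the probability.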
