On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:

So, how many people on this list have actually looked at the PGP key generation code in any depth? Open source makes it possible for people to look for security holes, but it sure doesn't guarantee that anyone will do so, especially anyone who's at all good at it.


<http://www.pgp.com/products/sourcecode.html>

The relevant key generation code can be found in:

libs2/pgpsdk/priv/crypto/pubkey/

(those are backslashes on Windows, of course). The RSA key generation, for example, is in ./pgpRSAKey.c.

You might also want to look at .../crypto/bignum and .../crypto/random/ while you're at it.

There is also high-level code in .../crypto/keys/pgpKeyMan.c for public key generation.

Incidentally, none of the issues that lrk brought up (RSA key being made from an "easy to factor" composite, a symmetric key that is a weak key, etc.) are unique to PGP. This should be obvious, but I have to say it.

        Jon


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
