I've had a look at the code; the main problems I see are side-channel attacks. The implementation is pretty standard (strong primes, proper fields, etc.), however no salt!
Key generation, or more so the process of key generation, should be unique every time regardless of how unique the parameters being passed into the process are.
I think a few months ago a student from the Weizmann Inst. (http://www.wisdom.weizmann.ac.il/~tromer/acoustic/) proposed analysis of CPU noise as a side-channel attack; the test code was PGP's key generation.
That said, acoustic attacks are not the only method for side-channel attacks; you have power and timing attacks. In theory, if you could sample these 3 channels you could be in a much better position than if you were only sampling one of the channels.
In short, updates should be made to add salt to the calculations; simple random operations being randomly added during the generation process will suffice to eliminate the possibility for any of the above attacks.
Other than that PGP is pretty much standard, and unless tomorrow someone comes up with some really wacked-out number theory that will prove futile many of the principles of the mathematics behind the crypto systems of today, I wouldn't worry too much.... ;)
__________________________________________________
Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net
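The timing/power leak discussed in the post above, as an added illustration that is not part of the original message and not PGP's code: a simulated operation trace of a naive modular exponentiation (the core of RSA key generation and use) reveals the secret exponent, while a Montgomery ladder (a fixed-sequence countermeasure, shown here instead of the post's suggested random operations) produces a trace that does not depend on the exponent bits. The trace lists and the small sample values are constructed for the example.

```python
# Side-channel simulation: each exponentiation appends one symbol per
# primitive operation ('S' square, 'M' multiply) to `trace`, standing in
# for what a timing or power measurement would see.

def square_and_multiply(base, exp, mod, trace):
    """Naive left-to-right exponentiation; the 'M' is only done for 1 bits,
    so the operation sequence itself encodes the exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append('S')
        if bit == '1':
            result = (result * base) % mod
            trace.append('M')
    return result

def montgomery_ladder(base, exp, mod, trace):
    """Montgomery ladder: invariant r1 == r0 * base. Every bit costs exactly
    one multiply followed by one square, whatever its value."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == '0':
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        trace.append('M')   # same two symbols on both branches
        trace.append('S')
    return r0

def exponent_from_trace(trace):
    """What an observer of the naive trace learns: each 'S' starts a new bit
    (initially 0); an 'M' directly after it marks that bit as 1."""
    bits = []
    for op in trace:
        if op == 'S':
            bits.append('0')
        else:
            bits[-1] = '1'
    return int(''.join(bits), 2)

def traces_match(exp_a, exp_b, base=7, mod=1000003):
    """True when the ladder emits identical traces for two different
    exponents of the same bit length (the naive version never does)."""
    ta, tb = [], []
    montgomery_ladder(base, exp_a, mod, ta)
    montgomery_ladder(base, exp_b, mod, tb)
    return ta == tb and exp_a.bit_length() == exp_b.bit_length()
```

The `exponent_from_trace` recovery is exact for the naive routine; for the ladder the same observer sees only the bit length.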
Jon Callas wrote:
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
So, how many people on this list have actually looked at the PGP key generation code in any depth? Open source makes it possible for people to look for security holes, but it sure doesn't guarantee that anyone will do so, especially anyone who's at all good at it.
The relevant key generation code can be found in:
(those are backslashes on Windows, of course). The RSA key generation, for example, is in ./pgpRSAKey.c.
You might also want to look at .../crypto/bignum and .../crypto/random/ while you're at it.
There is also high-level code in .../crypto/keys/pgpKeyMan.c for public key generation.
Incidentally, none of the issues that lrk brought up (RSA key being made from an "easy to factor" composite, a symmetric key that is a weak key, etc.) are unique to PGP. This should be obvious, but I have to say it.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]