Hello,

I've had a look at the code, and the main problems I see are side-channel
attacks. The implementation is pretty standard: strong primes, proper
fields, etc. However, no salt!

Key generation, or more so the process of key generation, should be
unique every time regardless of how unique the parameters being passed
into the process are.

I think a few months ago a student from the Weizmann Inst.
http://www.wisdom.weizmann.ac.il/~tromer/acoustic/ proposed analysis
of CPU noise as a side-channel attack; the test code was PGP's key
generation.

That said, acoustic attacks are not the only method for side-channel
attacks; you have power and timing attacks. In theory, if you could
sample these 3 channels you could be in a much better position than if
you were only sampling one of the channels.


In short, updates should be made to add salt to the calculations;
simple random operations being randomly added during the generation
process will suffice to eliminate the possibility for any of the
above attacks.

Other than that, PGP is pretty much standard, and unless tomorrow
someone comes up with some really wacked-out number theory that will
prove futile many of the principles of the mathematics behind the
crypto systems of today, I wouldn't worry too much.... ;)




Arash Partow

__________________________________________________
Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net



Jon Callas wrote:
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:

So, how many people on this list have actually looked at the PGP key generation code in any depth? Open source makes it possible for people to look for security holes, but it sure doesn't guarantee that anyone will do so, especially anyone who's at all good at it.


<http://www.pgp.com/products/sourcecode.html>

The relevant key generation code can be found in:

libs2/pgpsdk/priv/crypto/pubkey/

(those are backslashes on Windows, of course). The RSA key generation, for example, is in ./pgpRSAKey.c.

You might also want to look at .../crypto/bignum and .../crypto/random/ while you're at it.

There is also high-level code in .../crypto/keys/pgpKeyMan.c for public key generation.

Incidentally, none of the issues that lrk brought up (RSA key being made from an "easy to factor" composite, a symmetric key that is a weak key, etc.) are unique to PGP. This should be obvious, but I have to say it.

    Jon


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]