There's a hole in your crypto, dear Eliza dear Eliza...
Alright, here's my 2 cents worth for this petty flamewar...

Once upon a time, there was PGP 2.3. MIT had nothing to do with it. The population of the net that used the program was fairly small. In addition to being small, they were all (mostly) computer literate people. These people were confident in the security of PGP because they had read and understood the source code. It was checked and declared good.

Then, in stepped MIT. I, and a few others, raised concerns about a possible conflict of interest with MIT distributing the code, and encouraged everyone to double check the code for back doors and other NSA nasties. It was checked and declared good.

Now, we are in the present. MIT is still part of the equation. However, the demographics of the net have changed. Fewer people are here that (by percentage) are computer literate to the level to do source code investigations. A few question why they should trust PGP when they don't know it's secure. We, those who have grown up with PGP, point out that it is good, yet that really isn't a great reason to trust it.

So the question is, why should non-technical people believe that PGP is good? They don't have the skills to check it for themselves, and you have to admit that the associations of MIT with various TLAs are at the very least concerning.

Robert A. Hayden <=> hayden@krypton.mankato.msus.edu
Finger for Geek Code Info <=> Finger for PGP Public Key
http://krypton.mankato.msus.edu/~hayden/Welcome.html

Why are the arguments on either side so emotional?

Because the alleged possible hole is located in the random number generator portion of the code. Random number generation (or more precisely, strong PRNG procedures) is one of the "hot" buttons of this list in general: no matter how strong the mechanism is, someone can postulate "a weakness in the code" that produces "weak" PRNs or gigabuck NSA computers that can reproduce arbitrary PRN streams.

And no one can disprove anything. Because nothing, really, can be "proved" to be random; it's that darn halting problem again. All we have are "reasonable" expectations, which aren't reasonable for a subset of the intended user group.

Okay... sometime this week I'll take a long look at the PRNG routines in what PGP source code I have. I'm doing this in order to keep an open mind, _not_ because I expect to find anything.

Other than the labeled PRNG/RNG routines, what needs to be looked at?

Phil

How do I know PGP IS secure? I don't. That doesn't mean I don't use it or don't trust it. PGP was designed and written by a human, who by its nature is NOT infallible. The name says it all.... PRETTY GOOD; not REALLY GREAT or UNCRACKABLE, just pretty good. I think the simple fact that I am not in jail (Knock on wood....) attests to the fact that the algorithm, RNG, works Pretty Good. (There's them there words again)

-----------------------------------------------------------------------------
JUSTICE: The outcome of NOT protecting people from the results of their own folly.
-----------------------------------------------------------------------------

participants (3): Eric Anderson, Phil Fraering, Robert A. Hayden