Here's a real simple way to verify the trustworthiness of the commercial version of PGP. It's a bidirectional comparison of outputs.

1) Have freeware PGP generate a set of keys.

2) Using keys from (1) encrypt several files using both conventional and public key encryption using freeware PGP _and_ commercial PGP, then compare the output byte-for-byte of both to see if they match up.

3) Have commercial PGP generate a set of keys.

4) Using keys from (3) encrypt several files using both conventional and public key encryption using freeware PGP _and_ commercial PGP, then compare the output byte-for-byte of both to see if they match up.

Basically, if both commercial PGP and freeware PGP produce exactly the same encrypted files as output based on the same keys, and if you have the source code and can trust freeware PGP, then it can be stated that commercial PGP is secure. I'm no expert on mathematical proofs, but the above seems very logical to me.

I'm assuming the NSA will pressure ViaCrypt to put in a backdoor. One possible backdoor that can be placed inside the commercial PGP and still allow it to pass the above test is if commercial PGP secretly writes all keys and pass phrases to a block on your hard disk, and marks that block as used to the file system. In order to prevent you from scanning your hard disk and finding that block, the information stored there could be encrypted by a key which the NSA has in its possession.

I would never use commercial PGP because I do not place inherent trust in programs which come with no source code, and commercial PGP doesn't come with source code.

Thug
thug@phantom.com
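A sketch of the comparison harness from steps 1-4, as an added example that is not part of the original post: it runs the byte-for-byte check and a cross-decryption check between two implementations. The cipher is a toy SHA-256 keystream standing in for PGP's, and `encrypt`, `decrypt`, `compare` and `fixed_rng` are hypothetical names; the random 8-byte prefix models the fresh random data PGP puts into each message, so byte equality holds only when both sides are fed the same random bytes.

```python
import hashlib
import os

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in, not PGP's cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(passphrase, plaintext, rng=os.urandom):
    # Conventional encryption: random 8-byte prefix, then XOR with keystream.
    nonce = rng(8)
    ks = _keystream(hashlib.sha256(passphrase).digest(), nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(passphrase, blob):
    nonce, body = blob[:8], blob[8:]
    ks = _keystream(hashlib.sha256(passphrase).digest(), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def fixed_rng(n):
    # Constructed, non-random source used only to pin the prefix in a test rig.
    return bytes(range(n))

def compare(enc_a, enc_b, dec_a, dec_b, passphrase, files):
    # For each file: are the two outputs identical, and does each side
    # decrypt what the other produced?
    results = []
    for data in files:
        ct_a, ct_b = enc_a(passphrase, data), enc_b(passphrase, data)
        results.append({
            "byte_equal": ct_a == ct_b,
            "cross_ok": dec_b(passphrase, ct_a) == data
                        and dec_a(passphrase, ct_b) == data,
        })
    return results

# Constructed sample inputs.
SAMPLE_FILES = [b"constructed sample file one\n", b"\x00\x01\x02 binary sample"]

if __name__ == "__main__":
    pin = lambda k, d: encrypt(k, d, fixed_rng)
    print("live:  ", compare(encrypt, encrypt, decrypt, decrypt, b"pass phrase", SAMPLE_FILES))
    print("pinned:", compare(pin, pin, decrypt, decrypt, b"pass phrase", SAMPLE_FILES))
```

Neither check sees what a program writes outside its output file, which is the gap the backdoor scenario in the post relies on.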