Can NSA crack PGP?

Carl Ellison cme at sw.stratus.com
Tue Nov 23 12:03:00 PST 1993 

> [ Stanton McCandlish wrote ]

>The persons holding this viewpoint espouse the idea that
>the NSA can crack anything, pretty much, and that anything they could not
>crack would not be available to the general public, but would have been
>supressed.


That view allocates to the NSA the power they wish they had over
cryptographic creativity.  I wonder if the author is really NSA him/her
self.

Vernam's one-time-tape [-file, for us] is provably unbreakable and not
suppressed.

RSA with enough modulus bits is unbreakable and not suppressed (although
they tried).  [We don't know how many bits is "enough", however.]

There are ways to use DES which increase the difficulty of breaking -- but
again we don't know how many instances we have to use to achieve enough
security to foil the NSA.  We know we can get there, however, and I'm willing
to bet it's not difficult.  Of course, I don't know and don't want to know.

I want the NSA to be good at what it does.  I want our team to be able to
read the other team's signals.

All I want is to preserve my freedom to use any cryptosystem of my own
concoction -- straight invention or cobbled together from others'.  I've
had that freedom for all my life and intend to preserve it.

-----------

Can NSA break PGP?  Who knows?

I'm not sure I care.  I don't see the NSA as my enemy, per se.  (That does
*not* mean I'll hand them a skeleton key to my traffic, eg., via Clipper.)
My secrets are from people I think of as criminals (in or out of government)
and I want to use strong cryptography to foil them.  I would trust PGP for
that.  I trust RIPEM with triple DES (and 1024 bit RSA keys) a bit more, for
its better-tested conventional algorithm.

For even better security, I would use:

	2000 bit RSA keys
	true hardware ranno generator for session keys
	des-cbc|tran|des-cbc|tran|des  as the conventional cryptosystem

but, of course, there are always TEMPEST attacks, bugs in my office, ...,
and as Diffie points out -- you have no control over the recipient.  S/he
might send cleartext of your messages right to the person you're trying to
foil.

Fact remains: there is *no* absolute privacy.  There is only a computational
hindrance on eavesdropping.

 - Carl

More information about the cypherpunks-legacy mailing list