your mail

Dr. Frederick B. Cohen fc at all.net
Mon Jul 31 07:43:38 PDT 1995


> As I'm sure you know, PGP picks its primes by choosing a random starting 
> point and testing each odd number upwards until it gets a probable 
> prime.  The random number generator used to seed this search is mixed 
> using MD5 which gives a uniform 1/0 distribution.  I'd hazard a guess 
> that the chances of a start point having so many contiguous 1's as to be 
> close to 2^N is so vanishingly small that it's more likely a 
> non-prime would pass the probabilistic tests!

Well, not exactly random starting points.  Starting points generated by
user keystrokes with characteristics that may be analyzed so as to
reduce the key space to a searchable size, starting points that are
determined by a transformation of those keystroke sequences using an
algorithm, starting points that are determined by an algorithm that uses
a deterministic (albeit complex) algorithm which performs input and
output based on timeslices and interrupt mechanisms and queues that may
tend to alter the statistics of arrival times.

> I suppose if I were really paranoid I'd feed in fixed starting points
> for the search to MIT PGP and PGP 2.6.2 to make sure that they come out 
> with the same keys.

The term paranoid is inappropriate in this context.  Paranoia refers to
an irrational fear, while I am expressing a rational concern over a
system that has been taken over by a (partially) government funded
university and which has not been properly verified.  The history of
cryptography (as they say) is (quite literally) littered with the dead
bodies of people killed because somebody else thought a cryptosystem was
good enough when it was not. 

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
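As an added example (not part of the original message, and not PGP's own code), here is the prime search the quoted text describes: a start point, then odd candidates tested upward until one passes a probabilistic primality test, plus an MD5-mixed derivation of the start from seed bytes. The `seed_to_start` construction, the `next_probable_prime` helper, and the constructed seed bytes are assumptions for illustration and do not reproduce PGP's actual key-generation code. Two things it shows: the same start point always yields the same prime (the reproducibility check the message discusses), and the search halts a handful of steps above the start, so the candidate never wanders near 2^N.

```python
import hashlib
import random


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin probable-prime test.

    A composite n survives `rounds` independent witnesses with probability
    at most 4**-rounds.  Witnesses come from a fixed-seed generator so that
    the test itself is deterministic and repeatable run to run.
    """
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in small:
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = rng or random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def next_probable_prime(start, rounds=32):
    """Walk upward from `start` over odd candidates until one passes.

    Returns (prime, steps), where steps counts odd candidates rejected.
    """
    n = start | 1  # force odd; even numbers are never tested
    steps = 0
    while not is_probable_prime(n, rounds):
        n += 2
        steps += 1
    return n, steps


def seed_to_start(seed_bytes, bits):
    """Derive an odd `bits`-bit start point by MD5-mixing seed material.

    Illustrative construction (assumption), not PGP's real seeding: MD5 is
    iterated with a counter until enough output exists, then the top bit is
    set so the result has exactly `bits` bits, and the low bit so it is odd.
    """
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.md5(seed_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    n = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return n | (1 << (bits - 1)) | 1


if __name__ == "__main__":
    # Constructed seed bytes standing in for captured keystroke material.
    seed = b"constructed keystroke sample"
    start = seed_to_start(seed, 256)
    p1, steps1 = next_probable_prime(start)
    p2, steps2 = next_probable_prime(seed_to_start(seed, 256))
    print("same start -> same prime:", p1 == p2)
    print("odd candidates rejected before a prime was found:", steps1)
```

Because every step is deterministic given the seed bytes, the only unpredictability in the resulting prime is whatever entropy those bytes carry; that is why the quality of the keystroke-derived seed, not the prime search, is where the reply above places its concern.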