PGP problems

Brian Morrison pmmail@rpglink.com
Sat, 05 Aug 2000 07:24:12 +0100 (BST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 4 Aug 2000 13:44:25 -0700 (PDT), Froggyball wrote:

>On Fri, 4 Aug 2000, Steve Lamb wrote:
>
>> Friday, August 04, 2000, 12:33:22 PM, Bill wrote:
>> > Not astronomical for PGP. A few hours to a few days, ... they
>> > have the hardware. Our diplomatic codes must be good for 20
>> > years minimum, and this may be in jeopardy depending on processing
>> > advances.
>> 
>>     *sigh*  Did anyone here read the numbers?  Do the math before making
>> asinine statements, ok?  There would have to be a quantum leap in processing
>> power well beyond anything ever seen in history.... /EVER/.  Even what we have
>> now is nothing more than a single atom in all the oceans of the world of what is
>> needed to even begin to think about cracking it through brute force.
>
>You can't compare the numbers that way. 64-bit DES takes far shorter time
>to cover the keyspace than 56-bit RC5 and PGP will be different yet again.

No, DES comes in two flavours, 56 bit DES and 168 bit triple DES,
computationally equivalent to 112 bits in fact. RC5-56 was broken by
d.net, it took months back in 1997. PGP can have different weak spots
depending on how it is set up. If you use maximum length (4096 bits)
asymmetric keys, then these are stronger than the 128 bit symmetric
keys used for bulk encryption. Since the secret key is stored
somewhere, then the pass phrase is critical and should have sufficient
entropy to defeat pass phrase cracking attacks.

>(For those of you who think that you should use PGP all the time, lest
>"they" get suspicious when you send encrypted messages some of the time,
>consider that most people do NOT send encrypted messages. By the same
>token, who do you think "they" will be zeroing in on? That minority of
>"suspicious" characters who always send encrypted, obviously they have
>something to hide... ;)

Which is exactly why everybody should use it. Better still is for all
traffic, not just email, to be encrypted using IPv6 encryption. This
uses short term keys and forward secrecy to avoid these keys being
recoverable. The only point of vulnerability is then stored mail at end
users' machines. Anyone can avoid that problem by avoiding storing data
locally, or using steganography or something like Scramdisk which
stores data in a special partition that is not recognisable as
containing anything; it just looks like random noise.


- -- 

Brian Morrison                                  bdm@fenrir.org.uk

 "Almost noon, and she had yet to go the launderette in Concreton to 
 thaw out chickens in the spin-drier..."

PGP Public Key Fingerprint= C7 12 B9 54 00 0F 51 F6  37 9B 18 D1 E1 61 14 0B

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i OS/2 for non-commercial use
Comment: This comment _is_ plain text
Charset: cp850

iQA/AwUBOYuzC/QTY1HeMuXFEQLcZgCg2OY353u7ex9rTbmVdFqUCY2KGbMAnRHd
D9SlZHxGp5lg6wCtur1I07h5
=I09A
-----END PGP SIGNATURE-----
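
Added example, not part of the original message: the statement that 168-bit triple DES is computationally equivalent to 112 bits follows from a meet-in-the-middle search, shown here at toy scale. The cipher, key and plaintexts are constructed for the illustration (8-bit keys standing in for 56-bit ones), so the 24-bit triple key falls to about 2^17 cipher calls, the same two-thirds ratio as 112 to 168.

```python
# Added example: toy cipher and keys are constructed, not DES.
def _f(half, key, rnd):
    # Toy 8-bit round function (an assumption made for this demo).
    return ((half * 167 + key * 59 + rnd * 113) ^ (half >> 3)) & 0xFF

def encrypt(block, key):
    # 4-round Feistel network: 16-bit block, 8-bit key.
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

def triple_encrypt(block, k1, k2, k3):
    # Encrypt-decrypt-encrypt, the composition triple DES uses.
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def meet_in_the_middle(pairs):
    """Return (keys consistent with all pairs, cipher calls spent searching)."""
    (p0, c0), (p1, c1) = pairs[:2]
    table, ops, found = {}, 0, []
    for k3 in range(256):  # 2^8 table entries, worked back from the ciphertexts
        table.setdefault((decrypt(c0, k3), decrypt(c1, k3)), []).append(k3)
        ops += 2
    for k1 in range(256):  # 2^16 (k1, k2) guesses, worked forward from plaintexts
        e0, e1 = encrypt(p0, k1), encrypt(p1, k1)
        ops += 2
        for k2 in range(256):
            middle = (decrypt(e0, k2), decrypt(e1, k2))
            ops += 2
            for k3 in table.get(middle, ()):
                # Confirm each match on every pair (not counted in ops).
                if all(triple_encrypt(p, k1, k2, k3) == c for p, c in pairs):
                    found.append((k1, k2, k3))
    return found, ops

SECRET = (0x3A, 0xC5, 0x7E)            # constructed 24-bit key
PLAINTEXTS = (0x1234, 0xBEEF, 0x0F0F)  # constructed known plaintexts
PAIRS = [(p, triple_encrypt(p, *SECRET)) for p in PLAINTEXTS]

if __name__ == "__main__":
    keys, ops = meet_in_the_middle(PAIRS)
    print("keys:", keys)
    print("cipher calls:", ops, "vs exhaustive search:", 3 * 2**24)
```

The same trade applies at full size: the search cost is set by the two-key side, which is why a three-key design is rated by two keys' worth of bits.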