The PGP Attack FAQ

PGP is the most widely used hybrid cryptosystem around today. There have been AMPLE rumours regarding its security (or lack thereof), ranging from claims that PRZ was coerced by the Gov't into placing backdoors into PGP, to claims that the NSA has the ability to break RSA or IDEA in a reasonable amount of time, and so on. While I cannot confirm or deny these rumours with 100% certainty, I really doubt that either is true. This FAQ, while not in the 'traditional FAQ format', answers some questions about the security of PGP, and should clear up some rumours...

Brief introduction

There are a great many misconceptions out there about how vulnerable Pretty Good Privacy is to attack. This FAQ is designed to shed some light on the subject. It is not an introduction to PGP or cryptography. If you are not at least conversationally versed in either topic, start with the Crash course on cryptography, and the sci.crypt FAQ.

PGP is a hybrid cryptosystem. It is made up of four cryptographic elements: a symmetric cipher (IDEA), an asymmetric cipher (RSA), a one-way hash (MD5), and a random number generator (which is two-headed, actually: it samples entropy from the user and then uses that to seed a PRNG). Each is subject to a different form of attack.
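To make the division of labour between those four elements concrete, here is an added illustration (not code from PGP or from this FAQ) of the hybrid construction: a random session key encrypts the bulk of the message with a symmetric cipher, the session key itself is wrapped with the recipient's public RSA key, and a one-way hash of the plaintext rides inside the encrypted payload. The primitives are assumed stand-ins chosen so the example runs on a plain Python install: textbook RSA over two fixed, far-too-small Mersenne primes in place of a real RSA key, a SHA-256 counter keystream in place of IDEA, and hashlib's MD5 for the hash. Nothing about PGP's actual packet formats, padding or key sizes is reproduced.

```python
import hashlib
import os
from typing import Optional

# --- Asymmetric element (stand-in for PGP's RSA) ---------------------------
# Textbook RSA over two fixed Mersenne primes.  These parameters are an
# assumption for illustration only: far too small for real use, and PGP's
# keys, padding and formats are not reproduced here.
RSA_P = (1 << 61) - 1
RSA_Q = (1 << 89) - 1
RSA_N = RSA_P * RSA_Q                       # about 150 bits
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

SESSION_KEY_BYTES = 16   # 128-bit session key, as IDEA uses; must stay < RSA_N
DIGEST_BYTES = 16        # MD5 output length


def rsa_wrap(session_key: bytes) -> int:
    """Encrypt the session key under the public key (e, n)."""
    m = int.from_bytes(session_key, "big")
    assert 0 < m < RSA_N, "session key must be smaller than the RSA modulus"
    return pow(m, RSA_E, RSA_N)


def rsa_unwrap(wrapped: int) -> bytes:
    """Recover the session key with the private exponent d."""
    m = pow(wrapped, RSA_D, RSA_N)
    return m.to_bytes(SESSION_KEY_BYTES, "big")


# --- Symmetric element (stand-in for IDEA) ----------------------------------
def stream_xor(key: bytes, data: bytes) -> bytes:
    """Keystream blocks = SHA-256(key || counter), XORed into the data.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


# --- Putting the four elements together -------------------------------------
def encrypt_message(plaintext: bytes, session_key: Optional[bytes] = None) -> dict:
    """Hybrid encryption: a fresh session key does the bulk work, and the
    RSA-wrapped session key travels alongside the ciphertext.  The MD5 digest
    of the plaintext sits inside the encrypted payload, so it cannot be
    replaced without knowing the session key."""
    if session_key is None:
        session_key = os.urandom(SESSION_KEY_BYTES)     # the RNG element
    digest = hashlib.md5(plaintext).digest()            # the one-way hash element
    payload = digest + plaintext
    return {
        "wrapped_key": rsa_wrap(session_key),           # asymmetric element
        "ciphertext": stream_xor(session_key, payload),  # symmetric element
    }


def decrypt_message(packet: dict) -> bytes:
    """Unwrap the session key, decrypt the payload, verify the digest."""
    session_key = rsa_unwrap(packet["wrapped_key"])
    payload = stream_xor(session_key, packet["ciphertext"])
    digest, plaintext = payload[:DIGEST_BYTES], payload[DIGEST_BYTES:]
    if hashlib.md5(plaintext).digest() != digest:
        raise ValueError("integrity check failed: message or key was altered")
    return plaintext


def tampering_is_detected(packet: dict) -> bool:
    """Flip one ciphertext byte and report whether decryption rejects it."""
    damaged = bytearray(packet["ciphertext"])
    damaged[-1] ^= 0x01
    try:
        decrypt_message({"wrapped_key": packet["wrapped_key"],
                         "ciphertext": bytes(damaged)})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = encrypt_message(b"attack at dawn")        # constructed sample message
    print(decrypt_message(pkt), tampering_is_detected(pkt))
```

The structure is the point, not the primitives: each of the four boxes can be swapped independently, and an attacker who cannot break the asymmetric wrap must go after the symmetric cipher, the hash, or the randomness of the session key, which is exactly why the sections that follow treat each element separately.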

Closing comments

I have presented factual data, statistical data, and projected data. Form your own conclusions. Perhaps the NSA has found a polynomial-time (read: fast) factoring algorithm. But we cannot dismiss an otherwise secure cryptosystem due to paranoia. Of course, by the same token, we cannot trust cryptosystems on hearsay or assumptions of security. The bottom line is this: in the field of computer security, it pays to be cautious. But it doesn't pay to be uninformed or needlessly paranoid. Know the facts.

Thank You's (in no particular order)

PRZ, Colin Plumb, Paul Kocher, Bruce Schneier, Paul Rubin, Stephen McCluskey, Adam Back, Bill Unruh, Ben Cantrick, Jordy, Galactus, the readers of sci.crypt and the comp.security.* groups

List of questions

The symmetric cipher

The asymmetric cipher

The one-way hash

The pseudo-random number generator (PRNG)

Practical attacks

What if...