From: Rick Moen (rick at domain linuxmafia.com)
Date: Sat 15 Sep 2001 - 02:36:56 IST
begin John McCormac quotation:
> Just because it can be compiled and the source is freely available
> does not guarantee security. Even RSA is based on a theory that it is
> difficult to factor large numbers. If someone was to develop a faster
> factoring algorithm then RSA encryption could be vulnerable.
That is true. As a mathematician, I'd be at least moderately surprised
at a breakthrough in this area of which we had no hint in the academic
journals, regardless of how many geniuses they have on staff. But it
> Even with PGP, as far as I remember, the core encryption algorithm
> (that used to encrypt the data) is not RSA.
With PGP having gone proprietary after 2.6.3i, I use GnuPG exclusively,
these days. GnuPG defaults to Blowfish for its symmetric cipher, and
DSA & ElGamal for the asymmetric ones (with DSA favoured). In the
latter category, RSA support was added in v. 1.0.3 (after the USA patent
expired on Sept. 20/21, 2000).
> RSA is used for the keyhandling.
Yes (in PGP), though there are actually two levels of keys (just as
with SSH and TLS/SSL): You can't use asymmetric aka public-key crypto
for the whole thing, because it's too slow.
(That's not to mention the hashing algorithms.)
> In some cases, who the encrypted e-mail is going to can be far more
> revealing than the contents.
Oh yes. There are all sorts of nasty tricks that can be played with
traffic analysis, and other methods. See Bruce Schneier's _Secrets and
Lies_ for a good rundown.
And, when all else fails, the bad guys can always fall back on "lead
pipe decryption". ;->
-- 
Cheers,                          Right to keep and bear
Rick Moen                        Haiku shall not be abridged
rick at domain linuxmafia.com    Or denied.  So there.
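
The two levels of keys mentioned in the message above show up in the framing of an encrypted OpenPGP message: a public-key encrypted session key packet, followed by the symmetrically encrypted data. The Python sketch below is an added example, not part of the original post; it reads RFC 4880 packet headers, and the function names, sample bytes and key ID are constructed for illustration.

```python
TAGS = {1: "public-key encrypted session key", 9: "symmetrically encrypted data",
        18: "symmetrically encrypted, integrity-protected data"}
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "ElGamal", 17: "DSA"}

def walk_packets(data):
    """Return [(tag, body), ...] for each packet in a binary OpenPGP message."""
    packets, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not a packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:                   # one-octet length
                length = first
            elif first < 224:                 # two-octet length
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:                # five-octet length
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                    # indeterminate: runs to end of input
                length = len(data) - i
            else:
                length = int.from_bytes(data[i:i + (1 << ltype)], "big")
                i += 1 << ltype
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def describe(data):
    lines = []
    for tag, body in walk_packets(data):
        if tag == 1 and len(body) >= 10:      # version | 8-byte key ID | algorithm | wrapped key
            algo = PK_ALGOS.get(body[9], "algorithm %d" % body[9])
            lines.append("session key wrapped with %s for key %s" % (algo, body[1:9].hex().upper()))
        else:
            lines.append("%s, %d bytes" % (TAGS.get(tag, "tag %d" % tag), len(body)))
    return lines

# Constructed sample (zero bytes stand in for ciphertext): a tag-1 packet, then a tag-9 packet.
SAMPLE = bytes.fromhex("840e03" "0123456789abcdef" "10" "00000000" "a408" "0000000000000000")
```

Calling `describe(SAMPLE)` reports the asymmetric layer (the wrapped session key and the recipient key ID) separately from the bulk data layer. The recipient key ID sits in the clear in the first packet.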