Re: PGP Software - Is it safe?
From: Dave (nospam_at_kcsystems.com)
Date: 4 May 2004 04:42:04 -0700
Secure Lockdown <email@example.com> wrote in message news:<Xns94DEE27CA199Esecurelockdown2123@126.96.36.199>...
> firstname.lastname@example.org (Bill Unruh) wrote in news:c75uup$5ce$1
> > What evidence do you have for this?
> uber crypto papers.
> > It is impossible to test the
> > security of an encryption system just by looking at the input and
> > output. Unless the encryption is completely and totally stupid, the
> > output will look random.
> > You MUST look at the source code for the
> > encryption routines, and must look to see how they are handled.
> > A number of years ago a paper was published showing how the factors in
> > RSA could be encoded in the public key, so that anyone in the know could
> > decrypt any message trivially easily, but this info was completely
> > invisible to those not in the know. I.e., not only the encryption system
> > but also (or especially) the key generation algorithm need to be public
> > (Recall also the Netscape disaster, where their ultra secure keys were
> > shown to have only something like 15 bits of randomness due to
> > incompetence in the generation of the random numbers).
> > I would not trust the MS encryption for anything but hiding your cookie
> > recipe from your mother-in-law.
> MS just got into bed with RSA. I think the next few generations of MS OS and
> NOS will be more security focused. perhaps the programmers are still going
> to release stuff that has not been properly and thoroughly tested (based on
> standards that should be in place considering they are the major OS out
> there), but I believe there is going to be more focus on security.
Given the prevalence of Microsoft/RSA encryption (EFS, SSL, S/MIME,
etc.) and the lack of exploits, I believe it is fair to say that it is
If there is a weakness in the MS/RSA encryption, it lies in the
general lack of security of Windows and that of human factors -
assuming the use of relatively strong algorithms and keys (128 bit
RC2, 3-DES, minimum 1024 bit keys).
However, there are measures you can take to further protect your keys,
and thus your data, such as enabling "high" protection so as to
password-protect your private key.
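
An added illustration of the quoted point about random-looking output and weak key generation, not code from any poster in this thread: a toy cipher keyed from a constructed 15-bit seed yields ciphertext that passes a bit-balance check, while a review of the key generator shows only 2^15 possible keys. The cipher (SHA-256 in counter mode), all function names, the plaintext and the seed are assumptions made for the example.

```python
import hashlib

SEED_BITS = 15  # constructed: mirrors the "something like 15 bits" quoted above

def weak_keygen(seed: int) -> bytes:
    """Hypothetical flawed generator: a 128-bit key from a 15-bit seed."""
    return hashlib.sha256(b"toy-keygen" + seed.to_bytes(2, "big")).digest()[:16]

def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def ones_fraction(data: bytes) -> float:
    """Black-box statistic: fraction of 1 bits (about 0.5 for random data)."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def seeds_explaining(ciphertext: bytes, known_prefix: bytes) -> list:
    """White-box audit: walk the generator's entire seed space."""
    n = len(known_prefix)
    return [s for s in range(2 ** SEED_BITS)
            if encrypt(weak_keygen(s), known_prefix) == ciphertext[:n]]

# Constructed sample input: a highly structured plaintext and an arbitrary seed.
PLAINTEXT = b"cookie recipe: flour, sugar, butter. " * 100
SECRET_SEED = 12345
CIPHERTEXT = encrypt(weak_keygen(SECRET_SEED), PLAINTEXT)

if __name__ == "__main__":
    print("1-bit fraction, plaintext :", round(ones_fraction(PLAINTEXT), 3))
    print("1-bit fraction, ciphertext:", round(ones_fraction(CIPHERTEXT), 3))
    print("seeds consistent with output:",
          seeds_explaining(CIPHERTEXT, PLAINTEXT[:8]))
```

The bit-balance figure says nothing about the key space; only the generator's code reveals that the 128-bit key has 15 bits of entropy.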