
PGP how secure?

  • 20-10-2003 7:55pm
    #1
    Closed Accounts Posts: 2,204 ✭✭✭


    Just wondering about using PGP: is it a random encryption? How secure is it exactly? Do companies use it for transferring sensitive information?


Comments

  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    imagine every single computer working together multiplied by the age of the universe on average,

    and you still mightn't crack a single PGP encrypted message!


  • Registered Users, Registered Users 2 Posts: 1,328 ✭✭✭Sev


    Originally quoted by William Crowell, Deputy Director of the United States National Security Agency, March 1997

    "If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message."


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    that's the one, Sev

    damn my google skillz today


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    That was nearly 7 years ago.
    Computers, not to mention NSA's annual budget, have come
    a long way since then.
    Also, why would they want you to think it easy for them to
    break a single message?
    They can't?.. That's just naive.

    I don't see what interest NSA would have in general public e-mails.
    I don't mean to be cheeky, but do you expect the NSA to be
    interested in yours? hardly.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,550 Mod ✭✭✭✭Capt'n Midnight


    260m x 12m x 12bn years = 3.744 E25 computer years

    But Moore's law suggests (speed doubling every 18 months - 82.3 doublings ) that in 123.5 years time one computer would do it in a single year. :)

    Though the US gov't could use a million computers (cf. SETI) to crack it in one year 30 years earlier...

    [edit] ok in 126.5 years then,,,,


  • Closed Accounts Posts: 2,204 ✭✭✭bug


    heh so pretty secure then :D ....thanks


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    If the NSA wanted to read your PGP encrypted message they would not spend billions on *just* computing equipment, they would just try to discover your keys! A lot easier...


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    Originally posted by Average Joe

    I don't see what interest NSA would have in general public e-mails.
    I don't mean to be cheeky, but do you expect the NSA to be
    interested in yours? hardly.

    how do you know what bug's emails will contain..

    i think NSA would be well concerned if r00t passwords for their machines were being emailed in confidence and nothing could be done about it!

    private companies use PGP too!


  • Registered Users, Registered Users 2 Posts: 1,038 ✭✭✭rob1891


    PGP is as secure as your public and private keys. If you don't protect these, and the private's passcode too, then it's not all that secure. The encryption is so strong that no one is going to try and break it that way. More likely, they'll storm your home/workplace, steal your equipment, shoot your children, and then demand the passcode.

    At least, that's how I'd do it! :ninja:


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,550 Mod ✭✭✭✭Capt'n Midnight


    no need, they'll just activate code built into the BIOS to log keystrokes - where do you think Intel are getting the money to push Centrino ;)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I wasn't necessarily talking about the interest in bug's e-mail.
    More so about lack of interest in majority of people who use PGP.
    Unless Osama Bin Laden uses PGP, or bug is a terrorist stealing root passwords from NSA ED-209 super-computers, e-mailing.. some information critical to "national security" of U.S, why bother.


  • Closed Accounts Posts: 2,204 ✭✭✭bug


    or bug is a terrorist stealing root passwords from NSA ED-209 super-computers, e-mailing.. some information critical to "national security" of U.S,.

    hey! it took me two days to figure out how to install and set up IRC. :D I hide my ignorance relatively well.

    computers eh?


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Ya know bug, you really are a paranoid young lass.


  • Registered Users, Registered Users 2 Posts: 7,456 ✭✭✭jmcc


    Originally posted by rob1891
    PGP is as secure as your public and private keys. If you don't protect these, and the private's passcode too, then it's not all that secure.

    PGP is fundamentally just as secure as the algorithm used at the heart of it for the encryption process. I simply do not trust it as being secure enough against attacks from well funded government agencies. There have been too many 'unbreakable' systems over the years and I have actually broken some of them. ;)

    However I think that a massive chosen plaintext flaw exists for many PGP users that would reduce the complexity of an attack on PGP encrypted data. (It is a blindingly obvious one to most cryppies but it does not apply to all cases - just encrypted files.)

    How a government deals with obtaining the keys depends on the threat level that the PGP user poses to a government agency. The government agency can use rubber hosepipe cryptography and beat the keys out of the user. This is perhaps an easier solution, especially if tricky questions like Human Rights do not apply. However a blackbag job on the user's premises may be the simplest option.

    The encryption is so strong that no one is going to try and break it that way.

    While the algorithms in PGP are open to analysis, there is always the possibility that a government agency has potentially compromised them by using an unknown approach or algorithm. Besides what would happen if a system that could evaluate all possible keys to the core algorithm existed?

    Regards...jmcc


  • Registered Users, Registered Users 2 Posts: 7,456 ✭✭✭jmcc


    Originally posted by Sev
    "If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message."
    Originally quoted by William Crowell, Deputy Director of the United States National Security Agency, March 1997

    Nice bit of disinformation in that quote, Sev :) It was intended for the idiot technology journalists who do not understand crypto but simple enough to let them sound convincing. :) The same arguments were used for DES. (Though the real reason that DES was dropped as a USG standard may have been the massive attack on it by satellite TV pirates in the US.)

    The DES crack approach was to use a massively parallel attack with a properly designed system based on microcontrollers rather than PCs. PCs are inefficient for this kind of operation and simpler, well coded logic and microcontrollers work far better. Therefore it may be possible to develop an attack on the core algorithms of PGP using a similar device. The cost of the device would be high (perhaps only governments could afford it).

    Regards...jmcc


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Course in the UK the rubber hose is not required, they simply need to subpoena the keys under the Regulation of Investigatory Powers Act 2000. The Brits can thank good old Jack Straw for that one.

    adam

