A few recent headlines (Google translated link) have suggested that PGP encryption can be broken. My first reaction was with a sigh: “Not this again!” Such claims have been made before, and so far not a single one has proven true. Thus far, that seems to be the case here.
Breaking “PGP Crypto” Means Breaking AES
First, remember that PGP products do not use a custom encryption algorithm. They are based on well-studied, standard algorithms such as RSA and AES, at bit lengths that are regarded as best practices for strong security (2048-bit RSA keys and 256-bit AES keys). Other algorithms can be selected by policy (e.g., DSS, Twofish, etc.), as can other bit lengths.
For an organization to “break” PGP, they would need to break these standard algorithms that governments and industries worldwide use to protect national security and global commerce. Such news would have an impact far broader than just the use of PGP software.
Symantec Rigorously Validates Its Crypto Implementations
An alternative to attacking the crypto itself is to break the implementation of the cryptography. To ensure our implementation is as bullet-proof as possible, we rigorously validate our products via the United States government’s NIST FIPS 140-2 and the UK government’s CESG CAPS processes.
For some, that’s not far enough – so we take an extra step. Symantec is unique in the commercial software industry in that we make our source code available for cryptographic review – allowing the highest security organizations and educational institutions to satisfy their own peer review requirements.
Digging into the text of the specific, recent claims, it’s easy to see how (probably intentionally) obtuse language and the use of automated translations could lead to mistaken conclusions. As in many similar situations, if data encrypted with PGP was accessible—which isn’t clear—it is likely that a weak passphrase or a keylogger was used. Such details are notably omitted from the articles.
Closing Thoughts
We have worked hard to earn the trust of our customers, who use our products to protect their most important data. When something jeopardizes that trust, we take it seriously.
Imagine my delight then, when today I see a second article from the same publication, this one entitled, “PGP is Still Very Safe” (Google translated link.) It does a great job of making the points above, and highlighting the lack of details in the original article.