Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

Is PGP Encryption really secure?

Created: 14 Feb 2012 | 3 comments

The below article came out today and all that is going through my Senior Partner's and mine heads is:

Is PGP Encryption Really Secure?  Does the below article basically tell me that we have been basing our Firm's email security and a "Hope and Prayer"?

Someone (Who actually knows) please answer the question, Are my Transmissions Secure?

http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?pagewanted=all

Thank you.

 

P.S. I was really suprised that there was not already something up on this board........ 

Comments 3 CommentsJump to latest comment

dfinkelstein's picture

 

The paper just came out, and we are still researching all the details at this point.
 
First, understand that the issue is not with PGP (or rather, an issue with OpenPGP) but is a concern that the key you've generated might be weak (e.g. have small factors) or share factors with some other key generated by someone else.
 
The paper says they checked 5.48 million PGP keys.  Of these, about 400,000 are RSA keys, and there are only 28 RSA modulii that are shared. In one instance they could determine that the modulus was shared by keys for the same owner, while for the other 27 cases they couldn't realy tell.  They perform a similar analysis for DSA and ElGamal keys.
 
OpenPGP has been a standard since 1998 with RFC 2440.  PGP keys can be generated by quite a wide variety of software (old versions of the "original" Pretty Good Privacy, current versions of PGP Desktop from Symantec, GnuPGP, CryptoEx, BouncyCastle, etc. etc.) so it may never be known what software was actually used to generate "suspect" keys.
 
For our products, we take entropy collection and random number generation very seriously.  We've been submitting versions of our PGP SDK for FIPS validation since 2003 and we've been publishing our source code for cryptographic peer review for even longer.
 
We test for small prime factors implicity for RSA by using a sieve.  Our main test is a Miller-Rabin primality test that we run to assure that the resulting number is prime with error probablity of 2^-112 (as recommended by FIPS PUB 186-3).  With proper random number generation, small factor rejection, and good primality testing, the likelyhood of someone sharing a factor with you is astronomically small.

--------

David Finkelstein

Symantec R&D

Remo Williams's picture

THANK YOU!

Honestly, I needed to hear that from someone and nowhere I turned seemed to have an answer.

Thank you!

dfinkelstein's picture

You're very welcome.

Regards,

--------

David Finkelstein

Symantec R&D