Analysis on the security Problem of PGP

PGP itself is a data security product, what security problems does it have? "No data security system is unbreakable," Philzimmermann, author of PGP, said in the PGP document. "PGP is no exception. We look at its security vulnerabilities in order to let users know what will degrade the security of PGP and how to avoid them. Here are the vulnerabilities: passwords or private key leaks, public key tampering, files that you deleted were restored, viruses and trojans, physical security violations (physical security refers to the security of physical resources such as computers), electromagnetic leakage, exposure to multi-user systems, network data flow analysis, It may even be decrypted directly from the perspective of cryptography (which is, of course, the least likely). Let's look at the security of the four key parts of the PGP encryption system first. PGP is a miscellaneous algorithm, the so-called "miscellaneous" embodied in it include: a symmetric encryption Algorithm (IDEA), an asymmetric encryption algorithm (RSA), a one-way hashing algorithm (MD5) and a random number generator (from the user keystroke frequency generated pseudo-random number sequence of seeds). Each algorithm is an integral part of PGP and has different attack modes. Idea Security Problem idea is the actual encryption algorithm PGP cipher, for the use of direct attack decryption, idea is PGP ciphertext of the first line of defense. The principle of idea is shown in "PGP Introduction," Where I'll talk about security-related parts. Idea, a traditional encryption algorithm for 64bit sized blocks of data, which was completed by Lai and Massey in 1992. idea is the abbreviation of Internationaldataencryptionalgorithm. It is based on the design idea of "mixed operation on different algebraic groups", it is much faster than des in software implementations, and, like DES, it also supports two modes of "Feedback encryption (CFB)" and "Chained Encryption (CBC)", using Idea's 64-BITSCFB pattern in PGP. Idea is more than the same age algorithm: Feal,redoc-ii,loki,snefru and Khafre are strong, and recent evidence suggests that even the Biham and Shamir differential cryptanalysis that have been hugely successful on des can do nothing for idea. Biham and Shamir had a special analysis of idea's weaknesses, but they didn't succeed. Until now there has been no publication of the results of the cryptography analysis attack on idea, according to the documents I have contacted, neither the NSA nor the hacker have been able to analyze ideas in cryptography, so the attack on idea is a "direct attack" or "key-poor". So how difficult is the direct attack on idea? We know that the secret key space of idea (key length) is 128 bits, in decimal notation the number of all possible keys will be an astronomical figure: 340,282,366,920,938,463,463,374,607,431,768,211,456. To try out a particular key, the average is to test half the possibility. Even if you use 1 billion computers that can test 1 billion keys per second, it will take longer than the age of the universe you know, and it is impossible to make a computer that tests 1 billion keys per second today. So it is impossible to explicitly attack idea, let alone from the principle of PGP to see an idea of the secret key secrets will reveal only once encrypted information, the user's most important key--rsa key to confidentiality has no effect. So there seems to be no problem with idea, because you can neither find the flaw in the algorithm nor the explicit attack. The loophole is still there, you know Netscape's security turmoil, because of the neglect of the problem of the key random generation, Netscape's random key generation algorithm generated by the key is very "regular", and far from uniform to the entire key space to go, So even though Netscape's American version uses a 128bits key, it was broken at a very small price. So does PGP have this problem? I'll talk about random number generation in detail below, which is mentioned here to illustrate the dependencies between the various parts of PGP. When it was discovered that PGP was not actually a "pure" RSA encryption algorithm, they feared being compromised by the idea's weakness in the encryption chain. In fact, this is due to the misconception that public key cryptography is inherently more secure than traditional encryption. As a matter of fact, cryptanalysis experts have calculated that the amount of work performed on the 128-bitidea key and the decomposition of the 3100-BITRSA key is equivalent to the fact that 1024-bit's RSA key has been considered a confidential level, and 1024-bit's pure RSA encryption is 4,000 times slower than 128-bit's idea encryption. RSA's strength lies in its ease of use rather than its robustness, and the weakness of the cryptographic chain is not on the idea but on RSA. Of course, this is relative, and we will soon see that RSA's resistance to direct attacks is strong enough. Incidentally, in future versions of PGP, a tripledes encryption algorithm with a key length of 112-bit is provided as a user option. 56-bit's standard des keys have been proven to be capable of being breached. RSA security issues First look at the basic principles of RSA, we know that RSA's confidentiality is based on a mathematical assumption: it is impossible to decompose a large composite. RSA uses the product of two very large prime numbers that cannot be decomposed at the current level of the computer. But this does not mean anything, there is no "proof" of RSA security. This does not mean that the decomposition of this large number is an attack on RSA onlyOne (or the best) way to prove that this decomposition is really difficult. RSA is likely to have some cryptography flaws, with the development of number theory may find a time consuming in a polynomial way to increase the decomposition algorithm. But this is still a prospect, even the direction of development has not been found. The development of three kinds of things threatens the security of RSA: decomposition technology, the improvement of computer ability and the decrease of computer cost. In particular, the first threat to RSA is greatest, because as long as the problem of large number decomposition is not resolved, do multiplication is always much faster than the decomposition factor, the computer is powerful enough to be able to add a long key to defense, because then encryption will be much faster. RSA's key generation step can be divided into seven steps:-Find two large prime numbers p,q-do multiplication n=p*q-Select a number of E, meet en, and the default E value is 17, if not 19,23 and so on. RSA timing Attack Method This is an alternative approach. was published by Paulkocher. You can find that the basic operation of RSA is the exponentiation modulo, this operation is characterized by time-consuming and accurate depending on the number of times. So if a can monitor the process of RSA decryption and timing it, he can work out D. I will not go into details. What I want to say is how to resist it. The simplest approach, Rivest says, is to make RSA spend an equal amount of time on basic operations, regardless of operand. Second, in the encryption before the data to make a transformation (spend a constant time), in the decryption end of the reverse transformation, so that the total time is no longer dependent on the number of operations. As for PGP, there is no need to worry about timing attacks, because PGP accelerates the operation by using the Chinese remainder theory, and it also makes it irrelevant to the operands. While timing attacks are too demanding for an attacker's resources, real-time monitoring of the encryption process is not possible for anyone. The reason for this attack here is that, although it is not practical at present, it is theoretically a new idea and worth noting. Other attacks on RSA also have attacks on RSA, like public modulus attacks. It refers to a number of users common to a module n, each has its own E and D, among several users of the public n will enable the attacker can not decompose N and restore plaintext. But PGP is not a common module between users. Finally, the RSA key length problem, how long the key is safe. Experts point out that any prophecy is irrational, the current computer level with 1024-bits key is safe, 2048-bits is absolutely safe. But they do not expect the situation to continue into the next century, and they simply point out that if RSA is as vulnerable as some say, it will not be possible to keep it from 1977 until now. MD5 Security Problem MD5 is a one-way hashing algorithm which is used to transform user's password and sign information in PGP. The strength of a one-way hash is reflected in the degree to which it can randomize arbitrary input and produces a unique output. For one-way hashDirect attacks can be divided into common direct attacks and "birthday" attacks. An ordinary direct attack on the MD5 called a direct attack called a savage attack. An attacker is H (m) =h (m) in order to find a plaintext m ' that is identical to the original plaintext m hash result. A common direct attack, as the name implies, is to give a possible plaintext to produce a hash result that is identical to H (m). For MD5, the hash result is 128-bits, which means that if an attacker had a machine that tried 1,000,000,000 plaintext per second, it would take about 10^22 years, and might also find M itself:). The birthday attack on MD5 is actually just to find two clear text that produces the same hash result. Remember that famous probability birthday question? What is the probability of having at least two people with the same birthday in n individuals? The so-called birthday attack is actually only using the probability to guide the discovery of the hash conflict, for MD5 if you try to 2^64 the text, then at least one of them has a collision probability of 50%. That is not the case for today's technological capabilities. One of the machines mentioned above averages 585 years to find a pair, and it doesn't immediately turn into a real attack. Because of the relationship between code length and speed, the birthday attack on crypt (3) is much more successful. Other attack differential attacks against MD5 were proved to be valid for a MD5 cycle, but not for all 4 cycles. (differential attack is to attack the encryption system by comparing and analyzing the specific difference of the plaintext in the transmission of the change after the encryption.) There is a successful MD5 attack, but it is MD5 the code itself, is a crack rather than hack is not cryptanalysis. And if you do a signature checksum for a PGP release package, it's easy to see that the code has been replaced. Password length and information theory according to traditional theory, the entropy of each 8-bits letter in English is 1.3bits. If the password is long enough, the result of the MD5 is random enough. For 128-bits's MD5 output, a 98-character password will give a random key. (8/1.3) * (128/8) =98.46chars but who would use a password as long as the one below? The fact that the information entropy of 1234567890123456789012345678901234567890123567890123456789012345678901234567890123456781.3bits comes from the regularity of English grammar , the probability of letters appearing in the unequal cause of the reduction of entropy. If the 26 Latin alphabet appears to be equal in probability, information entropy will be increased to log (/log) (2) =4.7bits such a random key requires the password length reduced to 27.23chars, if combined with the case and a few symbols can be reducedLess。 The question of choosing a password can refer to any book about security, and they all apply, which is about the characteristics of PGP itself. The security problem of random number PGP uses two pseudo-random number generators (PRNG), one is a ANSIX9.17 generator, and the other is calculating entropy from the time and sequence of user keystrokes to introduce randomness. ANSIX9.17PRNG uses idea instead of 3DES to produce random-number seeds. The Randseed.bin file was originally created with user keystroke information, and a new random number was introduced before and after each encryption, and the random number seed itself was encrypted. ANSIX9.17PRNG's official ANSIX9.17 standard uses tripledes as the kernel, which can easily be implemented using idea. X9.17 requires 24bytes of random numbers in Randseed.bin, and PGP uses other 384bytes to store other information. The X19.7 work process is as follows: E () =idea cryptographic function, using a reusable key (generated using plaintext). t= time from Randseed.bin file v= initialization vector r= generated random key (used to encrypt a PGP plaintext) r=e[e (t) XORV] The next initialization vector is calculated as follows: V=e[e (t) xorr] user keystrokes Introduce randomness this is the real random number, There is nothing to say, just try to make keystrokes without rules on the line. The higher the input entropy, the greater the entropy of the random number. X9.17 use MD5 to wash the so-called "wash" is to refer to the same as the shuffle data, encryption before called pre-wash, after encryption for the next encryption after the preparation called after washing. The daily random number generator of PGP is X19.7 by the MD5 value of the plaintext, based on the assumption that the attacker does not know the plaintext. If the attacker knew the plaintext he would not have much need to attack, of course, it would be, but it would only weaken the randomness of a little prng. Next we'll see a back-washing operation. Randseed.bin after washing operation is considered to be more safe. More random bytes are used to reinitialize randseed.bin files, which are encrypted with the current random temporary PGP key. Also, if the attacker knew the key, he would not have to attack the Randseed.bin file, instead he was more concerned about the current state of the Randseed.bin file because it might get some of the next encrypted information. Therefore, the protection of randseed.bin files and the public key ring and private key ring files are equally important. Of course, if it wasn't for the password experts, it would be fine for him. To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original text: Security analysis of PGP return to network security home