"If all the personal computers in the world - 260 million - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message."

- William Crowell, Deputy Director, National Security Agency, March 20, 1997.

"I encourage you to use the latest version of PGP from NAI, PGP 6.0.2. That's what I use, and it's every bit as secure as any previous version of PGP, in fact the security has only improved. Peer review of the source code has shown that there have never been any back doors in PGP, and still aren't." -Phil Zimmermann, *The Zimmermann Telegram*, 12/4/98

"Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors. In all previous releases, up through PGP 6.5.8, this has been proven by the release of complete source code for public peer review. New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish. If NAI ever publishes the complete PGP 7.0.3 source code, I am confident that the public will be able to see that there are still no back doors. Until that time, I can offer only my own assurances that this version of PGP was developed on my watch, and has no back doors. In fact, I believe it to be the most secure version of PGP produced to date."

-Phil Zimmermann, alt.security.pgp newsgroup post, 2/19/01

"In order to solve the key management problem, Whitfield Diffie and Martin Hellman … introduced the concept of public-key cryptography in 1976."

-*RSA Labs FAQ v4.0* 1996, page 18

"Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977."

-*RSA Labs FAQ v4.0* 1996, page 59

"The ElGamal system…is a public-key cryptosystem based on the discrete logarithm problem. It consists of both encryption and signature variants. The encryption algorithm is similar in nature to the Diffie-Hellman key agreement protocol…."

-*RSA Labs FAQ v4.0* 1996, page 95

"The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem."

-*Handbook of Applied Cryptography* 1996, pages 1 & 2

"Analysis based on the best available algorithms for both factoring and discrete logarithms show that RSA and ElGamal have similar security for equivalent key lengths."

-*RSA Labs FAQ v4.0* 1996, page 95

"RSA has received far more attention, study, and actual use than any other public-key cryptosystem, and thus RSA has more empirical evidence of its security than more recent and less scrutinized systems."

-*RSA Labs FAQ v3.0* 1995, page 31

"PGP 6.0, both the business version called "Desktop Security" and the retail version called "Personal Privacy," are Diffie-Hellman-only. That is, if you don't specifically ask for an RSA-enabled product NAI (we) will sell you a DH-only version of PGP.

Why? We want to discourage the use of RSA keys. Not because they are bad from a crypto standpoint, but because we have put a lot of effort into extending the capability of DH keys and of course because the DH algorithm is no longer patented."

-Noah Salzman, NAI, PGP-Users email list 10/1/98

"In about 485 days when the RSA patent expires, we will release freeware with full RSA support, and upgrade RSA support to all the new features supported by DH keys. Consider this a pre-announcement, ;-) "

-Will Price, Network Associates, Inc., 5/12/99

"No one can duplicate the confidence that RSA offers after 20 years of cryptanalytic review."

-Bruce Schneier, *CRYPTO-GRAM*, March 15, 1999

"The RSA system is probably the most widely used public-key cryptosystem in the world. It is certainly the best known."

"RSA is patented under U.S. Patent 4,405,829, issued September 29, 1983 and held by RSA Data Security, Inc.; the patent expires 17 years after issue, in the year 2000."

-*RSA Labs FAQ v4.0* 1996, page 154

"Furthermore, RSA Laboratories has made available (in the U.S. and Canada) at no charge a collection of cryptographic routines in source code, including the RSA algorithm; it can be used, improved and redistributed non-commercially…."

-*RSA Labs FAQ v3.0* 1995, page 34

"RSAREF is a free, portable software developer's library of popular encryption and authentication algorithms. The name "RSAREF" means "RSA reference." RSA Laboratories intends RSAREF to serve as a free, educational reference implementation of modern public- and secret-key cryptography."

-*RSA Labs FAQ v3.0* 1995, page 179

"While the 56-bit key in DES now only offers a few hours of protection against exhaustive search by a modern dedicated machine…, the current rate of increase in computing power is such that an 80-bit key as used by Skipjack…can be expected to offer the same level of protection against exhaustive key search in 18 years time as DES does today."

-*RSA Labs FAQ v4.0* 1996, page 50

"A 128 bit key makes a brute force attack ridiculous even to contemplate. Industry experts estimate that by 1996 there will be 200 million computers in use worldwide. This estimate includes everything from giant Cray mainframes to subnotebooks. If every one of those computers worked together on this brute-force attack, and each computer performed a million encryptions per second every second, it would still take a million times the age of the universe to recover the key."

-*Applied Cryptography* 1996, pages 154-155

"In 1997, a specific assessment of the security of 512-bit RSA keys shows that one may be factored for less than $1,000,000 in cost and eight months of effort…. It is believed that 512-bit keys no longer provide sufficient security for anything more than very short-term security needs."

-*RSA Labs FAQ v4.0* 1996, page 63

"Today you need a 1024-bit number to get the level of security you got from a 512-bit number in the early 1980s. If you want your keys to remain secure for 20 years, 1024 bits is likely too short."

-*Applied Cryptography* 1996, page 160

"Using current mathematics and technology, it is impossible to even consider factoring a 1024-bit number. I'm not willing to make any hard predictions about tomorrow."

-Bruce Schneier, *CRYPTO-GRAM*, March 15, 1999

"A prime of 2048 bits can be expected to secure data until around 2022; 3072 bits is secure until 2038; and 4096 bits until 2050."

....

"The predictions ... are by far the best estimates we have, but don't put too much faith in them."

-*Practical Cryptography* 2003, page 217

"In general, though, you should choose a public-key length that is more secure than your symmetric-key length."

-*Applied Cryptography 1996*, page 165

"If at all possible from a performance point of view, use 4096 bits, or as close to 4096 bits as you can afford."

"People who work in factoring research say that the workload to exhaust all the possible 128-bit keys in the IDEA cipher would roughly equal the factoring workload to crack a 3100-bit RSA key, which is quite a bit bigger than the 1024-bit RSA key size that most people use for high security applications. Given this range of key sizes, and assuming there are no hidden weaknesses in the conventional cipher, the weak link in this hybrid approach is in the public key algorithm, not the conventional cipher."

-*PGP 2.6.2 User's Guide Volume II* 1994

"A conventional 80-bit key has the equivalent strength of a 1024-bit public key. A conventional 128-bit key is equivalent to a 3000-bit public key."

-*PGP 6.0 An Introduction to Cryptography* 1998, page 17

"Last fall, mathematician Dan Bernstein circulated a paper discussing improvements in integer factorization, using specialized parallel hardware. The paper didn't get much attention until recently, when discussions sprang up on SlashDot and other Internet forums about the results. A naive read of the paper implies that factoring is now significantly easier using the machine described in the paper, and that keys as long as 2048 bits can now be broken. This is not the case. The improvements described in Bernstein's paper are unlikely to produce the claimed speed improvements for practically useful numbers."

-Bruce Schneier, *CRYPTO-GRAM*, March 15, 2002

"A possible successor to DES may be a variation known as "triple DES," which uses two DES keys to encrypt three times, achieving an effective key space of 112 bits"

-*PGP 2.6.2 User's Guide Volume II* 1994

"...we do not recommend using either DES or 3DES in new designs."

"IDEA is based on some impressive theoretical foundations and, although cryptanalysis has made some progress against reduced-round variants, the algorithm still seems strong. In my opinion, it is the best and most secure block algorithm available to the public at this time."

-*Applied Cryptography* 1996, page 319

"Sadly, the biggest obstacle to IDEA's acceptance as a standard has been the fact that Ascom Systec holds a patent on its design, and unlike DES and CAST, IDEA has not been made available to everyone on a royalty free basis."

-*PGP 6.0 An Introduction to Cryptography* 1998, page 34

"There is no known way to break CAST other than brute force."

-*Applied Cryptography* 1996, page 335

"There are a lot of CAST algorithms. Some have been beaten up somewhat; some haven't. I don't buy the design process. And I DON'T like CAST-256."

- Bruce Schneier, ailab.coderpunks newsgroup post, 7/17/98

"My favorite algorithm is IDEA."

-*Applied Cryptography* 1996, page 354

"Assuming you trust IDEA, PGP is the closest you're likely to get to military grade encryption."

-*Applied Cryptography* 1996, page 587

"A 128-bit key would be great except for one problem: collision attacks."

...

"Therefore: use 256-bit keys!"

"In the United States, government agencies consider strong encryption to be systems that use RSA with key sizes over 512-bits or symmetric algorithms (like DES, IDEA, or RC5) with key sizes over 40-bits."

-*RSA Labs FAQ v4.0* 1996, page 161

"A good working assumption is that the NSA can read any message that it chooses, but that it cannot read all messages it chooses. The NSA is limited by resources, and has to pick and choose among its various targets. Another good assumption is that they prefer breaking knuckles to breaking codes; this preference is so strong that they will only resort to breaking codes when they wish to preserve the secret that they have read the message."

-*Applied Cryptography* 1996, page 215

"The NSA is known to be the largest employer of mathematicians in the world; it is also the largest purchaser of computer hardware in the world. The NSA probably possesses cryptographic expertise many years ahead of the public state of the art (in algorithms, but probably not in protocols) and can undoubtedly break many of the systems used in practice."

-*Applied Cryptography* 1996, page 598

"The Digital Signature Standard…was originally proposed by NIST with a fixed 512-bit key size. After much criticism that this is not secure enough, especially for long-term security, NIST revised DSS to allow key sizes up to 1024 bits. DSA is, at present, considered to be secure with 1024-bit keys."

-*RSA Labs FAQ v4.0* 1996, page 82

"In response to this criticism, NIST made the key size variable from 512 bits to 1024 bits. Not great, but better."

-*Applied Cryptography* 1996, page 486

"Gus Simmons discovered a subliminal channel in DSA…. This subliminal channel allows someone to embed a secret message in his signature that can only be read by another person who knows the key. According to Simmons, it is a "remarkable coincidence" that the "apparently inherent shortcomings of subliminal channels using the ElGamal scheme can all be overcome" in the DSS, and that the DSS "provides the most hospitable setting for subliminal communications discovered to date." NIST and NSA have not commented on this subliminal channel; no one knows if they even knew about it. Since this subliminal channel allows an unscrupulous implementer of DSS to leak a piece of the private key with each signature, it is important to never use an implementation of DSS if you don't trust the implementer."

-*Applied Cryptography* 1996, page 493

"Van Oorschot and Wiener…have considered a brute-force search for collisions…in hash functions, and they estimate a collision search machine designed specifically for MD5 (costing $10 million in 1994) could find a collision for MD5 in 24 days on average."

-*RSA Labs FAQ v4.0* 1996, page 92

"The problem with MD5 is that the compression function h' is known to have collisions.... At the moment, there are no known attacks on MD5 itself, but the presence of collisions in the compression function makes us wary of using MD5."
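The two quotes above on collisions (the "128-bit key ... collision attacks" warning and the Van Oorschot-Wiener collision-search estimate) both rest on the birthday bound: a brute-force collision search against an n-bit value costs on the order of 2^(n/2) trials, not 2^n. The following Python is an added illustration, not code from Tom McCune's page or from any of the quoted authors. It runs a generic birthday search against a deliberately truncated SHA-256 (an assumption made purely so the search finishes in seconds) and reports the work in bits, which is how one arrives at "a 128-bit hash or key gives only about 64 bits of collision resistance".

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Toy short hash: the leading `bits` bits of SHA-256(data), as an int.

    Truncation is an assumption for demonstration only; it stands in for
    any n-bit hash or key that an attacker is searching for a collision.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Expected number of random inputs before the first collision in an
    n-bit output (birthday bound): sqrt(pi/2 * 2**n)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def work_in_bits(bits: int) -> float:
    """Collision work expressed as log2(trials), i.e. roughly n/2 bits."""
    return math.log2(expected_trials(bits))


def find_collision(bits: int, seed: bytes = b"") -> tuple[bytes, bytes, int]:
    """Generic birthday search: hash distinct inputs (seed || counter) until two
    of them share a truncated hash value. Returns (m1, m2, trials).

    Memory grows with the number of trials; a real collision-search machine
    (as in the Van Oorschot-Wiener estimate) avoids that with distinguished
    points, but the trial count is the same order of magnitude.
    """
    seen: dict[int, bytes] = {}
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")  # constructed inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    for n in (16, 24, 32):
        m1, m2, trials = find_collision(n)
        print(f"{n}-bit hash: collision after {trials} trials "
              f"(expected ~{expected_trials(n):.0f}, "
              f"i.e. about 2^{work_in_bits(n):.1f})")
        assert m1 != m2 and truncated_hash(m1, n) == truncated_hash(m2, n)
    # The numbers behind the quotes: a 128-bit value falls to ~2^64 work.
    print(f"128-bit: ~2^{work_in_bits(128):.1f} trials; "
          f"256-bit: ~2^{work_in_bits(256):.1f} trials")
```

The search above needs tens of thousands of trials for a 32-bit value; scaling the same formula to 128 bits gives roughly 2^64 trials, which is why the second quote concludes that a 256-bit key is needed when collision attacks are in scope.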

"Given my general level of paranoia, I recommend overwriting a deleted file seven times: the first time with all ones, the second time with all zeros, and five times with a cryptographically secure pseudo-random sequence. Recent developments at the National Institute of Standards and Technology with electron-tunneling microscopes suggest even that might not be enough. Honestly, if your data is sufficiently valuable, assume that it is impossible to erase data completely off magnetic media. Burn or shred the media; it's cheaper to buy media new than to lose your secrets."

-*Applied Cryptography* 1996, page 229
