Open Source and information security mailing list archives
 
Message-ID: <9AD9D61578B84144912BCB44CBEF9EAD0700E77C@usnssexc03.us.kworld.kpmg.com>
From: kenng at kpmg.com (Ng, Kenneth (US))
Subject: On PGP (was: Wiretap or Magic Lantern?)

If the FBI, or NSA, or any other government agency could break PGP, do you
think they would let the world know?  Remember that in World War II, the
British had cracked the German Enigma code.  They could have done a lot more
to stop German attacks.  But they didn't because it could have tipped off
the Germans.  When hunting down the U-boats they always sent a plane into
the area first, so if the U-boat got away they would tell the German command
that they had been spotted by an airplane, instead of the suspicious "a task
force of ships came over the horizon straight at us".

If they get the pass phrase, it will probably be through other means, human
nature, scanning through memory on the device, maybe seeing which keys are
more worn, lord knows what the NSA has available.  But like someone else who
cracked systems by looking at the power utilization, hitting the front door
is the hard way, it's the side door that people may not even realize is
there.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Feher Tamas
Sent: Wednesday, April 07, 2004 11:57 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)


Hello,

>>The terrorsts are not stupid, they use strong encryption and
>>there is proof that PGP repels NSA.
>
>What proof are you referring to? 

The case of the Italian comrades:

http://www.pcworld.com/news/article/0,aid,110841,00.asp

PGP Encryption Proves Powerful
by Philip Willan, IDG News Service, 26 May 2003

If the police and FBI can't crack the code, is the technology too strong?

Italian police have seized at least two Psion personal digital assistants 
from members of the Red Brigades terrorist organization. But the major 
investigative breakthrough they were hoping for as a result of the 
information contained on the devices has failed to materialize--
thwarted by encryption software used by the left-wing revolutionaries.

Failure to crack the code, despite the reported assistance of U.S. 
Federal Bureau of Investigation computer experts, puts a spotlight on 
the controversy over the wide availability of powerful encryption tools.

The Psion devices were seized on March 2 after a shootout on a train 
traveling between Rome and Florence, Italian media and sources close 
to the investigation said. The devices, believed to number two or three, 
were seized from Nadia Desdemona Lioce and her Red Brigades 
comrade Mario Galesi, who was killed in the shootout. An Italian police 
officer was also killed. At least one of the devices contains information 
protected by encryption software and has been sent for analysis to the 
FBI facility in Quantico, Virginia, news reports and sources said.

The FBI declined to comment on ongoing investigations, and Italian 
authorities would not reveal details about the information or equipment 
seized during the shootout.

Pretty Good Privacy
The software separating the investigators from a potentially invaluable 
mine of information about the shadowy terrorist group, which 
destabilized Italy during the 1970s and 1980s and revived its practice 
of political assassination four years ago after a decade of quiescence, 
was PGP (Pretty Good Privacy), the Rome daily La Repubblica reported. 
So far the system has defied all efforts to penetrate it, the paper said.

Palm-top devices can only run PGP if they use the Palm OS or Windows 
CE operating systems, said Phil Zimmermann, who developed the 
encryption software in the early 1990s. Psion uses its own operating 
system known as Epoc, but it might still be possible to use PGP as a 
third party add-on, a spokesperson for the British company said.

There is no way that the investigators will succeed in breaking the code 
with the collaboration of the current manufacturers of PGP, the Palo 
Alto, California-based PGP, Zimmermann said in a telephone interview.

"Does PGP have a back door? The answer is no, it does not," he 
said. "If the device is running PGP it will not be possible to break it with
cryptanalysis alone."

Investigators would need to employ alternative techniques, such as 
looking at the unused area of memory to see if it contained remnants of 
plain text that existed before encryption, Zimmermann said.

Privacy vs. Security
The investigators' failure to penetrate the PDA's encryption provides a 
good example of what is at stake in the privacy-versus-security debate, 
which has been given a whole new dimension by the September 11 
terrorist attacks in the U.S.

Zimmermann remains convinced that the advantages of PGP, which was 
originally developed as a human rights project to protect individuals 
against oppressive governments, outweigh the disadvantages.

"I'm sorry that cryptology is such a problematic technology, but there is 
nothing we can do that will give this technology to everyone without 
also giving it to the criminals," he said. "PGP is used by every human 
rights organization in the world. It's something that's used for good. It 
saves lives."

Nazi Germany and Stalin's Soviet Union are examples of governments 
that had killed far more people than all the world's criminals and 
terrorists combined, Zimmermann said. It was probably technically 
impossible, Zimmermann said, to develop a system with a back door 
without running the risk that the key could fall into the hands of a 
Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and 
Yugoslavia, respectively.

"A lot of cryptographers wracked their brains in the 1990s trying to 
devise strategies that would make everyone happy and we just 
couldn't come up with a scheme for doing it," he said.

"I recognize we are having more problems with terrorists now than we 
did a decade ago. Nonetheless the march of surveillance technology is 
giving ever increasing power to governments. We need to have some 
ability for people to try to hide their private lives and get out of the way
of the video cameras," he said.

More Good Than Harm?
Even in the wake of September 11, Zimmermann retains the view that 
strong cryptography does more good for a democracy than harm. His 
personal website, PhilZimmerman.com, contains letters of appreciation 
from human rights organizations that have been able to defy intrusion 
by oppressive governments in Guatemala and Eastern Europe thanks 
to PGP. One letter describes how the software helped to protect an 
Albanian Muslim woman who faced an attack by Islamic extremists 
because she had converted to Christianity.

Zimmermann said he had received a letter from a Kosovar man living in 
Scandinavia describing how the software had helped the Kosovo 
Liberation Army (KLA) in its struggle against the Serbs. On one 
occasion, he said, PGP-encrypted communications had helped to 
coordinate the evacuation of 8,000 civilians trapped by the Serbs in a 
Kosovo valley. "That could have turned into another mass grave," 
Zimmermann said.

Italian investigators have been particularly frustrated by their failure to 
break into the captured Psions because so little is known about the 
new generation of Red Brigades. Their predecessors left a swathe of 
blood behind them, assassinating politicians, businessmen, and 
security officials and terrorizing the population by "knee-capping," or 
shooting in the legs, perceived opponents. Since re-emerging from the 
shadows in 1999 they have shot dead two university professors who 
advised the government on labor law reform.

Cracking the Code
Zimmermann is not optimistic about the investigators' chances of 
success. "The very best encryption available today is out of reach of the 
very best cryptanalytic methods that are known in the academic world, 
and it's likely to continue that way," he said.

Sources close to the investigation have suggested that they may even 
have to turn to talented hackers for help in breaking into the seized 
devices. One of the magistrates coordinating the inquiry laughed at 
mention of the idea. "I can't say anything about that," he said.

The technical difficulty in breaking PGP was described by an expert 
witness at a trial in the U.S. District Court in Tacoma, Washington, in 
April 1999. Steven Russelle, a detective with the Portland Police 
Bureau, was asked to explain what he meant when he said it was 
not "computationally feasible" to crack the code. "It means that in 
terms of today's technology and the speed of today's computers, you 
can't put enough computers together to crack a message of the kind 
that we've discussed in any sort of reasonable length of time," he told 
the court.

Russelle was asked whether he was talking about a couple of years or 
longer. "We're talking about millions of years," he replied.

[BTW: I read the ring was dismantled later, because one of the GSM 
mobile phones they used had to be repaired months earlier and the 
shop owner has preserved the telephone number they gave for 
notification when the unit is ready. His repair warranty sticker was 
found inside the confiscated phone and so the law enforcement 
contacted him. Parsing the telco's history log for calls to / from that 
single number revealed almost the entire cell's structure. So make 
yourself a favour and buy a disposable mobile phone next time! Unless 
you are an environmental terrorist of course...]

Sincerely: Tamas Feher.
