[108180] in Cypherpunks


Re: FUD attack

daemon@ATHENA.MIT.EDU (Mixmaster)
Sun Feb 7 20:05:41 1999

Date: Sun, 7 Feb 1999 12:03:44 -0800 (PST)
From: Mixmaster <mixmaster@remail.obscura.com>
To: cypherpunks@toad.com
Reply-To: Mixmaster <mixmaster@remail.obscura.com>

> This message is quite funny by its implication.
>
> It implies that PGP RSA secret key passphrases can be cracked.  If it bases
> its assumption on the statistical fact that there are a lot of users who
> use weak passphrases, then, it might be true.  But since it doesn't specify
> such, it leaves the PGP user with the impression that secret keys can be
> cracked.
>
> What protects the secret RSA key is IDEA encryption (well, on 2.x.x
> versions...).  If the secret key protection can get cracked, then, one can
> say that they could break the one-time IDEA key for each message.  From the
> cracker's standpoint, the economy of scale comes only if he can intercept
> more than one message encrypted from the same RSA secret key, therefore
> giving them access to every IDEA session key.
>
> It looks improbable...  I thus conclude that this is a FUD-inducing (Fear,
> Uncertainty and Doubt) operation to undermine the confidence that people
> have in PGP.
>
> Comments?

Yep.  Many people don't use complex enough passphrases; some I know will use the plain old single-word password, then bypass PGP's warning message.  This makes the secret key vulnerable to cryptanalysis.

