[15900] in cryptography@c2.net mail archive
Re: Cryptography and the Open Source Security Debate
daemon@ATHENA.MIT.EDU (Jon Callas)
Fri Aug 13 18:12:25 2004
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <31261274.1092140192837.JavaMail.root@daisy.psp.pas.earthlink.net>
Cc: lrk <crypto@ovillatx.sytes.net>,
"R. A. Hettinga" <rah@shipwright.com>, cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
Date: Thu, 12 Aug 2004 15:27:07 -0700
To: John Kelsey <kelsey.j@ix.netcom.com>
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
> So, how many people on this list have actually looked at the PGP key
> generation code in any depth? Open source makes it possible for
> people to look for security holes, but it sure doesn't guarantee that
> anyone will do so, especially anyone who's at all good at it.
>
<http://www.pgp.com/products/sourcecode.html>
The relevant key generation code can be found in:
libs2/pgpsdk/priv/crypto/pubkey/
(those are backslashes on Windows, of course). The RSA key generation,
for example, is in ./pgpRSAKey.c.
You might also want to look at .../crypto/bignum and .../crypto/random/
while you're at it.
There is also high-level code in .../crypto/keys/pgpKeyMan.c for public
key generation.
Incidentally, none of the issues that lrk brought up (RSA key being
made from an "easy to factor" composite, a symmetric key that is a weak
key, etc.) are unique to PGP. This should be obvious, but I have to say
it.
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com