[4280] in bugtraq
Re: PGP Distributed Attack
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Apr 14 16:06:59 1997
Date: Mon, 14 Apr 1997 12:38:26 -0400
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@PIERMONT.COM>
X-To: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 14 Apr 1997 02:32:37 CDT."
<Pine.SUN.3.94.970414022852.21437A-100000@dfw.dfw.net>
Aleph One writes:
> CYBERSPACE, 31 March 1997 - This is to announce the first truly
> distributed attack on the popular PGP encryption/authentication program.
> In 24 hours, users all across cyberspace can assist in 'factoring'
> a 1024-bits PGP public key, using a Java applet specially written by
> a team of 'cypherpunks'.
This is nearly an april fools joke.
1) The largest key thus cracked is perhaps one third that
size. Factoring is an *exponential problem* in the size of the
number being factored. Cracking a 1024 bit key right now would
require far more compute power than is conceivably available.
2) Java is insanely slow. Previous cracks used highly tuned C
code. Running the crack in Java would make it nearly impossible to
achieve the stated result.
> Some background information: a PGP key is considered unbreakable because
> it consists of a product of two very large prime numbers. The only way
> to 'crack' the key is to find the two prime numbers. This applet does
> exactly that. Each user who downloads the applet also is assigned a
> range of numbers to try. If at least 144,000 users download the applet,
> and run it for 24 hours on a computer at least as powerful as a 486,
> the entire keyspace will be searched.
These numbers sound wildly inaccurate to me.
Perry
