Xref: sparky sci.crypt:6464 alt.security.pgp:462
Newsgroups: sci.crypt,alt.security.pgp
Path: sparky!uunet!noc.near.net!lynx!mkagalen
From: mkag...@lynx.dac.northeastern.edu (michael kagalenko)
Subject: discussion desired
Message-ID: <1993Jan7.002820.3579@lynx.dac.northeastern.edu>
Organization: Northeastern University, Boston, MA. 02115, USA
Date: Thu, 7 Jan 1993 00:28:20 GMT
Lines: 127

I'd greatly appreciate your enlightened opinions on the following article.
(disclaimer: I have no qualification in the Great Science of
Cryptology(tm); I'm just posting someone's e-mail)




  About using the electronic signature for protection of
  commercial information:

  The analysis of PGP ver.2.0 program.


   ---------------------------------------------------------------------



     THE MOSCOW STATE UNIVERSITY named after M.V. Lomonosov
   ______________________________________________________________


        THE MATHEMATICAL CRYPTOGRAPHY PROBLEMS LABORATORY




    The MSU mathematical cryptography problems laboratory
employees, with some additional specialists, have executed the
preliminary analysis of PGP ver.2.0 program.

    The preliminary study of working and program source code
analysis resulted in the following PGP features and problems:


    1. The common character problems


    - the sequence of random numbers has strong prevalences on
bytes (up to 0.05 ... 0.1 on material of 10000 bytes) and strong
correlation dependence between contiguous bytes;

    - the program doesn't check its own integrity, so it can be
infected by a "virus" which intercepts confidential keys and
passwords used for their protection and saves them onto magnetic
carriers;

    - the program has a non-optimal exponentiation algorithm in the
GF(P) field, where P is a prime number, which results in low
performance;


    2. The RSA algorithm realization problems


    - the prime numbers reception used in this program (R and q
in RSA algorithm) permits reducing the labour-intensiveness of
factorization by not less than two orders; with 256 bit blocks
of data length it is possible to execute the cryptanalysis in
real time;

    - before using RSA the program executes compression and block
encryption, which positively affects the common encryption
stability.


    3. The electronic signature problems


    - for signature calculation the program originally executes
hashing of the file into a number of given length (256, 512 or 1024 bit),
but the hashing function does not correspond to the ISO recommendations;

    - when considering the hashing function as an automatic device
without output, it is simple enough to construct the image of the
reverse automatic device and, using the blanks in text files (or
free fields in some standard formats, as in DBF), to compensate
the hashing function of the changed file to its former
significance.

    Thus, it is possible to forge the electronic signature
without analysis of the RSA algorithm.


    4. The block encryption algorithm problems


    - when executing analysis on plaintext and ciphertext, linear
correlation dependences with the encryption key were found
(0.01 and more degree);

    - also an effective method of decreasing security, which
reduces the order of time necessary for key definition by two
times in comparison with exhaustive search of all keys (i.e. the
algorithm has labour-intensiveness equal to the square root of
the labour-intensiveness of the exhaustive search algorithm),
has been found.


    The conclusions:


    It is recommended to use encryption with 1024 bit key length.

    The use of the electronic signature is not recommended and
    requires additional study.

    The block encryption algorithm has temporary stability.

    The hashing function should be brought into conformity with ISO
    recommendations.

    The use of the PGP program in its actual version is undesired.




                       The MSU mathematical cryptography
                       problems Laboratory Manager
                       Academician

                          Dr. Sidelnikov V.M.

==END
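
Added example, not part of the forwarded report and not PGP code: one way to test a 10000-byte-scale generator sample for the two properties named in item 1, byte-value bias and dependence between contiguous bytes. The report does not define its measure, so the chi-square statistic, the lag-1 Pearson correlation and the 4-sigma limits are assumptions, and both samples are constructed.

```python
import hashlib
import math

def byte_chi2(data: bytes) -> float:
    """Pearson chi-square of byte-value counts against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def lag1_correlation(data: bytes) -> float:
    """Pearson correlation between each byte and the byte that follows it."""
    x, y = data[:-1], data[1:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 1.0  # constant stream: treat as fully dependent
    return cov / math.sqrt(vx * vy)

def assess(data: bytes) -> dict:
    """Flag a sample whose statistics sit more than 4 sigma from the ideal."""
    chi2, r = byte_chi2(data), lag1_correlation(data)
    # chi-square with 255 degrees of freedom: mean 255, variance 510
    chi2_limit = 255 + 4 * math.sqrt(2 * 255)
    # for independent bytes r is roughly normal with std dev 1/sqrt(n)
    r_limit = 4 / math.sqrt(len(data))
    return {"chi2": chi2, "lag1": r,
            "biased": chi2 > chi2_limit, "correlated": abs(r) > r_limit}

def sha256_stream(n: int) -> bytes:
    """Constructed reference sample: SHA-256 over a counter (not PGP's generator)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def counter_stream(n: int) -> bytes:
    """Constructed bad sample: 0..255 repeated; flat histogram, dependent bytes."""
    return bytes(i % 256 for i in range(n))

if __name__ == "__main__":
    for name, sample in (("sha256", sha256_stream(10240)),
                         ("counter", counter_stream(10240))):
        print(name, assess(sample))
```

The counter sample shows why the two checks are separate: its byte histogram is perfectly flat, yet each byte is fully determined by the one before it.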