By Anubis and Cyber Seduction
Distribution
August 31 2001 at 10:09 AM
Anubis
Breaking PGP
When I hear people talk about the unbreakable qualities of
PGP's RSA encryption scheme I tend to hear the statistic that
a PGP encrypted document would take 100 years to crack on a modern
supercomputer. Thus, barring quantum computer breakthroughs,
a PGP encrypted document should be unbreakable.
Most of you have heard of SETI@Home. The basic concept is
that you download a fancy screensaver that downloads and processes
SETI information in its spare time. It's called distributed computing
and by dividing up a computing task among thousands of hosts,
SETI could gain the power of a supercomputer without paying for
one. The SETI network was far more popular than the people who
made it expected; SETI is reporting that they now get seventy-five
hours of supercomputer time for every hour on their distributed
network. I hope you can see where I am going with this. If SETI's
network could be put to use breaking PGP codes, a code that would
have taken 100 years to break on a supercomputer would only take
2 years to break on SETI's network, a long time still, but well
within the patience of many organizations. Of course SETI's network
was not designed to break encrypted documents. There is a program
called distributed.net to crack 56-bit keys but it does not
have nearly enough hosts to tackle the 2048 bit keys that most
PGP users use. It is unlikely that consumers would download a
screensaver designed to break their encrypted documents. So you
cannot break PGP with a distributed program.
A virus, however...
Take a look at how much of a problem people are having getting
rid of the Code Red virus. Code Red infects users' computers not
to destroy them but to use them as pawns in a denial of service
attack of other webservers. If a virus were written that would
use a user's computer as an unwilling part in a distributed network
for breaking PGP it could spread to far more machines than SETI's
screensaver. With more machines the time needed to break an encrypted
document could become significantly less. And PGP would be broken.
Cyber Seduction
Process
August 31 2001, 11:25 AM
I am reminded of a statement made by a famous celebrity..."Hard
to see the Dark Side is."
I am less worried about the potential ability to use many
computers as sort of a "Poor Man's Supercomputer" and
more worried that we would never see it coming. By that I mean
that many computers could be used to break PGP encryption but,
as Anubis stated, it would take either MANY willing partners.
The potentiality of this happening doesn't bother me because
of the fact that it would take willing partners and I doubt seriously
that there would be many people that would want to contribute
to such an intrusive act. So, as such, I do not fear this happening.
Anubis also brought attention to the fact that a virus could
conceivably have the same desired result. This, I fear. In my
agreement to this point, I have to first touch on the ineptitude
of many companies to adequately protect themselves against hackers
and/or viruses. That being said, if one were to inject a virus
into a large company, you could potentially infect every computer
on their network. Now of these, let's say 5,000 computers, you
could project the virus to stay active on 50% of the computers.
This could be done by making the virus benign...just program
it to work and hide. With no malicious activity, the average
computer user would be none the wiser that their computer was
infected. For the purposes of this post let's say that every company
has 5,000 computers. Now, based on these ideas, a good hacker
could place this virus in hundreds of companies that, using the
projected outcomes above, would yield hundreds of thousands of
computers that could be used to decrypt hundreds of PGP messages
at a time.
On another note, I don't even want to think about the potential
ramifications of someone using said computers to decrypt a passcode.
Using the same method to retrieve passcodes instead of messages,
each passcode could open hundreds of messages in its lifetime.
There would be a domino effect that would increase exponentially.
And then the most important messages would be broadcast by hacking
into a network...during the Super Bowl. Can we say Civil War II?
Anubis
Crypto
August 31 2001, 7:25 PM
Well if someone is at the point where they are trying to break
your passcode, the encryption is as good as broken. Since the
passcode is anything but random, it is not that hard for a skilled
cryptographer to break with modern-day computer hardware. The
passphrase is just the last line of defense protecting the real
password, the private key. Since the private key is huge, 2048
bits long if you use PGP's default values, and is generated from
true random data gathered through biometric input, it is much
much harder to break, so hard that many people consider it impossible.
Just having the public key for a message can make it easier to
decrypt since it can be used to eliminate many possibilities from
a brute force attack or to generate source material for decryption.
That is why I use a different keyset for encrypting files than
for encrypting posts, and keep that keyset stored in a location
off my hard drive. PGP is like any other password system in that
the weakest link is the user. If you can break the user then
you can break the system.
Cyber Seduction
I do have a point
August 31 2001, 10:52 PM
Yes, I agree with your last post completely but my point still
stands about non-passcode issues. There is the potential for
a skilled computer user, call them a hacker if you will, to use
hundreds of thousands of computers in a code breaking network...2048
or not. My point was simply to point out that the flaws of most
computer-enhanced enterprises can be used as the entry point
for a hacker-created virus that is programmed to use the computer
in a code breaking operation.
Anubis
Distributed.net
September 1 2001, 9:11 AM
I downloaded distributed.net to see what they were using to
compel people to join their network. It is not flashy like the
SETI screensaver so to motivate people they offer a 10,000 prize
to the users who break a key.