General Security
The entire security of PGP rests on a single passphrase. It encrypts the private key, and the private key in turn creates all signatures and recovers the session keys of incoming encrypted messages. The matching public key is what others later use to verify those signatures, and hence the integrity of the signed files.
Since using PGP on a multiuser system is somewhat insecure in any case (on UNIX, at least, the superuser can in principle always read the memory of a running process), all sensitive data are overwritten by the burn() function immediately after use.
In the product documentation, Zimmermann points out that every system with virtual memory (essentially every real multitasking system, and Windows) can swap sensitive unencrypted data to disk. After the program exits or aborts, the private key may be found in the swap area in unencrypted form. The problem can be solved by a better security model in the operating system, or by disabling or encrypting the swap. A number of security models are available for UNIX in which the superuser is not almighty (SELinux is probably the best-known example). That is the only reliable way, because a malicious or cunning administrator can run a daemon that automatically analyzes users' PGP sessions. If you have to assume that a superuser may be malicious, all you can do is check whether one is logged in during your PGP session (mind you, that is not easy, and it is not covered here). 100 % security can never be achieved, if only because reading the swap area can hardly be prevented. But 95 % security is better than 30 % security.
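The two points above, burn() and the swap problem, in one added Python example that is not PGP's code: a decrypted key is kept in a mutable bytearray so it can be overwritten in place, its pages are pinned with mlock() through ctypes (best effort, POSIX only) so they are never written to swap, and the buffer is burned before the lock is released. The names burn, pin_in_ram, unpin, use_secret and fingerprint, and the 32-byte SAMPLE_SECRET, are assumptions of this illustration; a SHA-256 over the key stands in for the RSA operation.

```python
import ctypes
import ctypes.util
import hashlib

# Constructed stand-in for a decrypted private key; not a real key.
SAMPLE_SECRET = bytes(range(32))

# libc handle for mlock()/munlock(); None if it cannot be loaded (then
# pinning is simply reported as unavailable and the rest still works).
try:
    _LIBC = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    _LIBC.mlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    _LIBC.munlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
except (OSError, AttributeError, TypeError):
    _LIBC = None


def _address(buf):
    """Raw address of a bytearray's storage; the ctypes view is a temporary,
    so the buffer export it holds is released as soon as this returns."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def pin_in_ram(buf):
    """Best-effort mlock(): keep the buffer's pages out of swap.
    Returns True only if the kernel accepted the lock."""
    if _LIBC is None or len(buf) == 0:
        return False
    return _LIBC.mlock(_address(buf), len(buf)) == 0


def unpin(buf):
    """Release an mlock() taken by pin_in_ram(); call only after burning."""
    if _LIBC is not None and len(buf):
        _LIBC.munlock(_address(buf), len(buf))


def burn(buf):
    """Overwrite a mutable buffer in place. Immutable bytes objects cannot be
    wiped, so they are refused rather than silently left behind."""
    if not isinstance(buf, bytearray):
        raise TypeError("burn() needs a bytearray; bytes objects cannot be wiped")
    if buf:
        ctypes.memset(_address(buf), 0, len(buf))


def is_burned(buf):
    """True if every byte of the buffer is zero."""
    return not any(buf)


def fingerprint(secret):
    """Stand-in for the private-key operation. hashlib reads the bytearray
    through the buffer protocol, so no immutable copy of the key is made."""
    return hashlib.sha256(secret).hexdigest()


def use_secret(secret=SAMPLE_SECRET):
    """Lifecycle of a decrypted key: copy into a pinned bytearray, use it,
    burn it, then release the lock. Returns (result, burned, was_pinned).
    In real use the key would be decrypted straight into the bytearray;
    the `secret` argument here is the one copy this demo cannot wipe."""
    buf = bytearray(secret)
    pinned = pin_in_ram(buf)
    try:
        result = fingerprint(buf)
    finally:
        burn(buf)            # wipe first, so the page is never unpinned while hot
        if pinned:
            unpin(buf)
    return result, is_burned(buf), pinned


if __name__ == "__main__":
    result, burned, pinned = use_secret()
    print("result:", result)
    print("burned:", burned, "pinned:", pinned)
```

The check worth keeping in mind is the one the passage makes about 95 % versus 100 %: even with the buffer pinned and burned, the interpreter can still leave copies behind (every `bytes(buf)` or slice is an unwipeable object), so the pattern reduces exposure rather than eliminating it, and mlock() can be refused under a memory-lock limit, which is why use_secret() reports whether pinning actually took effect.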
Generating Randomness
PGP puts a lot of effort into generating secure randomness when searching for large prime numbers. It uses a fairly reliable method: the user has to type random keystrokes until the program announces that it has enough. It then derives randomness from the time intervals between the keystrokes, together with the computer's internal clock and the codes of the keys pressed. This is done by XORing the byte sequence into parts of a 'random buffer' and then 'encrypting' that part with MD5 in CFB mode; PGP uses random numbers it already has for this last operation. A closer look at the functions randPoolAddBytes() and randPoolStir() in randpool.c, and at the comment at the beginning of random.c, shows how much effort and care went into the program (these parts were presumably implemented by Colin Plumb). That much care is required;
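The pool mechanism described above, as an added Python example that is a simplified reconstruction and not the code from randpool.c: keystroke intervals, clock readings and key codes are packed into bytes, XORed into a pool, and the pool is stirred with MD5 in CFB mode, chained from the pool's previous contents. The class RandPool, the functions keystroke_bytes and seed_from_keystrokes, the 64-byte pool size and the constructed SAMPLE_KEYSTROKES log are assumptions of this illustration.

```python
import hashlib
import struct

POOL_SIZE = 64   # bytes; four MD5-sized blocks (assumed size, not PGP's)
BLOCK = 16       # MD5 digest length, the unit the pool is stirred in


class RandPool:
    """Simplified reconstruction of the random pool described in the text:
    input is XORed into the pool, and the pool is 'encrypted' with MD5 in
    CFB mode so that every byte depends on every byte before it."""

    def __init__(self):
        self.pool = bytearray(POOL_SIZE)
        self.pos = 0                 # where the next input byte is XORed in
        self.chain = bytes(BLOCK)    # CFB feedback block carried between stirs

    def add_bytes(self, data):
        """XOR new entropy into the pool; stir whenever the pool wraps around."""
        for b in data:
            self.pool[self.pos] ^= b
            self.pos += 1
            if self.pos == POOL_SIZE:
                self.pos = 0
                self.stir()

    def stir(self):
        """MD5 in CFB mode: block_i ^= MD5(chain); chain = block_i.
        The chain starts from the last block of the previous stir, so the
        randomness already in the pool keys the mixing of the new input."""
        prev = self.chain
        for i in range(0, POOL_SIZE, BLOCK):
            keystream = hashlib.md5(prev).digest()
            mixed = bytes(p ^ k for p, k in zip(self.pool[i:i + BLOCK], keystream))
            self.pool[i:i + BLOCK] = mixed
            prev = mixed
        self.chain = prev

    def get_bytes(self, n):
        """Hand out up to POOL_SIZE bytes, stirring before and after so the
        bytes given out cannot be read back out of the pool afterwards."""
        if not 0 < n <= POOL_SIZE:
            raise ValueError("request must be 1..POOL_SIZE bytes")
        self.stir()
        out = bytes(self.pool[:n])
        self.stir()
        return out


def keystroke_bytes(events):
    """Turn (time_us, keycode) pairs into pool input: the interval to the
    previous keystroke (its low bits carry the unpredictability), the clock
    reading and the key code, as the text describes. 7 bytes per keystroke."""
    out = bytearray()
    for (t_prev, _), (t, key) in zip(events, events[1:]):
        out += struct.pack("<HIB", (t - t_prev) & 0xFFFF, t & 0xFFFFFFFF, key & 0xFF)
    return bytes(out)


# Constructed keystroke log (microsecond timestamps, key codes); not real data.
SAMPLE_KEYSTROKES = [
    (1_000_000, 0x61), (1_183_412, 0x6A), (1_291_077, 0x20),
    (1_402_358, 0x78), (1_495_901, 0x71),
]


def seed_from_keystrokes(events):
    """Build a pool seeded only from the given keystroke log."""
    pool = RandPool()
    pool.add_bytes(keystroke_bytes(events))
    return pool


if __name__ == "__main__":
    print(seed_from_keystrokes(SAMPLE_KEYSTROKES).get_bytes(16).hex())
```

MD5 is used because it is what the text describes; a pool written today would use SHA-256 or a standard DRBG construction. The stir is a mixing step, not a source of randomness: the output is exactly as unpredictable as the input fed in, which is why the timing intervals matter far more than the key codes, and why the program keeps asking for keystrokes until it has collected enough.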