Version 2.6 had an error in the XOR operation mentioned above, which weakened the randomness.
The wild keystrokes mentioned above are needed only once. In all subsequent
uses, PGP securely falls back on the 'old randomness' — more about this in the
section about the session keys.
Generating Prime Numbers
PGP initially uses these random bits to generate large prime numbers by statistical tests, as usual. The random bits determine the position where searching for prime numbers should begin. However, rather than using the very effective Rabin-Miller method (see Section 4.5.3), it uses simple tests for Fermat's little theorem, i.e., it checks whether or not, for the tentative prime number p, the congruence $a^{p-1} \equiv 1 \bmod p$ holds for a sufficiently large set of numbers a (slowtest() function in genprime.c). Before that, PGP checks for divisibility by all prime numbers smaller than 8192 ($2^{13}$) (fastsieve() function in genprime.c), and then runs the Fermat test five times. Outputs in the form of

...................++++.........+++...........+++++

appear during these tests, where each dot denotes a failed attempt in fastsieve(), and each + sign denotes a Fermat test passed in slowtest().
Creating RSA Key Pairs
The program takes the two prime numbers, p and q, created above to compute the modulus n = pq and searches for an exponent, e, for the public key. This exponent has to have at least 5 bits, i.e., it has to be at least equal to 17, but it may be longer. This means that no attack against RSA with a small exponent can be mounted (in addition, RSA is applied only to random numbers or hash values, respectively).
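The two steps just described, the sieve-then-Fermat prime search with its dot/plus progress log and the RSA key construction with an exponent of at least 17, are illustrated below in one added Python example. This is not PGP's genprime.c; the function names fast_sieve, slow_test, find_prime, choose_exponent and make_rsa_keypair are assumed here, secrets.randbits stands in for PGP's keystroke-derived random bits, and the exponent rule (smallest odd e ≥ 17 coprime to φ(n)) is one reading of "at least 17, but may be longer".

```python
import math
import secrets

SIEVE_LIMIT = 8192   # page: trial division by all primes below 8192 (2^13)
FERMAT_ROUNDS = 5    # page: the Fermat test is run five times


def small_primes(limit: int) -> list:
    """Sieve of Eratosthenes: every prime below `limit`."""
    flags = bytearray([1]) * limit
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


SMALL_PRIMES = small_primes(SIEVE_LIMIT)


def fast_sieve(n: int) -> bool:
    """Cheap pre-filter (stand-in for fastsieve()): reject n if a prime < 8192 divides it."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p          # a small prime itself is still prime
    return True


def slow_test(n: int, rounds: int = FERMAT_ROUNDS, log=None) -> bool:
    """Fermat test (stand-in for slowtest()): a^(n-1) == 1 (mod n) for `rounds` random bases.
    Note this is weaker than Rabin-Miller: Carmichael numbers fool it for every coprime base."""
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # 2 <= a <= n - 2
        if pow(a, n - 1, n) != 1:
            return False
        if log is not None:
            log.append('+')                    # one '+' per passed Fermat round
    return True


def find_prime(start: int, log: list) -> int:
    """Search upward from `start` (the position the random bits chose) for a candidate
    that survives the sieve and five Fermat rounds, logging '.' per sieve rejection."""
    n = start | 1                              # only odd candidates
    while True:
        if not fast_sieve(n):
            log.append('.')
        elif slow_test(n, log=log):
            return n
        n += 2


def choose_exponent(phi: int, minimum: int = 17) -> int:
    """Smallest odd e >= 17 (at least 5 bits, per the page) with gcd(e, phi) == 1.
    Assumed selection rule, not PGP's exact one."""
    e = minimum | 1
    while math.gcd(e, phi) != 1:
        e += 2
    return e


def make_rsa_keypair(bits: int) -> dict:
    """Build an RSA key pair of roughly `bits` bits from constructed randomness."""
    log = []
    half = bits // 2
    p = find_prime(secrets.randbits(half) | (1 << (half - 1)), log)
    q = p
    while q == p:                               # p == q would make n = p^2 trivially factorable
        q = find_prime(secrets.randbits(half) | (1 << (half - 1)), log)
    n = p * q
    phi = (p - 1) * (q - 1)
    e = choose_exponent(phi)
    d = pow(e, -1, phi)                         # private exponent: e*d == 1 (mod phi)
    return {'n': n, 'e': e, 'd': d, 'p': p, 'q': q, 'log': ''.join(log)}


if __name__ == '__main__':
    key = make_rsa_keypair(512)
    print(key['log'])                           # dots and pluses, as on the page
    print('e =', key['e'], 'bits(n) =', key['n'].bit_length())
```

Running the script prints the progress string followed by the chosen exponent; because every candidate is first run through the sieve, almost all log entries are dots, and a run of five pluses marks each accepted prime.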
Generating Session Keys
The session keys and the initialization vector (IV) are generated based on the
information in the random.c file and ANSI standard X9.17 (see Section 5.1.4),
however with some slight modifications. The randseed.bin file is used as 'secret
corner', where this data is 'washed' before and after each use (see comments
on 'prewash' and 'postwash' in random.c ):
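For reference, the following added example implements the unmodified ANSI X9.17 state update that the page says PGP's session-key generator is based on (T = E(DT), R = E(T ⊕ V), V' = E(T ⊕ R)). It is not PGP's random.c and does not reproduce the prewash/postwash handling of randseed.bin; the class name X917Generator is assumed, and HMAC-SHA256 truncated to 8 bytes is substituted for the block-cipher encryption the standard uses, so the structure is shown without pulling in a cipher library.

```python
import hashlib
import hmac
import struct
import time


class X917Generator:
    """Textbook X9.17 generator. Secret state V is updated after every output block and is
    never emitted, which is what keeps earlier outputs from revealing later ones."""
    BLOCK = 8   # X9.17 works on 64-bit blocks

    def __init__(self, key: bytes, seed: bytes):
        if len(seed) != self.BLOCK:
            raise ValueError('seed must be one block')
        self.key = key
        self.v = seed            # secret state (PGP keeps its equivalent in randseed.bin)

    def _enc(self, block: bytes) -> bytes:
        # Stand-in for E_K(block): keyed PRF truncated to one block width.
        return hmac.new(self.key, block, hashlib.sha256).digest()[:self.BLOCK]

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def next_block(self, timestamp: bytes) -> bytes:
        t = self._enc(timestamp)                   # T  = E(DT)
        r = self._enc(self._xor(t, self.v))        # R  = E(T xor V)  -> output
        self.v = self._enc(self._xor(t, r))        # V' = E(T xor R)  -> new secret state
        return r

    def session_key_and_iv(self, key_len: int, iv_len: int, clock=time.time_ns):
        """Concatenate output blocks until a session key and an IV can be cut from them."""
        out = b''
        while len(out) < key_len + iv_len:
            out += self.next_block(struct.pack('>Q', clock()))
        return out[:key_len], out[key_len:key_len + iv_len]


def demo(clock):
    """Constructed key and seed, fixed clock: returns (key, iv, state_after) for checking."""
    gen = X917Generator(key=b'constructed-demo-key', seed=b'\x01' * 8)
    key, iv = gen.session_key_and_iv(16, 8, clock=clock)
    return key, iv, gen.v
```

The timestamp is the only public input; with the same key, seed and clock the sequence is reproducible, which is exactly why the key and the state V must stay secret and, in PGP's case, why the file holding them is washed before and after use.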