Cryptography and the Open Source Security Debate
Jon Callas
jon at callas.org
Thu Aug 12 18:27:07 EDT 2004
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
> So, how many people on this list have actually looked at the PGP key
> generation code in any depth? Open source makes it possible for
> people to look for security holes, but it sure doesn't guarantee that
> anyone will do so, especially anyone who's at all good at it.
>

<http://www.pgp.com/products/sourcecode.html>

The relevant key generation code can be found in:

libs2/pgpsdk/priv/crypto/pubkey/

(those are backslashes on Windows, of course). The RSA key generation,
for example, is in ./pgpRSAKey.c.

You might also want to look at .../crypto/bignum and .../crypto/random/
while you're at it.

There is also high-level code in .../crypto/keys/pgpKeyMan.c for public
key generation.

Incidentally, none of the issues that lrk brought up (RSA key being
made from an "easy to factor" composite, a symmetric key that is a weak
key, etc.) are unique to PGP. This should be obvious, but I have to say
it.

Jon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com