Cryptography and the Open Source Security Debate

Jon Callas
Thu Aug 12 18:27:07 EDT 2004

On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:

> So, how many people on this list have actually looked at the PGP key 
> generation code in any depth?  Open source makes it possible for 
> people to look for security holes, but it sure doesn't guarantee that 
> anyone will do so, especially anyone who's at all good at it.


The relevant key generation code can be found in:


(those are backslashes on Windows, of course). The RSA key generation, 
for example, is in ./pgpRSAKey.c.

You might also want to look at .../crypto/bignum and .../crypto/random/ 
while you're at it.

There is also high-level code in .../crypto/keys/pgpKeyMan.c for public 
key generation.

Incidentally, none of the issues that lrk brought up (RSA key being 
made from an "easy to factor" composite, a symmetric key that is a weak 
key, etc.) are unique to PGP. This should be obvious, but I have to say 
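Added illustration, not part of the original post and not PGP's code: the two failure modes lrk raised and Jon refers to above (an RSA modulus built from an easy-to-factor composite, and a symmetric key that happens to be a weak key) are the sort of thing a reviewer of any key-generation code would test for after the fact. The checks below are generic: primality of p and q, p != q, e coprime to phi(n), a quick Fermat-method factoring attempt that succeeds whenever p and q are too close together, and a lookup against the four well-known DES weak keys (the twelve semi-weak keys are deliberately left out to keep the table short). All primes and keys used are constructed for the example.

```python
"""Post-generation sanity checks for RSA and DES key material.

Added example, not taken from PGP or any other project. The function
names, the 100000-step Fermat budget and every test value are
assumptions made for this illustration.
"""
import math
import random

# The four classic DES weak keys (each encrypts twice to the identity).
# Semi-weak keys are not listed here.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def is_weak_des_key(key: bytes) -> bool:
    """True if an 8-byte DES key is one of the known weak keys."""
    return key in DES_WEAK_KEYS


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with trial division by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed keeps the demo deterministic
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def fermat_factor(n: int, max_steps: int = 100000):
    """Fermat's method: n = a^2 - b^2 = (a-b)(a+b).

    Finds p and q quickly whenever they are close together, which is
    exactly the 'easy to factor composite' a key generator must avoid.
    Returns (p, q) on success, None if the step budget runs out.
    """
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def check_rsa_key(p: int, q: int, e: int) -> list:
    """Return a list of problems found; an empty list means the checks pass."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if p == q:
        problems.append("p == q")
    n = p * q
    if math.gcd(e, (p - 1) * (q - 1)) != 1:
        problems.append("e not coprime to phi(n)")
    if fermat_factor(n) is not None:
        problems.append("n factors with Fermat's method")
    return problems


if __name__ == "__main__":
    # Constructed sample: two Mersenne primes far apart (should pass),
    # then two neighbouring primes (Fermat splits n at once).
    print(check_rsa_key(2**89 - 1, 2**107 - 1, 65537))
    print(check_rsa_key(1000003, 1000033, 65537))
    print(is_weak_des_key(bytes.fromhex("0101010101010101")))
```

The Fermat check is a cheap proxy for one specific weakness (|p - q| small), not a general factoring test; a real review would also look at where the random bits for p and q come from, which is why the thread points at .../crypto/random/ as well.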


The Cryptography Mailing List