Stuart Tares | 1 Sep 2005 21:48

Re: thoughts on sha-1


Anthony G. Atkielski said the following on 01/09/2005 11:29:

> 
> But nobody has actually reviewed the code.  

How can you say that no one has reviewed it?  Do you have a direct
contact with PGP Corp that will tell you who has access to the source
code or who has signed a mutual non-disclosure?  I guess not; therefore
you cannot make that statement.

> And you're not allowed to compile the source code and use that as
> your copy of PGP; you must use only the pre-compiled executable.
> Hmm.

As I said, there are constraints.  Also, you are trusting any computer
program manufacturer when you use a pre-compiled binary.  Do you trust
Microsoft, Apple, etc. not to put back doors in?

> And I suspect nobody has reviewed GnuPG, either, although I'd trust it
> more than PGP.

I personally know of three people who have gone through the source code
of GnuPG 1.40 and checked it out.  So again, this is an invalid
statement.  If you think that no one has reviewed it, why do you trust
it more (and do you take a pre-compiled binary or compile your own?)

> Only if someone actually takes the time to review the code, which
> nobody has done.  Just having source doesn't make it safe; you have to
> look at the code.

As I said, even having the source code may not help you that much.  Have
a look at http://www.acm.org/classics/sep95/ where Ken Thompson (one of
the founding fathers of Unix) says "The moral is obvious. You
can't trust code that you did not totally create yourself. (Especially
code from companies that employ people like me.) No amount of
source-level verification or scrutiny will protect you from using
untrusted code."

You have to look at the type of people who are writing the programs and
make a judgment about it.  Would I trust PRZ, Will Price or Werner Koch
if they were to say that there are no backdoors?  Based on their
reputations and history within the (Open)PGP community *AND* other
friends and colleagues who have reviewed the code, then yes.

> I have no doubt that it is much easier to compromise both GnuPG and
> PGP in other ways.  The algorithm is the last thing you'd attack.

There are a lot easier attacks on any type of encryption (rubber hose,
keylogger, using a pretty (wo)man, etc.) but they will probably be noticed
at some stage.

The algorithm may be the last thing that you attack but it is a known
attack.  You know that burglars break into houses and cars and you
defend against this (or I would hope that you do), so why would you not
defend against this known attack (which will get better)?  Remember that
a digital signature is supposed to provide non-repudiation.  The SHA-1
attack allows the possibility that this is removed.

--
Stuart Tares
List Moderator | GnuPG v1.4.1 | PGP 8.0.3
Thunderbird 1.0.6 | Enigmail 0.92.0.0
My OpenPGP Key: http://www.biglumber.com/x/web?qs=0xD56109E630C8CCF6
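The following is an added example, not part of Stuart's post and not code from GnuPG or PGP. It shows concretely why a collision in the hash removes non-repudiation from a signature: a signature is computed over H(m), so two documents with the same hash carry the same valid signature, and the signer can no longer prove which one they agreed to. A real SHA-1 collision is out of reach for a quick script, so SHA-1 truncated to 24 bits stands in for a broken hash (an assumption of the example), the textbook RSA key with primes 10007 and 10009 is deliberately tiny, and the two contract texts and the "revision" padding are constructed here. As with the 2005 collision attack, the attacker prepares both documents and only needs the victim to sign the harmless-looking one.

```python
import hashlib

# Toy textbook RSA key. Constructed for the example: these primes are tiny and
# the key is trivially breakable; the weakness under study is the hash, not RSA.
P, Q = 10007, 10009
N = P * Q                                  # 100160063 > 2**24, so any digest fits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

HASH_BYTES = 3  # assumption: a 24-bit truncation of SHA-1 plays the "broken hash"

# Constructed sample documents; the attacker writes both.
BENIGN = b"I agree to pay 100 EUR for the listed goods."
MALICIOUS = b"I agree to pay 100000 EUR for the listed goods."


def weak_hash(msg: bytes) -> int:
    """SHA-1 truncated to HASH_BYTES bytes, returned as an integer below N."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:HASH_BYTES], "big")


def sign(msg: bytes) -> int:
    """Signature depends only on the hash of the message, as in real schemes."""
    return pow(weak_hash(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == weak_hash(msg)


def find_collision(benign_base: bytes, malicious_base: bytes, tries: int = 1 << 15):
    """Birthday search over invisible variations (a trailing 'revision' comment)
    of each document until one variant of each has the same weak hash.
    With 2**15 variants per side and a 24-bit hash the expected number of
    matching pairs is about 64, so the search practically always succeeds."""
    seen = {}
    for i in range(tries):
        m = benign_base + b"\n# revision %d\n" % i
        seen[weak_hash(m)] = m
    for i in range(tries):
        m = malicious_base + b"\n# revision %d\n" % i
        h = weak_hash(m)
        if h in seen:
            return seen[h], m
    return None


def full_sha1_differs(a: bytes, b: bytes) -> bool:
    """True when the untruncated SHA-1 digests differ (the documents really are distinct)."""
    return hashlib.sha1(a).digest() != hashlib.sha1(b).digest()


def forgery_demo():
    """Victim signs only the benign variant; the attacker later presents the
    malicious variant with the very same signature, and it verifies."""
    pair = find_collision(BENIGN, MALICIOUS)
    if pair is None:
        raise RuntimeError("no collision found; increase tries")
    benign, malicious = pair
    sig = sign(benign)  # the signer only ever saw the benign document
    return benign, malicious, sig, verify(benign, sig), verify(malicious, sig)


if __name__ == "__main__":
    benign, malicious, sig, ok_benign, ok_malicious = forgery_demo()
    print("signed:   ", benign.decode())
    print("presented:", malicious.decode())
    print("signature verifies on signed document:   ", ok_benign)
    print("signature verifies on presented document:", ok_malicious)
```

With a real hash the second verification would fail because the attacker cannot find two documents with the same digest; once collisions are findable, the signature no longer binds the signer to one specific text, which is exactly the non-repudiation property the post says is at risk. Note that the attacker must control both documents before signing, which is why "sign only what you wrote yourself, in a format with no hidden slack" is the usual mitigation while a stronger hash is rolled out.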