PGP and HMG

Jonathan Care jonc at lacunae.org
Sat, 5 May 2001 23:44:59 +0100


> > So, are you saying that PGP is not of 'government strength' then?
> Sounds like standard "not invented here" syndrome so beloved of government
> everywhere - they have internal, unpublished crypto which may or
> may not be
> more advanced than cap'n crunch decoder rings, but is obviously better than
> commercial systems since it is MORE SECRET ;)

This is, of course, a major flaw in relying heavily on obscuring the methods
used, and one that has been discussed extensively in this forum.

While it's true that for commercial, well-known systems the more ciphertext
one has, the more probable it is that a statistical analysis will be
successfully undertaken, it is certain that when the secrecy of a system is
considered to be a given constraint, then once that constraint is violated,
the whole architecture becomes unstable. The task of breaking that secrecy
then becomes a valuable objective of the opposing team.

Architectures such as PGP, using established, peer-reviewed systems within
them, do not normally make the assumption of secrecy of all the parts, only
of identifiers and authenticators such as the private key and associated
passwords; hence it is unlikely that having the algorithms and other
subsystems exposed to unfriendly eyes will create an insecurity.

I don't think it's quite the "not invented here" syndrome, but more the
acknowledgement of the fact that the infrastructure around which crypto is
used in HMG relies on a need-to-know clearance, and hence systems which are
developed for use within that infrastructure will carry forward the
assumptions made by the designers, shaped by the environment in which they
work.

With kind regards,
Jonathan Care,
T: +44 1428 601106
F: +44 1428 601105
M: +44 7775 938383
E: jonc@lacunae.org