RSA in programs that can be legally exported from the US (e.g. exportable versions of Netscape) has a "hole" in the sense that the key length is required by law to be short enough (56 bits, I believe) that major governments can find the key by brute force. (That is not a flaw in the algorithm, though...). PGP (Pretty Good Privacy) is currently based on RSA, current versions developed outside the US by software geek types and academic crypto types, supported 1024-bit "military" grade keys in version 2.6, and may by now support so-called "alien"-grade 2048-bit keys. Can't get too paranoid about who might be reading your stuff. The odds that RSA contains "holes" inserted deliberately to satisfy US spooks are pretty low... unless the RSA algorithm itself has some flaw, inserted deliberately by Rivest, Shamir, and Adleman at the behest of the National Security Agency, before publication. I doubt this, although it is not utterly inconceivable.
Less inconceivable is that the NSA actually knows how to factor large numbers in polynomial time on a classical computer (generally believed, but not proved, impossible), in which case RSA is totally insecure, but they are not telling. That wouldn't really be a "deliberately inserted hole" in RSA, though. The whole scheme would be worthless. You could check this by seeing the degree to which genuinely sensitive US government communications are encrypted using RSA, if at all; probably the government would not let it be used if NSA could crack it that easily, since others too might have figured out how. On the other hand, maybe they don't but it looks like they do...
The TecSec site was somewhat interesting, seems their product is a key management system, some of the products involving smart-cards, rather than a complete cryptosystem, but I'm not sure yet; they may supply algorithms with the key management programs, or perhaps the programs manage keys for use with external algorithms. Would seem to need some crypto in the programs themselves, though! I was a tad disappointed by the lack of details, at the website, on what was involved as far as the crypto algorithms used. Will look into it a bit more.
<"The man I never met"> -G- sounds like he may have been a bit kooky, which doesn't preclude his also being a genius. If TecSec was supposed to be the best, was his program "the best"? If so, presumably he meant outside the major governmental crypto agencies. Unless he was inside one of them, in which case he is certifiable on the basis of his conversations with you.
Are lawyers involved with your money, or his crypto? If the latter, well that seems to be par for the course. If the former, I'm sorry to hear it.
Take care,
HB