Extract numbers from a key

vedaal at nym.hush.com vedaal at nym.hush.com
Thu Aug 4 16:14:55 CEST 2011


>Date: Wed, 03 Aug 2011 12:43:17 +0200
>From: S?bastien <tigresetdragons at yahoo.fr>
>Cc: gnupg-users at gnupg.org
>Subject: Re: Extract numbers from a key
>Message-ID: <4E392645.2020208 at yahoo.fr>
>Content-Type: text/plain; charset=UTF-8; format=flowed

>I know that gpg is an hybrid system.
>I want to know these numbers to check with a mathematica-like 
>program 
>that numbers supposed to be primes are actually real prime 
>numbers.
-----
>I tried with pgpdump but it doesn't work anymore because numbers 
in 
>secret keys are encrypted.
>Is there any way to decrypt these numbers in the secret key?


Remove the password and then check it in pgpdump
but NOT over the internet ;-)

Download the sourcecode and compile pgpdump on your computer and 
then check it.
http://www.pgpdump.net/about.html

Or, alternatively, if all you want to do is see how gnupg makes a 
key and if primes are used,
then generate a test key for this purpose, with the passphrase 
blank, and send it to pgpdump.

But, if you are suspecting gnupg (or any openpgp implementation), 
of generating a composite key with a secret prime factor that the 
implementation can use for master decryption, then there is an 
easier way for them to accomplish this, in a way where the the 
prime numbers are definitely primes, but the program can still 
decrypt:

All that is necessary, is to use pre-canned primes, 
(i.e. to generate a prime which falls within a range of primes 
stored in an offsite area by the implementation.)

The decryption can be accomplished with relatively little 
difficulty, by checking all the pre-canned primes, which would be 
much, much fewer, [but still large enough that someone using the 
program, would not be likely to generate duplicate keys].

Short of thoroughly checking the source code, this would not be 
user-detectable,
and if you are already checking the gnupg sourcecode, 
you can see that the generation of primes for keys is quite 
impeccably done ;-)


vedaal




More information about the Gnupg-users mailing list