I know of no example of recent PGP encryption
being broken. What happened last year is that a
hacker exposed a specific flaw in the verification
process. This has been patched (PGP 7 Hotfix 2,
I believe) and according to the most recent PGP
FAQ, 1024/2048-bit PGP keys are still - for all
practical purposes - completely secure.
An interesting news article from the past couple
of days regarding this subject is at:
http://europe.cnn.com/2002/TECH/ptech/11/07/certicom.contest.reut/index.html
This week, having had 10,000 computers and the
services of a top mathematician, the University
of Notre Dame announced that it had "cracked
only a 109-bit key". It took them over a year and
a half. What's more, it didn't invalidate the code;
merely exposed the contents of a single message.
As the PGP FAQ (updated August 23rd 2002)
points out... "almost every week there's a story
about a college kid cracking PGP. As yet this is
just a demonstration of the paranoia within the
encryption community. There is currently no
evidence to suggest that PGP, when used
correctly and within a secure environment, is not
for all practical purposes secure."
(A secure environment, by the way, is a way of
stating that PGP is insecure if someone has
installed "keystroke logging" software on your
computer, or if you wrote down your passphrase
somewhere and left it unattended, etc etc etc).
So yeah, having spent the past 40 minutes or so
trying to trace evidence on the web of PGP being
cracked, I have drawn a blank. So unless you can
provide a reference to the story, I submit that you
are simply perpetrating an urban myth.