BCPG key strength

DeepDotWeb [1] claims that BCPG is insecure, and that you shouldn't buy from vendors who use it. Can anyone shed more light on the accuracy of these claims? Some well-regarded vendors (namely Avalokitesvara) use BCPG for generating their keys, which gives the libraries some non-zero credibility.

[1]: https://www.deepdotweb.com/security-tutorials/word-warning-versions-pgp-created-equally/


Comments


[8 Points] KimJongUntouchable:

aytch tea tea pea ess colon forward-slash forward-slash double-you double-you double-you dot dee ee ee pea dee oh tea double-you ee bee dot sea oh em/security-tutorials/word-warning-versions-pgp-created-equally/

What the fuck? No one wants to sound that shit out. And clearnet links aren't even filtered. Lmao

http://deepdotweb.com/security-tutorials/word-warning-versions-pgp-created-equally/


[3 Points] ziz1:

I think that the main problem with Avalokitesvara's PGP key is that the version string is an exact match to a key produced by using igolder.com.

If they are indeed using igolder.com to encrypt and decrypt messages, that would be very poor opsec. The igolder website could be recording all unencrypted messages, private keys, and passwords.

You can generate a key to see the version string yourself by using this link and hitting "Generate PGP Keys" (you don't need to enter any information to generate a key).

https://www.igolder.com/pgp/generate-key/

http://grams7enufi7jmdl.onion/infodesk/vendor/0x41F1EF58D270C73E
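The check ziz1 describes above (reading the armor "Version:" line to see which software produced a key) can be done mechanically. The following is an added example, not code from the thread or from any tool named in it. It parses the header block of an ASCII-armored key and classifies the producing implementation by prefix; the key blocks are constructed samples with filler bodies, and the prefix table (BCPG, GnuPG, OpenPGP.js) is an assumption covering common implementations, not a list of igolder's exact strings. The Version line is free-form text written by the armoring software, so it can be edited or omitted: treat a match as a hint that warrants asking the key holder how it was generated, not as proof.

```python
"""Inspect the Version header of an ASCII-armored PGP key block.

Added example, not from the thread. The Version line is written by the
software that armored the key (RFC 4880, section 6.2), so it hints at
which tool produced the key. It is free-form text that can be edited or
omitted, so treat it as a hint, not proof.
"""
import re

# Implementation families recognised here. These prefixes are assumptions:
# "BCPG" is the Bouncy Castle PGP library prefix named in the thread,
# "GnuPG" is GnuPG's own header, "OpenPGP.js" the browser library's.
KNOWN_IMPLEMENTATIONS = {
    "BCPG": "Bouncy Castle (Java/C#), commonly embedded in web and mobile generators",
    "GnuPG": "GnuPG command-line tool",
    "OpenPGP.js": "OpenPGP.js browser library",
}

ARMOR_BEGIN_RE = re.compile(r"^-----BEGIN PGP (.+)-----$")


def parse_armor_headers(armored: str) -> dict:
    """Return the armor header key/value pairs of the first armored block.

    Headers sit between the BEGIN line and the first blank line; the
    base64 body that follows is not examined.
    """
    lines = armored.strip().splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if ARMOR_BEGIN_RE.match(l.strip()))
    except StopIteration:
        raise ValueError("no PGP armor header found")
    headers = {}
    for line in lines[start + 1:]:
        line = line.strip()
        if line == "":
            break  # blank line separates headers from the base64 body
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def classify_key_origin(armored: str) -> tuple:
    """Return (implementation family, description) from the Version header.

    Yields ("none", ...) when the header is absent and ("unknown", ...)
    when it does not start with a recognised prefix.
    """
    headers = parse_armor_headers(armored)
    version = headers.get("Version")
    if version is None:
        return ("none", "no Version header (modern GnuPG omits it by default)")
    for prefix, desc in KNOWN_IMPLEMENTATIONS.items():
        if version.startswith(prefix):
            return (prefix, f"{desc}: '{version}'")
    return ("unknown", f"unrecognised Version header: '{version}'")


# Constructed sample blocks: the base64 bodies are filler, not real key material.
SAMPLE_BCPG = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mQENBFxxxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP PUBLIC KEY BLOCK-----"""

SAMPLE_GNUPG = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.18 (GNU/Linux)
Comment: constructed sample

mQENBFxxxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP PUBLIC KEY BLOCK-----"""

if __name__ == "__main__":
    for sample in (SAMPLE_BCPG, SAMPLE_GNUPG):
        print(classify_key_origin(sample))
```

Run it and the two samples classify as BCPG and GnuPG respectively. A key with no Version line at all (the default for GnuPG 2.1 and later) comes back as "none", which is why absence of a header says nothing about the key's origin either way.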