Which PGP algorithms have been broken (after all, PGP is just a suite of algorithms, it can't really be broken)? RSA? ELG? DSA? 3DES? CAST5? BLOWFISH? AES (128? 192? 256?)? TWOFISH? CAMELLIA (128? 192? 256?)? MD5? SHA1? RIPEMD160? SHA (256? 384? 512? 224?) For that matter, what about the key sizes of the asymmetric algorithms? Anyway, I just humor you; I already know you are just trolling because you seem to think that PGP is in itself an encryption algorithm lol. Was there a mathematical breakthrough in factoring large composite numbers into primes? Are all of the non-government cryptographers from academia in on the conspiracy? Why have you not sold this information to foreign governments? That is some pretty valuable intelligence! Bruce Schneier said he doesn't think NSA can pwn strong crypto in response to that Wired article. He thinks they can hack into computers and steal keys. He thinks they can do timing analysis and other fancy attacks to steal plaintexts and keys. Implementation is a lot more than using a good password. It is really something that must be done correctly by the person who makes the software. There are a lot of ways that implementation can be fucked up; for example, in a streaming encryption program maybe it takes longer for the CPU to do one type of operation involved than another, and by measuring timing characteristics of input/output the attacker can slowly or quickly gain bits of the key (because the person who implemented it didn't make sure to use constant-rate operation time set at the maximum time any of the operations could potentially take).
Pseudo-random number generators have a pretty established history of frequently being poorly implemented, and if your PRNG doesn't really randomly pick a number from a range it will potentially greatly reduce your keyspace (for example, one PRNG always generated numbers from certain planes instead of an even distribution throughout the entire range, when represented in a certain dimensional space; I really don't know math well enough to talk about this though....). Also PRNGs need a random seed, and entropy accumulation is not a perfected art. There are a lot of ways that encryption systems can be compromised, but the actual algorithms being compromised is pretty much the *least likely* way for modern strong encryption algorithms to be pwnt. I talk with a few cryptographers on occasion. One of them did speculate that it is possible that some previously published attack on AES-128 was implemented by the NSA (talking about the same Wired article) and that they may be able to compromise *some* things encrypted with it. I really don't know enough about crypto to even relay the highly technical things he was saying without fucking it up, but I am pretty sure a less-than-ideal PRNG was a prerequisite to the attack. Bruce also said that he wouldn't be totally blown away if he found out that NSA has enough classical computing power to brute force 1,024-bit RSA keys, but he said he leans towards side channel attacks. So in short, it still seems as unlikely as ever that NSA can directly break strong encryption algorithms, and in the worst case scenario they might be able to break a small amount of ciphertexts encrypted with AES-128 under certain circumstances, and they might be able to brute force RSA-1,024 when they want to badly enough to focus their resources on it. I guess it is possible that they made a quantum computing breakthrough, but none of the professionals seem to think this is very likely. GPG works like this.
First a PRNG is seeded with randomness and used to generate a random string. I am not sure how its entropy accumulation works, but it probably hooks into the OS entropy pool (CryptGenRandom on Windows and /dev/urandom on Unix), which is always gathering entropy from events like you moving your mouse and typing on your keyboard etc. The output from the seeded PRNG is then hashed to create a session key. Your message to whoever is then encrypted with a symmetric algorithm using the previously generated hash as the key to decrypt it, and also a randomly generated initialization vector which is used to initiate cipher block chaining mode (CBC mode). (Without an IV the word "dog" will always encrypt to the same ciphertext.... not good... especially since if you have an image that is black and white, the black and white pixels will all encrypt into the same respective ciphertexts! Look up ECB mode....) The session key is then asymmetrically encrypted with whoever's public asymmetric key. The final message is then base64 encoded to make it into text that can be worked with (i.e. sent through email). Then when whoever gets the block, they base64 decode it, use their passphrase as a key to decrypt their symmetrically encrypted private asymmetric key, use the private asymmetric key to decrypt the session key, and then use the session key to decrypt the symmetrically encrypted message. All that said, I could really not give a fuck less if NSA can pwn strong encryption. NSA doesn't share information with federal police except in matters of terrorism and espionage, and even then they rarely do, and it seems only with the FBI. Since I am not a major international terrorist, am not safeguarding foreign military secrets, and am not committing espionage against the USA or its allies, I can be pretty confident that NSA will never target me and will never share the dragnet intelligence they have gathered on me with any of my adversaries.