PGP Signed Message | 1994-01-26 | 44KB | 935 lines
-----BEGIN PGP SIGNED MESSAGE-----
Frequently Asked Questions
alt.security.pgp
Version 6
24-Jan-94
========================================================================
IMPORTANT DISCLAIMER!
The use of PGP raises a number of political and legal
issues. I AM NOT a lawyer and AM NOT qualified to give
any legal opinions. Nothing in this document should be
interpreted as legal advice. If you have any legal
questions concerning the use of PGP, you should consult
an attorney who specializes in patent and/or export
law. In any case, the law will vary from country to
country.
========================================================================
Revision History
Ver  Date       Description
---  ---------  -----------
1    09-Dec-93  Proof Reading Copy - Limited Distribution
2    11-Dec-93  First Preliminary Posting (Many changes)
3    19-Dec-93  Second Preliminary Posting (Many changes)
4    01-Jan-94  Third Preliminary Posting (Many changes)
5    15-Jan-94  Changes for version 5:
                Fixed a number of minor spelling, grammar, and typographical errors.
                Corrected phone number for Colorado Catacombs BBS.
                Added pgp-public-keys@pgp.iastate.edu to servers no longer in service.
                Added talk.politics.crypto to related newsgroups.
                Added new pgp support product: PGP-Front.
                Added new pgp support product: PGPWinFront.
                Updated pgp support product information: PBBS availability.
                Updated pgp support product information: PGPSHELL.
                Added section on how to obtain _Wired_ articles.
                Added announcement of Commodore Amiga PGP 2.3a patchlevel 2.
                Recommended reading list: Added notation of articles available online.
6    24-Jan-94  Changes for version 6:
                Fixed a number of minor spelling, grammar, and typographical errors.
                Modified Public Key Server List in section 8.2
                Added note that 2.3a is the latest version for VAX/VMS in section 1.10.5.
                Added Emacs Auto-PGP 1.02 to support product section in Appendix I.
                Modified dates to a format that is not ambiguous for international use.
========================================================================
Please read this FAQ over and let me know of any additions, deletions, or
corrections. It should be noted that most of the questions and answers
concerning PGP apply equally well to the ViaCrypt(tm) version as well. All
additions, deletions, or corrections to this list should be directed to me at
gbe@netcom.com (Gary Edstrom). I will acknowledge all e-mail.
This FAQ is slanted towards the DOS or Unix users of PGP and many of the
examples given may only apply to them. For other systems, I would like to
direct your attention to the following documents:
MAC: "Here's How to MacPGP!" by Xenon <an48138@anon.penet.fi>
Archimedes PGP comes with its own PGPhints file.
Send e-mail to pgpinfo@mantis.co.uk for a list of PGP tips.
I would like to thank Paul Allen <pla@sktb.demon.co.uk> for allowing me to
use some of his PGHints file in this FAQ.
The files making up this FAQ are available via ftp at netcom.com:/pub/gbe.
The file names are pgp-faq*.asc and are in clearsig pgp format. In addition,
the file pgp-faq.doc is available which is in the original Microsoft Word for
Windows format under which this FAQ was created.
--
Gary B. Edstrom          | Sequoia Software     | PGP fingerprint:
Internet: gbe@netcom.com | Programming Services | 2F F6 1B 28 6E A6 09 6C
CompuServe: 72677,564    | P.O. Box 9573        | B0 EA 9E 4C C4 C6 7D 46
Fax: 1-818-247-6046      | Glendale, CA 91226   | Key available via finger
What is PGP? Subscribe to alt.security.pgp and find out!
========================================================================
Table of Contents
Part 1/4
1. Introductory Questions
1.1. What is PGP?
1.2. Why should I encrypt my mail? I'm not doing anything illegal!
1.3. What are public keys and private keys?
1.4. How much does PGP cost?
1.5. Is encryption legal?
1.6. Is PGP legal?
1.7. Where can I get translations of the PGP documentation and/or
language.txt files?
1.8. Is there an archive site for alt.security.pgp?
1.9. Is there a commercial version of PGP available?
1.10. What platforms has PGP been ported to?
1.10.1. DOS: 2.3a
1.10.2. MAC: 2.3
1.10.3. OS/2: 2.3a
1.10.4. Unix: 2.3a (Variations exist for many different systems.)
1.10.5. VAX/VMS: 2.3a
1.10.6. Atari ST: 2.3a
1.10.7. Archimedes: 2.3a subversion 1.18b
1.10.8. Commodore Amiga: 2.3a patchlevel 2
1.11. Where can I obtain PGP?
2. General Questions
2.1. Why can't a person using version 2.2 read my version 2.3 message?
2.2. Why does it take so long to encrypt/decrypt messages?
2.3. How do I create a secondary key file?
2.4. How does PGP handle multiple addresses?
2.5. How can I use PGP to create a return receipt for a message?
2.6. Where can I obtain scripts to integrate pgp with my email or news
reading system?
3. Keys
3.1. Which key size should I use?
3.2. Why does PGP take so long to add new keys to my key ring?
3.3. How can I extract multiple keys into a single armored file?
3.4. I tried encrypting the same message to the same address two different
times and got completely different outputs. Why is this?
3.5. How do I specify which key to use when an individual has 2 or more
public keys and the very same user ID on each, or when 2 different
users have the same name?
3.6. What does the message "Unknown signator, can't be checked" mean?
3.7. How do I get PGP to display the trust parameters on a key?
4. Security Questions
4.1. How secure is PGP?
4.2. Can't you break PGP by trying all of the possible keys?
4.3. How secure is the conventional cryptography (-c) option?
4.4. Can the NSA crack RSA?
4.5. How secure is the "for your eyes only" option (-m)?
4.6. What if I forget my pass phrase?
4.7. Why do you use the term "pass phrase" instead of "password"?
4.8. If my secret key ring is stolen, can my messages be read?
4.9. How do I choose a pass phrase?
4.10. How do I remember my pass phrase?
4.11. How do I verify that my copy of PGP has not been tampered with?
4.12. How do I know that there is no trap door in the program?
4.13. Can I put PGP on a multi-user system like a network or a mainframe?
4.14. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, & RSA?
4.15. Aren't all of these security procedures a little paranoid?
4.16. Can I be forced to reveal my pass phrase in any legal proceedings?
5. Message Signatures
5.1. What is message signing?
5.2. How do I sign a message while still leaving it readable?
Part 2/4
6. Key Signatures
6.1. What is key signing?
6.2. How do I sign a key?
6.3. Should I sign my own key?
6.4. Should I sign X's key?
6.5. How do I verify someone's identity?
6.6. How do I know someone hasn't sent me a bogus key to sign?
7. Revoking a key
7.1. My secret key ring has been stolen or lost, what do I do?
7.2. I forgot my pass phrase. Can I create a key revocation certificate?
8. Public Key Servers
8.1. What are the Public Key Servers?
8.2. What public key servers are available?
8.3. What is the syntax of the key server commands?
9. Bugs
10. Related News Groups
11. Recommended Reading
12. General Tips
Appendix I - PGP add-ons and Related Products
Part 3/4
Appendix II - Glossary of Cryptographic Terms
Appendix III - Cypherpunks
Appendix IV - How to obtain articles from _Wired_ magazine
Appendix V - Testimony of Philip Zimmermann to Congress
Appendix VI - Announcement of Philip Zimmermann Defense Fund
Appendix VII - A Statement from ViaCrypt Concerning ITAR
Part 4/4
Appendix VIII - United States Congress Phone and FAX List
========================================================================
1. Introductory Questions
1.1. What is PGP?
PGP is a program that gives your electronic mail something that it
otherwise doesn't have: Privacy. It does this by encrypting your mail so
that nobody but the intended person can read it. When encrypted, the
message looks like a meaningless jumble of random characters. PGP has
proven itself quite capable of resisting even the most sophisticated
forms of analysis aimed at reading the encrypted text.
PGP can also be used to apply a digital signature to a message without
encrypting it. This is normally used in public postings where you don't
want to hide what you are saying, but rather want to allow others to
confirm that the message actually came from you. Once a digital signature
is created, it is impossible for anyone to modify either the message or
the signature without the modification being detected by PGP.
While PGP is easy to use, it does give you enough rope so that you can
hang yourself. You should become thoroughly familiar with the various
options in PGP before using it to send serious messages. For example,
giving the command "PGP -sat <filename>" will only sign a message, it
will not encrypt it. Even though the output looks like it is encrypted,
it really isn't. Anybody in the world would be able to recover the
original text.
1.2. Why should I encrypt my mail? I'm not doing anything illegal!
You should encrypt your e-mail for the same reason that you don't write
all of your correspondence on the back of a post card. E-mail is actually
far less secure than the postal system. With the post office, you at
least put your letter inside an envelope to hide it from casual snooping.
Take a look at the header area of any e-mail message that you receive and
you will see that it has passed through a number of nodes on its way to
you. Every one of these nodes presents the opportunity for snooping.
Encryption in no way should imply illegal activity. It is simply
intended to keep personal thoughts personal.
Xenon <an48138@anon.penet.fi> puts it like this:
Crime? If you are not a politician, research scientist, investor, CEO,
lawyer, celebrity, libertarian in a repressive society, investor, or
person having too much fun, and you do not send e-mail about your private
sex life, financial/political/legal/scientific plans, or gossip then
maybe you don't need PGP, but at least realize that privacy has nothing
to do with crime and is in fact what keeps the world from falling apart.
Besides, PGP is FUN. You never had a secret decoder ring? Boo! -Xenon
(Copyright 1993, Xenon)
1.3. What are public keys and private keys?
With conventional encryption schemes, keys must be exchanged with
everyone you wish to talk to by some other secure method such as face to
face meetings, or via a trusted courier. The problem is that you need a
secure channel before you can establish a secure channel! With
conventional encryption, either the same key is used for both encryption
and decryption or it is easy to convert either key to the other. With
public key encryption, the encryption and decryption keys are different
and it is impossible for anyone to convert one to the other. Therefore,
the encryption key can be made public knowledge, and posted in a database
somewhere. Anyone wanting to send you a message would obtain your
encryption key from this database or some other source and encrypt his
message to you. This message can't be decrypted with the encryption key.
Therefore nobody other than the intended receiver can decrypt the
message. Even the person who encrypted it can not reverse the process.
When you receive a message, you use your secret decryption key to decrypt
the message. This secret key never leaves your computer. In fact, your
secret key is itself encrypted to protect it from anyone snooping around
your computer.
1.4. How much does PGP cost?
Nothing! (Compare to ViaCrypt PGP at $98!) It should be noted, however,
that in the United States, the freeware version of PGP *MAY* be a
violation of a patent held by Public Key Partners (PKP).
1.5. Is encryption legal?
In much of the civilized world, encryption is either legal, or at least
tolerated. However, there are some countries where such activities
could put you in front of a firing squad! Check with the laws in your own
country before using PGP or any other encryption product. A couple of the
countries where encryption is illegal are Iran and Iraq.
1.6. Is PGP legal?
In addition to the comments about encryption listed above, there are a
couple of additional issues of importance to those individuals residing
in the United States or Canada. First, there is a question as to whether
or not PGP falls under the ITAR regulations which govern the exporting of
cryptographic technology from the United States and Canada. This is despite
the fact that technical articles on the subject of public key encryption
have been available legally world wide for a number of years. Any
competent programmer would have been able to translate those articles
into a workable encryption program. There is the possibility that ITAR
regulations may be relaxed to allow for encryption technology.
1.7. Where can I get translations of the PGP documentation and/or
language.txt files?
Spanish: Armando Ramos <armando@clerval.org>
German: Marc Aurel <4-tea-2@bong.saar.de>
Lithuanian: Zygimantas Cepaitis, Bokera Ltd., Kaunas Lithuania.
e-mail: <zcepaitis@ktl.fi> or <zygis@bokera.lira.lt.ee>
ftp: ghost.dsi.unimi.it:/pub/crypt/pgp23ltk.zip
ftp: nic.funet.fi:/pub/crypt/ghost.dsi.unimi.it/pgp23ltk.zip
1.8. Is there an archive site for alt.security.pgp?
laszlo@instrlab.kth.se (Laszlo Baranyi) says:
"My memory says that ripem.msu.edu stores a backlog of both
alt.security.pgp, and sci.crypt. But that site is ONLY open for ftp for
those that are inside US."
1.9. Is there a commercial version of PGP available?
Yes, by arrangement with the author of PGP, a company called ViaCrypt is
marketing a version of PGP that is almost identical to the version
currently available on Internet. Each can read or write messages to the
other. The list price of ViaCrypt PGP is $98 (US) for a single user
license and is NOT available for export from the United States. In
addition, it is presently available only for MS-DOS. Versions for other
platforms are under development. While the present product is 100%
compatible with free PGP, it is not known if this will remain the case in
the future. The address of ViaCrypt is:
ViaCrypt
David A. Barnhart
Product Manager
2104 West Peoria Avenue
Phoenix, Arizona 85029
Tel: (602) 944-0773
Fax: (602) 943-2601
E-Mail: 70304.41@compuserve.com
E-Mail: wk01965@worldlink.com
Credit card orders only. (800)536-2664 (8-5 MST M-F)
1.10. What platforms has PGP been ported to?
1.10.1. DOS: 2.3a
1.10.2. MAC: 2.3
1.10.3. OS/2: 2.3a
1.10.4. Unix: 2.3a (Variations exist for many different systems.)
1.10.5. VAX/VMS: 2.3a
1.10.6. Atari ST: 2.3a
1.10.7. Archimedes: 2.3a subversion 1.18b
1.10.8. Commodore Amiga: 2.3a patchlevel 2
From: simons@peti.GUN.de (Peter Simons)
Date: Fri, 31 Dec 1993 08:10:53 +0100
Newsgroups: alt.security.pgp
Subject: PGPAmiga 2.3a.2 available for FTP
TITLE
Pretty Good Privacy (PGP)
VERSION
Version 2.3a patchlevel 2
AUTHOR
Amiga port and enhancements by Peter Simons <simons@peti.GUN.de>
CHANGES
This version is re-compiled with SAS/C 6.50. A few minor bugs have
been fixed. Additionally, the manual is now available in TexInfo style and
can easily be converted into AmigaGuide, postscript, dvi or whatever
format. AmigaGuide versions are included.
Also for the first time, the alt.security.pgp frequently asked
questions (FAQ) are included in the archive.
NOTES
Please take note that the archive contains a readme file, with
checksums for ALL files in the distribution and is signed with my key!
Please be careful, if this file is missing or rigged!
A mailing list concerning PGPAmiga has been opened on peti.GUN.de.
To subscribe, send e-mail to listserv@peti.GUN.de with "ADD your_address
PGPAmiga" in the message body. You may add "HELP" in the next line to
receive a command overview of ListSERV.
SPECIAL REQUIREMENTS
none
HOST NAME
Any Aminet host, i.e. ftp.uni-kl.de (131.246.9.95).
DIRECTORY
/pub/aminet/util/crypt/
FILE NAMES
PGPAmi23a_2.lha
PGPAmi23a2_src.lha
1.11. Where can I obtain PGP?
FTP sites:
soda.berkeley.edu
/pub/cypherpunks/pgp (DOS, MAC)
Verified: 21-Dec-93
ftp.demon.co.uk
/pub/amiga/pgp
/pub/archimedes
/pub/pgp
/pub/mac/MacPGP
ftp.informatik.tu-muenchen.de
ftp.funet.fi
ghost.dsi.unimi.it
/pub/crypt
Verified: 21-Dec-93
ftp.tu-clausthal.de (139.174.2.10)
wuarchive.wustl.edu
/pub/aminet/util/crypt
src.doc.ic.ac.uk (Amiga)
/aminet
/amiga-boing
ftp.informatik.tu-muenchen.de
/pub/comp/os/os2/crypt/pgp23os2A.zip (OS/2)
black.ox.ac.uk (129.67.1.165)
/src/security (Unix)
iswuarchive.wustl.edu
pub/aminet/util/crypt (Amiga)
csn.org
/mpj (see README.MPJ for export restrictions)
nic.funet.fi (128.214.6.100)
van-bc.wimsey.bc.ca (192.48.234.1)
ftp.uni-kl.de (131.246.9.95)
qiclab.scn.rain.com (147.28.0.97)
pc.usl.edu (130.70.40.3)
leif.thep.lu.se (130.235.92.55)
goya.dit.upm.es (138.4.2.2)
tupac-amaru.informatik.rwth-aachen.de (137.226.112.31)
ftp.etsu.edu (192.43.199.20)
princeton.edu (128.112.228.1)
pencil.cs.missouri.edu (128.206.100.207)
Also, try an archie search for PGP using the command:
archie -s pgp23 (DOS Versions)
archie -s pgp2.3 (MAC Versions)
ftpmail:
For those individuals who do not have access to FTP, but do have access
to e-mail, you can get FTP files mailed to you. For information on
this service, send a message saying "Help" to ftpmail@decwrl.dec.com.
You will be sent an instruction sheet on how to use the ftpmail
service.
BBS sites:
Hieroglyphics Vodoo Machine (Colorado)
DOS version only
(303) 443-2457
Verified: 26-Dec-93
Colorado Catacombs BBS
(303) 938-9654
Exec-Net (New York)
Host BBS for the ILink net.
(914) 667-4567
The Grapvine BBS (Little Rock Arkansas)
No longer in operation
2. General Questions
2.1. Why can't a person using version 2.2 read my version 2.3 message?
Try adding "+pkcs_compat=0" to your command line as follows:
pgp -seat +pkcs_compat=0 <filename>
By default, version 2.3 of PGP uses a different header format that is not
compatible with earlier versions of PGP. Inserting this option into the
command will force PGP to use the older header format. You can also set
this option in your config.txt file, but this is not recommended.
2.2. Why does it take so long to encrypt/decrypt messages?
This problem can arise when you have placed the entire public key ring
from one of the servers into the pubring.pgp file. PGP may have to search
through several thousand keys to find the one that it is after. The
solution to this dilemma is to maintain 2 public key rings. The first
ring, the normal pubring.pgp file, should contain only those individuals
that you send messages to quite often. The second key ring can contain
ALL of the keys for those occasions when the key you need isn't in your
short ring. You will, of course, need to specify the key file name
whenever encrypting messages using keys in your secondary key ring. Now,
when encrypting or decrypting messages to individuals in your short key
ring, the process will be a LOT faster.
2.3. How do I create a secondary key file?
First, let's assume that you have all of the mammoth public key ring in
your default pubring.pgp file. First, you will need to extract all of
your commonly used keys into separate key files using the -kx option.
Next, rename pubring.pgp to some other name. For this example, I will use
the name pubring.big. Next, add each of the individual key files that you
previously created to a new pubring.pgp using the -ka option. You now
have your 2 key rings. To encrypt a message to someone in the short
default file, use the command "pgp -e <userid>". To encrypt a message to
someone in the long ring, use the command "pgp -e <userid>
c:\pgp\pubring.big". Note that you need to specify the complete path and
file name for the secondary key ring. It will not be found if you only
specify the file name.
2.4. How does PGP handle multiple addresses?
When encrypting a message to multiple addresses, you will notice that the
length of the encrypted file only increases by a small amount for each
additional address. The reason that the message only grows by a small
amount for each additional key is that the body of the message is only
encrypted once using a random session key and IDEA. It is only necessary
then to encrypt this session key once for each address and place it in
the header of the message. Therefore, the total length of a message only
increases by the size of a header segment for each additional address.
(To avoid a known weakness in RSA when encrypting the same message to
multiple recipients, the IDEA session key is padded with different random
data each time it is RSA-encrypted.)
2.5. How can I use PGP to create a return receipt for a message?
I was planning on including a section on this question. However, while
following a similar thread in alt.security.pgp, I realized that there
were too many unresolved issues to include an answer here. I may try to
include the subject in a future release of the FAQ.
2.6. Where can I obtain scripts to integrate pgp with my email or news
reading system?
The scripts that come with the source code of PGP are rather out of date.
Newer versions of some of the scripts are available via anonymous ftp at
ftp.informatik.uni-hamburg.de:/pub/virus/misc/contrib.zip
3. Keys
3.1. Which key size should I use?
PGP gives you 4 choices of key size: 384, 512, 1024, or a user selected
number of bits. The larger the key, the more secure the RSA portion of
the encryption is. The only place where the key size makes a large change
in the running time of the program is during key generation. A 1024 bit
key can take 8 times longer to generate than a 384 bit key. Fortunately,
this is a one time process that doesn't need to be repeated unless you
wish to generate another key pair. During encryption, only the RSA
portion of the encryption process is affected by key size. The RSA
portion is only used for encrypting the session key used by the IDEA. The
main body of the message is totally unaffected by the choice of RSA key
size. So unless you have a very good reason for doing otherwise, select
the 1024 bit key size. Using currently available algorithms for
factoring, the 384 bit key is just not far enough out of reach to be a
good choice.
3.2. Why does PGP take so long to add new keys to my key ring?
The time required to check signatures and add keys to your public key
ring tends to grow as the square of the size of your existing public key
ring. This can reach extreme proportions. I just recently added the
entire 850KB public key ring from one of the key servers to my local
public key ring. Even on my 66MHz 486 system, the process took over 10
hours.
3.3. How can I extract multiple keys into a single armored file?
A number of people have more than one public key that they would like to
make available. One way of doing this is executing the "-kxa" command for
each key you wish to extract from the key ring into separate armored
files, then appending all the individual files into a single long file
with multiple armored blocks. This is not as convenient as having all of
your keys in a single armored block.
Unfortunately, the present version of PGP does not allow you to do this
directly. Fortunately, there is an indirect way to do it. First, extract
each of the desired keys into separate armored key files using the
command "pgp -kxa <key>". Next, create a temporary key ring by adding
the individual key files one by one using the command "pgp -ka <keyfile>
<temp-key-ring>". This new temporary key ring will contain only the keys
that you are interested in. Finally, execute the command "pgp -kxa *
<new-armored-file> <temp-key-ring>" to extract all of the keys in the
temporary ring to an armored file. Note the "*" in the previous command.
It is not described in the PGP documentation but apparently means "all
keys". This armored file now contains all of the desired keys just as if
pgp had had a built in command to do it in the first place.
A Unix (csh) script to perform the extraction with a single command would
be as follows:
# extract each named key from <keyring>, appending it to /tmp/keys.pgp
foreach name (name1 name2 name3 ...)
    pgp -kx $name /tmp/keys.pgp <keyring>
end
An equivalent DOS command would be (the output key file must be given
before the key ring, as in the Unix version):
for %a in (name1 name2 name3 ...) do pgp -kx %a keys.pgp <keyring>
3.4. I tried encrypting the same message to the same address two different
times and got completely different outputs. Why is this?
Every time you run pgp, a different session key is generated. This
session key is used as the key for IDEA. As a result, the entire header
and body of the message changes. You will never see the same output
twice, no matter how many times you encrypt the same message to the same
address. This adds to the overall security of PGP.
3.5. How do I specify which key to use when an individual has 2 or more
public keys and the very same user ID on each, or when 2 different
users have the same name?
Instead of specifying the user's name in the ID field of the PGP command,
you can use the key ID number. The format is 0xNNNNNN where NNNNNN is the
user's 6 character key ID number. It should be noted that you don't need
to enter the entire ID number, a few consecutive digits from anywhere in
the ID should do the trick. Be careful: If you enter "0x123", you will
be matching key IDs 0x123937, 0x931237, or 0x912373. Any key ID that
contains "123" anywhere in it will produce a match. They don't need to
be the starting characters of the key ID. You will recognize that this
is the format for entering hex numbers in the C programming language. For
example, any of the following commands could be used to encrypt a file to
me.
pgp -e <filename> "Gary Edstrom"
pgp -e <filename> gbe@netcom.com
pgp -e <filename> 0x90A9C9
This same method of key identification can be used in the config.txt file
in the "MyName" variable to specify exactly which of the keys in the
secret key ring should be used for encrypting a message.
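To make the matching rule in 3.5 concrete, here is an added example (not from the FAQ and not PGP's own code) that models how a selector picks keys out of a key ring: the key ring, its 6-digit key IDs and the rule that a plain user ID selector is a case-insensitive substring match are assumptions of the example.

```python
# Added example: a model of PGP 2.x key selection as described in section 3.5.
# KEYRING is constructed for the demonstration; the key IDs are sample values
# chosen to show the substring behaviour the FAQ warns about.

KEYRING = [
    # (6-hex-digit key ID as PGP 2.x displays it, user ID)
    ("123937", "Alice Example <alice@example.net>"),
    ("931237", "Alice Example <alice@example.net>"),   # same name, second key
    ("912373", "Bob Builder <bob@example.org>"),
    ("90A9C9", "Gary Edstrom <gbe@netcom.com>"),
]


def select_keys(selector, keyring=KEYRING):
    """Return the key IDs a PGP-style selector would match.

    "0xNNN" matches any key whose key ID contains the hex digits NNN
    anywhere, not only at the start.  Anything else is treated as a
    case-insensitive substring of the user ID (an assumption of this model).
    """
    if selector[:2].lower() == "0x":
        needle = selector[2:].upper()
        if not needle or any(c not in "0123456789ABCDEF" for c in needle):
            raise ValueError("key ID selector must be hex digits after 0x")
        return [kid for kid, _ in keyring if needle in kid.upper()]
    needle = selector.lower()
    return [kid for kid, uid in keyring if needle in uid.lower()]


def unique_key(selector, keyring=KEYRING):
    """Resolve a selector to exactly one key, or fail loudly.

    The FAQ does not say what PGP does with an ambiguous selector, so a
    script that encrypts on someone's behalf should refuse ambiguity itself
    rather than risk encrypting to the wrong key.
    """
    hits = select_keys(selector, keyring)
    if len(hits) != 1:
        raise LookupError("selector %r matched %d keys: %s"
                          % (selector, len(hits), hits))
    return hits[0]


if __name__ == "__main__":
    for sel in ("0x123", "0x931237", "alice example", "gbe@netcom.com"):
        print("%-16s -> %s" % (sel, select_keys(sel)))
    print("unique:", unique_key("0x90A9C9"))
```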
3.6. What does the message "Unknown signator, can't be checked" mean?
It means that the key used to create that signature does not exist in
your database. If at sometime in the future, you happen to add that key
to your database, then the signature line will read normally. It is
completely harmless to leave these non checkable signatures in your
database. They neither add to nor take away from the validity of the key
in question.
3.7. How do I get PGP to display the trust parameters on a key?
You can only do this when you run the -kc option by itself on the entire
database. The parameters will NOT be shown if you give a specific ID on
the command line. The correct command is: "pgp -kc". The command "pgp -kc
smith" will NOT show the trust parameters for smith.
4. Security Questions
4.1. How secure is PGP?
The big unknown in any encryption scheme based on RSA is whether or not
there is an efficient way to factor huge numbers, or if there is some
backdoor algorithm that can break the code without solving the factoring
problem. Even if no such algorithm exists, it is still believed that RSA
is the weakest link in the PGP chain.
4.2. Can't you break PGP by trying all of the possible keys?
This is one of the first questions that people ask when they are first
introduced to cryptography. They do not understand the size of the
problem. For the IDEA encryption scheme, a 128 bit key is required. Any
one of the 2^128 possible combinations would be legal as a key, and only
that one key would successfully decrypt all message blocks. Let's say
that you had developed a special purpose chip that could try a billion
keys per second. This is FAR beyond anything that could really be
developed today. Let's also say that you could afford to throw a billion
such chips at the problem at the same time. It would still require over
10,000,000,000,000 years to try all of the possible 128 bit keys. That is
something like a thousand times the age of the known universe! While the
speed of computers continues to increase and their cost decrease at a
very rapid pace, it will probably never get to the point that IDEA could
be broken by the brute force attack.
The only type of attack that might succeed is one that tries to solve the
problem from a mathematical standpoint by analyzing the transformations
that take place between plain text blocks, and their cipher text
equivalents. IDEA is still a fairly new algorithm, and work still needs
to be done on it as it relates to complexity theory, but so far, it
appears that there is no algorithm much better suited to solving an IDEA
cipher than the brute force attack, which we have already shown is
unworkable. The nonlinear transformation that takes place in IDEA puts it
in a class of extremely difficult to solve mathematical problems.
4.3. How secure is the conventional cryptography (-c) option?
Assuming that you are using a good strong random pass phrase, it is
actually much stronger than the normal mode of encryption because you
have removed RSA which is believed to be the weakest link in the chain.
Of course, in this mode, you will need to exchange secret keys ahead of
time with each of the recipients using some other secure method of
communication, such as an in-person meeting or trusted courier.
4.4. Can the NSA crack RSA?
This question has been asked many times. If the NSA were able to crack
RSA, you would probably never hear about it from them. The best defense
against this is the fact the algorithm for RSA is known world wide. There
are many competent mathematicians and cryptographers outside the NSA and
there is much research being done in the field right now. If any of them
were to discover a hole in RSA, I'm sure that we would hear about it from
them. I think that it would be hard to hide such a discovery. For this
reason, when you read messages on USENET saying that "someone told them"
that the NSA is able to break pgp, take it with a grain of salt and ask
for some documentation on exactly where the information is coming from.
4.5. How secure is the "for your eyes only" option (-m)?
It is not secure at all. There are many ways to defeat it. Probably the
easiest way is to simply redirect your screen output to a file as
follows:
pgp [filename] > [diskfile]
The -m option was not intended as a fail-safe option to prevent plain
text files from being generated, but to serve simply as a warning to the
person decrypting the file that he probably shouldn't keep a copy of the
plain text on his system.
4.6. What if I forget my pass phrase?
In a word: DON'T. If you forget your pass phrase, there is absolutely no
way to recover any encrypted files. I use the following technique: I have
a backup copy of my secret key ring on floppy, along with a sealed
envelope containing the pass phrase. I keep these two items in separate
safe locations, neither of which is my home or office. The pass phrase
used on this backup copy is different from the one that I normally use on
my computer. That way, even if someone stumbles onto the hidden pass phrase
and can figure out who it belongs to, it still doesn't do them any good,
because it is not the one required to unlock the key on my computer.
4.7. Why do you use the term "pass phrase" instead of "password"?
This is because most people, when asked to choose a password, select some
simple common word. This can be cracked by a program that uses a
dictionary to try out passwords on a system. Since most people really
don't want to select a truly random password, where the letters and
digits are mixed in a nonsense pattern, the term pass phrase is used to
urge people to at least use several unrelated words in sequence as the
pass phrase.
4.8. If my secret key ring is stolen, can my messages be read?
No, not unless they have also stolen your secret pass phrase, or if your
pass phrase is susceptible to a brute-force attack. Neither part is
useful without the other. You should, however, revoke that key and
generate a fresh key pair using a different pass phrase. Before revoking
your old key, you might want to add another user ID that states what your
new key id is so that others can know of your new address.
4.9. How do I choose a pass phrase?
All of the security that is available in PGP can be made absolutely
useless if you don't choose a good pass phrase to encrypt your secret key
ring. Too many people use their birthday, their telephone number, the
name of a loved one, or some easy to guess common word. While there are
a number of suggestions for generating good pass phrases, the ultimate in
security is obtained when the characters of the pass phrase are chosen
completely at random. It may be a little harder to remember, but the
added security is worth it. As an absolute minimum pass phrase, I would
suggest a random combination of at least 8 letters and digits, with 12
being a better choice. With a 12 character pass phrase made up of the
lower case letters a-z plus the digits 0-9, you have about 62 bits of
key, which is 6 bits better than the 56 bit DES keys. If you wish, you
can mix upper and lower case letters in your pass phrase to cut down the
number of characters that are required to achieve the same level of
security. I don't do this myself because I hate having to manipulate the
shift key while entering a pass phrase.
A pass phrase which is composed of ordinary words without punctuation or
special characters is susceptible to a dictionary attack. Transposing
characters or misspelling words makes your pass phrase less vulnerable,
but a professional dictionary attack will cater for this sort of thing.
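The arithmetic behind the figures in 4.9 (36 symbols, 12 characters, about 62
bits, versus 56-bit DES), worked through as an added example that is not part
of the original FAQ. It also shows how many characters a mixed-case alphabet
needs for the same strength, draws a random pass phrase from the operating
system's secure random source, and puts a number on the "several unrelated
words" alternative so that a dictionary attack's work factor can be compared
directly. The character sets and the 8192-word dictionary size are assumed
values for illustration, not anything the FAQ specifies.

```python
import math
import secrets

# Assumed alphabets for illustration; the FAQ names lower case a-z plus 0-9
# (36 symbols) and mentions adding upper case (62 symbols).
LOWER_DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"
MIXED_DIGITS = LOWER_DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DES_KEY_BITS = 56


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one character")
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest pass phrase length whose entropy reaches `target_bits`."""
    if alphabet_size < 2:
        raise ValueError("need at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(alphabet: str, length: int) -> str:
    """Draw each character with the OS cryptographic RNG (the `secrets`
    module), never with the `random` module, which is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_words_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words chosen at random from a list of
    `dictionary_size` words. This, not the phrase's length on screen, is the
    search space a dictionary attack has to cover."""
    if dictionary_size < 2 or words < 1:
        raise ValueError("need at least two words and one draw")
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    print(f"12 x [a-z0-9]: {passphrase_bits(36, 12):.1f} bits "
          f"({passphrase_bits(36, 12) - DES_KEY_BITS:.1f} over DES)")
    print(f"[a-z0-9] chars to match DES: {chars_needed(36, DES_KEY_BITS)}")
    print(f"[a-zA-Z0-9] chars to reach 62 bits: {chars_needed(62, 62)}")
    print(f"4 words from 8192: {dictionary_words_bits(8192, 4):.1f} bits")
    print("sample:", random_passphrase(LOWER_DIGITS, 12))
```

The last figure is the point of the dictionary-attack paragraph: four words
drawn at random from an 8192-word list give 52 bits no matter how long the
phrase looks, and words the user picks rather than draws at random give far
less, since an attacker's list is ordered by how likely each word is.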
4.10. How do I remember my pass phrase?
This can be quite a problem especially if you are like me and have about
a dozen different pass phrases that are required in your every day life.
Writing them down someplace so that you can remember them would defeat
the whole purpose of pass phrases in the first place. There is really no
good way around this. Either remember it, or write it down someplace and
risk having it compromised.
4.11. How do I verify that my copy of PGP has not been tampered with?
If you do not presently own any copy of PGP, use great care in where you
obtain your first copy. What I would suggest is that you get two or more
copies from different sources that you feel you can trust, and compare
the copies to see if they are absolutely identical. This won't eliminate
the possibility of having a bad copy, but it will greatly reduce the
chances.
If you already own a trusted version of PGP, it is easy to check the
validity of any future version. There is a file called PGPSIG.ASC
included with all new releases. It is a stand-alone signature file for
the contents of PGP.EXE. The signature file was created by the author of
the program. Since nobody except the author has access to his secret key,
nobody can tamper with either PGP.EXE or PGPSIG.ASC without it being
detected. To check the signature, you MUST be careful that you are
executing the OLD version of PGP to check the NEW. If not, the entire
check is useless. Let's say that your existing copy of PGP is in
subdirectory C:\PGP and your new copy is in C:\NEW. You should execute
the following command:
\PGP\PGP C:\NEW\PGPSIG.ASC C:\NEW\PGP.EXE
This will force your old copy of PGP to be the one that is executed. If
you simply changed to the C:\NEW directory and executed the command "PGP
PGPSIG.ASC PGP.EXE" you would be using the new version to check itself,
and this is an absolutely worthless check.
Once you have properly checked the signature of your new copy of PGP, you
can copy all of the files to your C:\PGP directory.
4.12. How do I know that there is no trap door in the program?
The fact that the entire source code for PGP is available makes it just
about impossible for there to be some hidden trap door. The source code
has been examined by countless individuals and no such trap door has been
found. To make sure that your executable file actually represents the
given source code, all you need to do is to re-compile the entire
program. I did this with the DOS version 2.3a and the Borland C++ 3.1
compiler and found that the output exactly matched byte for byte the
distributed executable file.
4.13. Can I put PGP on a multi-user system like a network or a
mainframe?
You can, but you should not, because this greatly reduces the security of
your secret key/pass phrase. This is because your pass phrase may be
passed over the network in the clear where it could be intercepted by
network monitoring equipment. Also, while it is being used by PGP on the
host system, it could be caught by some Trojan Horse program. Also, even
though your secret key ring is encrypted, it would not be good practice
to leave it lying around for anyone else to look at.
4.14. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, & RSA?
Two reasons: First, the IDEA encryption algorithm used in PGP is actually
MUCH stronger than RSA given the same key length. Even with a 1024 bit
RSA key, it is believed that IDEA encryption is still stronger, and,
since a chain is no stronger than its weakest link, it is believed that
RSA is actually the weakest part of the RSA - IDEA approach. Second, RSA
encryption is MUCH slower than IDEA. The only purpose of RSA in most
public key schemes is for the transfer of session keys to be used in the
conventional secret key algorithm, or to encode signatures.
4.15. Aren't all of these security procedures a little paranoid?
That all depends on how much your privacy means to you! Even apart from
the government, there are many people out there who would just love to
read your private mail. And many of these individuals would be willing to
go to great lengths to compromise your mail. Look at the amount of work
that has been put into some of the virus programs that have found their
way into various computer systems. Even when it doesn't involve money,
some people are obsessed with breaking into systems. Just about a week ago,
I saw a posting on alt.security.pgp where the return address had been
altered to say "president@whitehouse.gov". In this case, the content of
the message showed that it was obviously fake, but what about some of
those other not so obvious cases?
4.16. Can I be forced to reveal my pass phrase in any legal proceedings?
The following information applies only to citizens of the United States
in U.S. Courts. The laws in other countries may vary. Please see the
disclaimer at the top of part 1.
There have been several threads on the Internet concerning the question of
whether or not the Fifth Amendment right not to be forced to give
testimony against yourself can be applied to the subject of being forced
to reveal your pass phrase. Not wanting to settle for the many
conflicting opinions of armchair lawyers on usenet, I asked for input
from individuals who were more qualified in the area. The results were
somewhat mixed. There apparently has NOT been much case history to set
precedent in this area. So if you find yourself in this situation, you
should be prepared for a long and costly legal fight on the matter. Do
you have the time and money for such a fight? Also remember that judges
have great freedom in the use of "Contempt of Court". They might choose
to lock you up until you decide to reveal the pass phrase and it could
take your lawyer some time to get you out. (If only you just had a poor
memory!)
5. Message Signatures
5.1. What is message signing?
Let's imagine that you received a letter in the mail from someone you
know named John Smith. How do you know that John was really the person
who sent you the letter, rather than someone else simply forging his name?
With PGP, it is possible to apply a digital signature to a message that
is impossible to forge. If you already have a trusted copy of John's
public encryption key, you can use it to check the signature on the
message. It would be impossible for anybody but John to have created the
signature, since he is the only person with access to the secret key
necessary to create the signature. In addition, if anybody has tampered
with an otherwise valid message, the digital signature will detect the
fact. It protects the entire message.
5.2. How do I sign a message while still leaving it readable?
Sometimes you are not interested in keeping the contents of a message
secret; you only want to make sure that nobody tampers with it, and to
allow others to verify that the message is really from you. For this, you
can use clear signing. Clear signing only works on text files; it will
NOT work on binary files. The command format is:
pgp -sat +clearsig=on <filename>
The output file will contain your original unmodified text, along with
section headers and an armored PGP signature. In this case, PGP is not
required to read the file, only to verify the signature.
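A parser for the clear-signed layout just described, added as an example
and not code from the FAQ or from PGP: it splits a clear-signed file into the
optional armor header lines, the original text, and the armored signature
block, and undoes the "- " dash-escaping PGP applies to any text line that
begins with a dash (visible in this FAQ's own revision history, where the
underline row reads "- --- ---- -----------"). The sample message at the
bottom is constructed, with a placeholder in place of a real signature; the
parser separates the parts, and checking the signature itself still requires
PGP and the signer's public key.

```python
from dataclasses import dataclass

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class ClearSigned:
    headers: dict[str, str]   # armor headers after BEGIN (PGP 2.3a writes none)
    text: str                 # the signed text with dash-escaping removed
    signature: str            # the armored signature block, BEGIN..END inclusive


def dash_escape(text: str) -> str:
    """What a clear-signer does to the text: prefix '- ' to lines starting with
    '-', so that the text can never be mistaken for an armor boundary line."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def parse_clearsigned(message: str) -> ClearSigned:
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start + 1)
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError as exc:
        raise ValueError("not a complete clear-signed message") from exc

    # Optional "Key: value" lines follow BEGIN and end at the first blank line.
    headers: dict[str, str] = {}
    i = start + 1
    while i < sig_start and lines[i] != "":
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ValueError(f"malformed armor header: {lines[i]!r}")
        headers[key.strip()] = value.strip()
        i += 1
    i += 1  # skip the blank separator line

    body = []
    for line in lines[i:sig_start]:
        if line.startswith("- "):
            body.append(line[2:])            # restore the original dash line
        elif line.startswith("-"):
            # A bare dash line here was not produced by a clear-signer; refuse
            # rather than guess, since the signed bytes must match exactly.
            raise ValueError(f"unescaped dash line in signed text: {line!r}")
        else:
            body.append(line)
    return ClearSigned(headers, "\n".join(body),
                       "\n".join(lines[sig_start:sig_end + 1]))


# Constructed sample; the base64 body and CRC are placeholders, not a signature.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----

Revision History
- --- ---- -----------
6  24-Jan-94  Changes for version 6
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

UExBQ0VIT0xERVI=
=AAAA
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    parsed = parse_clearsigned(SAMPLE)
    print(parsed.text)
    print(parsed.signature.splitlines()[0], "...", parsed.signature.splitlines()[-1])
```

Anything outside the BEGIN/END boundaries is ignored by design: a mail
program may add its own text before or after the signed region, and only
the part between the boundaries is what the signature covers.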
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLUS8KUHZYsvlkKnJAQGD9wP/bIepiTw4hq7u07Oyi3xlWgDliHO/iPBV
WJVTWndzy7YEGPqvu+TVSIeLViIhsx4l8FCOximX0j7ZTw7zCiUdfTmkysT3baHS
FcUAhYSrHRxNERssF1UFULpAF1KNtPRGf/WvrncXLl4RUhlimfrmBY5zy20ZaBiH
KvhNmLqQxGs=
=NS7y
-----END PGP SIGNATURE-----