~buzz
Mon, Dec 8, 1997 (05:02)
seed
Pretty Good Privacy (PGP) has been the de facto standard for encrypting
e-mail messages and desktop files ever since its introduction to the 'net in
1993. The client itself is based on an encryption technology known as public
key cryptography which uses pairs of "keys" to maintain the security of data.
These keys are the digital codes that allow you to encrypt and decrypt the data
contained in your messages and files. PGP creates a pair of keys for each user
known as a public key and a private key. These two keys work together and
represent the core technology behind the two major areas of protection that PGP
focuses on -- privacy and authenticity.
PGP first ensures the privacy of your information by encrypting your messages
and enabling only the intended recipient (or recipients) the ability to read
them. Your public key is given out to others so that they can send you
encrypted messages, and in turn you receive the public keys of acquaintances so
that you can send your own PGP-encrypted mail. The second of the two keys, the
private key, is used in conjunction with your public key to decipher incoming
messages or desktop files that have been encrypted using PGP. And in order to
decipher encrypted messages that you have sent to others, they will need to use
their own private key in combination with the public key sent with your message.
PGP also ensures the authenticity of your messages by verifying that a message
received did indeed originate from the person claiming to have sent it and that
the message has not been altered in any way during its delivery. When using
PGP's authentication capabilities to send out your own authenticated messages,
you use your private key to digitally sign the messages you send to others. The
recipient can then use their copy of your public key to determine if you really
sent the e-mail and to ensure that it has not been modified during transit. And
when someone sends you e-mail with their digital signature, you use a copy of
their public key to verify the signature and to make sure that the message has
not been tampered with.
If it all sounds a bit confusing, no need to worry -- PGP handles all of the
tricky details for you. A Key Generation Wizard will create a key pair for you
composed of a public key and a private key. You can then use a public key
server to send out your public key to others as well as to retrieve the public
keys of your friends. Additionally, PGP features Automatic Key Retrieval which
will contact a public key server automatically when you attempt to send a
message to a PGP user without knowing their public key. This is all you need to
do in order to begin sending and receiving encrypted e-mail -- it's that simple.
Similarly, PGP makes the actual process of encrypting and decrypting your
messages a straightforward process. The client offers seamless integration with
Eudora Pro and Light (versions 3.0 and later) and functions as a plug-in for
Microsoft Outlook and Exchange. If you use another mail client you can access
PGP via either PGPmenu (a context menu plug-in offering clipboard encryption) or
PGPtray (clipboard encryption accessible from a system traybar application).
PGP also allows you to encrypt/sign or decrypt/verify files on your desktop
directly from the Windows Explorer. File formats that can be used with PGP
include web pages, documents, spreadsheets, sound bytes, video clips, and more.
The result of PGP's focus on privacy and authenticity is the most advanced
protection for your data currently available. While earlier versions of PGP
used RSA to generate keys, the newer versions offer the option of creating keys
based on the more sophisticated DSS/Diffie-Hellman technology. Keys generated
using the RSA technology max out at 1024-bit security, while the newer
technology allows for up to 4096-bit security (the strength of the security is
user-definable). As a gauge of the strength of PGP's security, a web browser in
comparison can only use a maximum of 128-bit security.
Perhaps the best thing about PGP is its freeware status as long as you use the
client for individual, non-commercial purposes. For commercial use, versions
are available for individuals beginning at $59 (PGP for Personal Privacy) and
for businesses beginning at $119 (PGP for Business Privacy). PGPfreeware
contains all of the features of the commercial versions with the exception of
technical support and optional PGP 2.x backward compatibility algorithm support.
The only real downside to PGP is that cryptographic software continues to be
classified as export-controlled by the U.S. Government, which means that only
citizens and permanent residents of the United States and Canada can download
and legally use the software. But if you do live in the U.S. or Canada and privacy is of any importance to you, PGP is an essential app to have in your arsenal.
Pros: Freeware, excellent encryption capabilities, helpful wizards and tips make the client easy to set up and use
Cons: Only available to U.S./Canada residents, plug-in support not available for all e-mail applications
For the latest information on PGP, check out:
http://cws.internet.com/32auxx.html#pgp
~sges
Mon, Dec 8, 1997 (19:24)
#1
Unfortunately 5.5.3 cannot use old RSA Keys, unlike 5.0 freeware. Old RSA keys could be as long as 2048 bits, not 1024 as was stated. One disadvantage of DSS/DH is that the DSS key is limited to 1024 bits; only the DH key is 4096 bits.
Both DSS/DH keys and RSA keys take about the same difficulty to break and at the lengths used are probably not breakable with current computing power.
When generating DSS/DH keys I advise against using the preselected primes. These primes are not bad, but a common modulus is too tempting a target for cryptanalysis.
~sges
Mon, Dec 8, 1997 (19:31)
#2
The legal situation is a bit more complex. I am not a lawyer but as far as I know only the EXPORT in BINARY form is illegal. Once it is out of the US it can be used by anyone. It can also be exported in BOOK form. PGP is available internationally from The International PGP Home Page, http://www.pgpi.com and several non-US ftp sites have PGP 5.5.3.
~sges
Mon, Dec 8, 1997 (19:49)
#3
Don't compare apples to oranges. A symmetrical key length of 128 bits used in secure versions of Netscape and Internet Explorer is stronger than 1024 bits of RSA or DSS/DH. PGP internally uses a 128 bit symmetrical key, which is encoded using the DSS/DH or RSA key.
A 128 bit symmetrical key takes about the same computing power to break as a 2304 bit RSA key or DSS/DH modulus. Mathematical advances may make it easier to break an RSA or DSS/DH key in the future, thus PGP allows keys up to 4096 bits. But don't worry. All are unbreakable for the foreseeable future.
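The scheme described in this thread (one key pair per user, signing with the sender's private key, and a 128-bit session key wrapped with the recipient's public key) as an added example; it is not part of any post above and is not PGP's own code. It assumes Node.js's built-in crypto module, with RSA-OAEP and AES-128-GCM standing in for PGP's algorithms; all function names are hypothetical.

```javascript
// Added illustration, not PGP source. RSA-OAEP and AES-128-GCM (Node built-ins)
// are stand-ins for PGP's own algorithms; all function names are hypothetical.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const SIG_LEN = 256; // an RSA-2048 signature is always 256 bytes

// Each user owns one pair; only publicKey is ever handed out.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: sign with own PRIVATE key, encrypt signature + body under a fresh
// 128-bit session key, wrap that session key with the recipient's PUBLIC key.
function sealMessage(text, senderPrivateKey, recipientPublicKey) {
  const body = Buffer.from(text, 'utf8');
  const signature = crypto.sign('sha256', body, senderPrivateKey);
  const sessionKey = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(signature), cipher.update(body), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the session key with own PRIVATE key (throws for anyone
// else), decrypt (throws if the ciphertext was altered), then check the
// signature against the claimed sender's PUBLIC key.
function openMessage(msg, recipientPrivateKey, senderPublicKey) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-128-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  const plain = Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  const body = plain.subarray(SIG_LEN);
  const signatureValid = crypto.verify('sha256', body, senderPublicKey, plain.subarray(0, SIG_LEN));
  return { text: body.toString('utf8'), signatureValid };
}

// Constructed sample: alice sends to bob; carol has a key pair of her own.
function demo() {
  const [alice, bob, carol] = [newKeyPair(), newKeyPair(), newKeyPair()];
  const sealed = sealMessage('meet at noon', alice.privateKey, bob.publicKey);
  const fromAlice = openMessage(sealed, bob.privateKey, alice.publicKey);
  const notCarol = openMessage(sealed, bob.privateKey, carol.publicKey);
  return { text: fromAlice.text, aliceOk: fromAlice.signatureValid, carolOk: notCarol.signatureValid };
}
console.log(demo());
```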
~sges
Tue, Dec 9, 1997 (08:27)
#4
PGP for International Users, PGPi, is NOT less secure than PGP for US users. The security is the SAME. It simply was compiled outside the United States from the PGP 5.0 source which was exported in Book Form. Since it was made outside the US, US export laws don't apply. However since 5.0i is as strong as 5.0 or 5.5.3, if 5.0i is imported into the US it cannot be re-exported! However US laws do not apply if neither the exporter nor importer is in the US.
~sges
Wed, Apr 8, 1998 (06:59)
#5
PGP 5.5.3i has been released by the International PGP Home Page (http://www.pgpi.com). It supports RSA and DSS/DH keys, unlike the freeware 5.5.5 and 5.5.3 that only support DSS/DH keys. It can be downloaded from ftp://ftp.no.pgpi.com/pub/pgp/5.5/win95nt/pgp553i-win95nt.exe
This version was created from the 5.5.3 source code which was legally exported in BOOK form and scanned. The only change from 5.5.3 to 5.5.5 is an updated splash screen to reflect the new owners, Network Associates.
~liberti
Thu, Apr 1, 1999 (02:58)
#6
For those who use Pegasus Mail, you can use QDPGP, a 32-bit encryptor plug-in for PGP. It is "freeware" and may be used and copied without fee or obligation
from: http://community.wow.net/grt/qdpgp.html .
Features:
Seamless integration of PGP with Pegasus Mail.
Version 2.60 supports PGP 6.0.2 and Pegasus Mail 3.02.
Version 2.12 supports PGP 5.5.3 and Pegasus Mail 3.01d.
Version 1.71a supports PGP (versions 5.5i, 5.0i and 2.6.3i) and Pegasus Mail (versions 2.5x and 3.0x).
Supports use of identities for signing.
Supports the anti-TEMPEST Secure Viewer.
Conventional encryption with IDEA (128 bit), CAST5 (128 bit) and 3DES (168 bit) ciphers.
Full install/uninstall.
Comprehensive help file with context sensitive support.
Multi-language support (English, German, French, Spanish, Italian, Dutch, Portuguese).
Version update notification.