Pretty Good Privacy (PGP) has been the de facto standard for encrypting
e-mail messages and desktop files ever since its introduction to the 'net in
1993. The client itself is based on an encryption technology known as public
key cryptography, which uses pairs of "keys" to maintain the security of data.
These keys are the digital codes that allow you to encrypt and decrypt the data
contained in your messages and files. PGP creates a pair of keys for each user
known as a public key and a private key. These two keys work together and
represent the core technology behind the two major areas of protection that PGP
focuses on -- privacy and authenticity.

PGP first ensures the privacy of your information by encrypting your messages
and allowing only the intended recipient (or recipients) to read
them. Your public key is given out to others so that they can send you
encrypted messages, and in turn you receive the public keys of acquaintances so
that you can send your own PGP-encrypted mail. The second of the two keys, the
private key, is used in conjunction with your public key to decipher incoming
messages or desktop files that have been encrypted using PGP. And in order to
decipher encrypted messages that you have sent to others, they will need to use
their own private key in combination with the public key sent with your message.

PGP also ensures the authenticity of your messages by verifying that a message
received did indeed originate from the person claiming to have sent it and that
the message has not been altered in any way during its delivery. When using
PGP's authentication capabilities to send out your own authenticated messages,
you use your private key to digitally sign the messages you send to others. The
recipient can then use their copy of your public key to determine if you really
sent the e-mail and to ensure that it has not been modified during transit. And
when someone sends you e-mail with their digital signature, you use a copy of
their public key to verify the signature and to make sure that the message has
not been tampered with.

If it all sounds a bit confusing, no need to worry -- PGP handles all of the
tricky details for you. A Key Generation Wizard will create a key pair for you
composed of a public key and a private key. You can then use a public key
server to send out your public key to others as well as to retrieve the public
keys of your friends. Additionally, PGP features Automatic Key Retrieval which
will contact a public key server automatically when you attempt to send a
message to a PGP user without knowing their public key. This is all you need to
do in order to begin sending and receiving encrypted e-mail -- it's that simple.

Similarly, PGP makes the actual process of encrypting and decrypting your
messages straightforward. The client offers seamless integration with
Eudora Pro and Light (versions 3.0 and later) and functions as a plug-in for
Microsoft Outlook and Exchange. If you use another mail client you can access
PGP via either PGPmenu (a context menu plug-in offering clipboard encryption) or
PGPtray (clipboard encryption accessible from a system tray application).
PGP also allows you to encrypt/sign or decrypt/verify files on your desktop
directly from the Windows Explorer. File formats that can be used with PGP
include web pages, documents, spreadsheets, sound bytes, video clips, and more.

The result of PGP's focus on privacy and authenticity is the most advanced
protection for your data currently available. While earlier versions of PGP
used RSA to generate keys, the newer versions offer the option of creating keys
based on the more sophisticated DSS/Diffie-Hellman technology. Keys generated
using the RSA technology max out at 1024-bit security, while the newer
technology allows for up to 4096-bit security (the strength of the security is
user-definable). As a gauge of the strength of PGP's security, a web browser in
comparison can only use a maximum of 128-bit security.

Perhaps the best thing about PGP is its freeware status as long as you use the
client for individual, non-commercial purposes. For commercial use, versions
are available for individuals beginning at $59 (PGP for Personal Privacy) and
for businesses beginning at $119 (PGP for Business Privacy). PGPfreeware
contains all of the same features as the commercial versions with the exception of
technical support and optional PGP 2.x backward compatibility algorithm support.

The only real downside to PGP is that cryptographic software continues to be
classified as export-controlled by the U.S. Government, which means that only
citizens and permanent residents of the United States and Canada can download
and legally use the software. But if you do live in the U.S. or Canada and
privacy is of any importance to you, PGP is an essential app to have in your
arsenal.

Pros: Freeware, excellent encryption capabilities, helpful wizards and tips make the client easy to set up and use
Cons: Only available to U.S./Canada residents, plug-in support not available for all e-mail applications
For the latest information on PGP, check out:
http://cws.internet.com/32auxx.html#pgp