7.1 copyright
THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
1994-09-10, Copyright Timothy C. May. All rights reserved.
See the detailed disclaimer. Use short sections under "fair
use" provisions, with appropriate credit, but don't put your
name on my words.
7.2 - SUMMARY: PGP -- Pretty Good Privacy
7.2.1. Main Points
- PGP is the most important crypto tool there is, having
single-handedly spread public key methods around the world
- many other tools are being built on top of it
7.2.2. Connections to Other Sections
- ironically, almost no understanding of how PGP works in
detail is needed; there are plenty of experts who
specialize in that
7.2.3. Where to Find Additional Information
- newsgroups carry up to date comments; just read them for a
few weeks and many things will float by
- various FAQs on PGP
+ even an entire book, by Simpson Garfinkel:
- PGP: Pretty Good Privacy
by Simson Garfinkel
1st Edition November 1994 (est.)
250 pages (est),ISBN: 1-56592-098-8, $17.95 (est)
7.2.4. Miscellaneous Comments
- a vast number of ftp sites, URLs, etc., and these change
- this document can't possibly stay current on these--see the
pointers in the newsgroups for the most current sites
7.3 - Introduction
7.3.1. Why does PGP rate its own section?
- Like Clipper, PGP is too big a set of issues not to have
its own section
7.3.2. "What's the fascination in Cypherpunks with PGP?"
- Ironically, our first meeting, in September 1992, coincided
within a few days of the release of PGP 2.0. Arthur Abraham
provided diskettes of 2.0, complete with laser-printed
labels. Version 2.0 was the first truly useful version of
PGP (so I hear....I never tried Version 1.0, which had
limited distribution). So PGP and Cypherpunks shared a
history--and Phil Zimmermann has been to some physical
meetings.
- A practical, usable, understandable tool. Fairly easy to
use. In contrast, many other developments are more abstract
and do not lend themselves to use by hobbyists and
amateurs. This alone ensures PGP an honored place (and
might be an object lesson for developers of other tools).
7.3.3. The points here focus on PGP, but may apply as well to
similar crypto programs, such as commercial RSA packages
(integrated into mailers, commercial programs, etc.).
7.4 - What is PGP?
7.4.1. "What is PGP?"
7.4.2. "Why was PGP developed?"
7.4.3. Who developed PGP?
7.5 - Importance of PGP
7.5.1. PGP 2.0 arrived at an important time
- in September 1992, the very same week the Cypherpunks had
their first meeting, in Oakland, CA. (Arthur Abraham
printed up professional-looking diskette labels for the PGO
2.0 diskettes distributed. A general feeling that we were
forming at the "right time.")
- just 6 months before the Clipper announcement caused a
firestorm of interest in public key cryptography
7.5.2. PGP has been the catalyst for major shifts in opinion
- has educated tens of thousands of users in the nature of
strong crypto
- has led to other tools, including encrypted remailers,
experiments in digital money, etc.
7.5.3. "If this stuff is so important, how come not everyone is
digitally signing their messages?"
- (Me, for example. I never sign my messages, and this FAQ is
not signed. Maybe I will, later.)
- convenience, ease of use, "all crypto is economics"
- insecurity of host Unix machines (illusory)
- better integration with mailers needed
7.5.4. Ripem appears to be dead; traffic in alt.security.ripem is
almost zero. PGP has obviously won the hearts and minds of
the user community; and now that it's "legal"...
7.6 - PGP Versions
7.6.1. PGP Versions and Implementations
- 2.6ui is the version compatible with 2.3
+ What is the difference between versions 2.6 and 2.6ui?
- "PGP 2.6 is distributed from MIT and is legally available
to US and Canadian residents. It uses the RSAREF library.
It has code that will prevent interoperation with earlier
versions of PGP.
"PGP 2.6ui is a modified version of PGP 2.3a which
functions almost identically to MIT PGP 2.6, without the
"cripple code" of MIT PGP 2.6. It is legally available
outside the US and Canada only." [Rat
, alt.security.pgp, 1994-07-03]
+ DOS
- Versions
+ Pretty Good Shell
- "When your Microsoft Mail supports an external Editor,
you might want to try PGS (Pretty Good Shell),
available as PGS099B.ZIP at several ftp sites. It
enables you to run PGP from a shell, with a easy way to
edit/encrypt files." [HHM LIMPENS, 1994-07-01]
- Windows
+ Sun
- "I guess that you should be able to use PGPsendmail,
available at ftp.atnf.csiro.au:/pub/people/rgooch'
[eric@terra.hacktic.nl (Eric Veldhuyzen), PGP support for
Sun's Mailtool?, alt.security.pgp, 1994-06-29]
+ Mark Grant has been working on a tool
to replace Sun's mailtool. "Privtool ("Privacy Tool") is
intended to be a PGP-aware replacement for the standard
Sun Workstation mailtool program, with a similar user
interface and automagick support for PGP-signing and PGP-
encryption." [MG, 1994-07-03]
- "At the moment, the Beta release is available from
ftp.c2.org in /pub/privtool as privtool-0.80.tar.Z, and
I've attached the README.1ST file so that you can check
out the features and bugs before you download it. ....
Currently the program requires the Xview toolkit to
build, and has only been compiled on SunOS 4.1 and
Solaris 2.1."
+ MacPGP
- 2.6ui: reports of problems, bombs (remove Preferencs set
by previous versions from System folder)
- "MacPGP 2.6ui is fully compatible with MIT's MacPGP 2.6,
but offers several advantages, a chief one being that
MacPGP 2.6ui is controllable via AppleScript. This is a
very powerful feature, and pre-written AppleScripts are
already available. A set of AppleScripts called the
Interim Macintosh PGP Interface (IMPI) support
encryption, decryption, and signing of files via drag-n-
drop, finder selection, the clipboard, all accessible
from a system-wide menu. Eudora AppleScripts also exist
to interface MacPGP with the mail program Eudora.
"MacPGP 2.6ui v1.2 is available via anonymous ftp from:
FTP SITE DIRECTORY
CONTENTS
-------- ---------
--------
ftp.darmstadt.gmd.de pub/crypto/macintosh/MacPGP
MacPGP 2.6ui, source
AppleScripts for 2.6ui are available for U.S. and
Canadian citizens ONLY
via anonymous ftp from:
FTP SITE DIRECTORY
CONTENTS
-------- ---------
--------
ftp.csn.net mpj
IMPI & Eudora scripts
MacPGP 2.6ui, source
[phinely@uhunix.uhcc.Hawaii.Edu (Peter Hinely),
alt.security.pgp, 1994-06-28]
- Amiga
+ VMS
- 2.6ui is said to compile and run under VMS.
+ German version
- MaaPGP0,1T1,1
- dtp8//dtp,dapmqtadt,gmd,de/ilaomilg/MaaP
- Ahpiqtoph_Pagalies@hh2.maus.
- (source: andreas.elbert@gmd.de (A.Elbert). by way of
qwerty@netcom.com (-=Xenon=-), 3-31-94
7.6.2. What versions of PGP exist?
- PGP 2.7 is ViaCrypt's commercial version of PGP 2.6
7.6.3. PGP 2.6 issues
- There has been much confusion, in the press and in
discussion groups, about the issues surrounding 2.5, 2.6,
2.6ui, and various versions of these. Motivations,
conspiracies, etc., have all been discussed. I'm not
involved as others on our list are, so I'm often confused
too.
+ Here are some comments by Phil Zimmermann, in response to a
misleading press report:
- "PGP 2.6 will always be able to read messages,
signatures, and keys from olderversions, even after
September 1st. The older versions will not be able to
read messages, signatures and keys produced by PGP 2.6
after September 1st. This is an entirely different
situation. There is every reason for people to switch to
PGP 2.6, because it will be able to handle both data
formats, while the older versions will not. Until
September, the new PGP will continue to produce the old
format that can be read by older versions, but will start
producing the new format after that date. This delay
allows time for everyone to obtain the new version of
PGP, so that they will not be affected by the change.
Key servers will still be able to carry the keys made in
the old format, because PGP 2.6 will still read them with
no problems. " [Phil Zimmermann, 1994-07-07, also posted
to Usenet groups] [all dates here refer to 1994]
- "I developed PGP 2.6 to be released by MIT, and I think
this new
arrangement is a breakthrough in the legal status of PGP,
of benefit to
all PGP users. I urge all PGP users to switch to PGP
2.6, and abandon
earlier versions. The widespread replacement of the old
versions with
this new version of PGP fits in with future plans for the
creation of a
PGP standard." [Phil Zimmermann, 1994-07-07, also posted
to Usenet groups]
7.6.4. PGP version 2.6.1
- "MIT will be releasing Pretty Good Privacy (PGP) version
2.6.1 real soon now. By tomorrow, I think. The MSDOS
release filename will be pgp261.zip, and the source code
will be in pgp261s.zip. The MIT FTP site is net-
dist@mit.edu, in the pub/PGP directory." [corrected by
Derek Atkins to be: net-dist.mit.edu, not net-
dist@mit.edu.]
"This new version has a lot of bug fixes over version 2.6.
I hope this is the final release of this family of PGP
source code. We've been working on an entirely new version
of PGP, rewritten from scratch, which is much cleaner and
faster, and better suited for the future enhancements we
have planned. All PGP development efforts will be
redirected toward this new code base, after this 2.6.1
release." [Phil Zimmermann, Cypherpunks list, 1994-09-02]
7.7 - Where to Get PGP?
7.7.1. "Where can I get PGP on CompuServe?"
- Note: I can't keep track of the major ftp sites for the
various crypto packages, let alone info on services like
this. But, here it is;
- "Current as of 5-Jul-1994:"
GO EURFORUM / Utilities PGP26UI.ZIP PGP 2.6ui
GO PWOFORUM / New uploads PGP26.ZIP PGP 2.6
PWOFORUM also has the source code and documentation, plus
a number of shell utilities for PGP. Version 2.3a is also
still around." [cannon@panix.com, Kevin Martin, PGP on
Compuserve??, alt.security.pgp, 1994-07-08]
7.7.2. Off line PGP
+ ftp.informatik.uni-
hamburg.de:/pub/virus/crypt/pgp/tools/pgp-elm.zip
- another place: Crosspoint: ftp.uni-
kl.de:/pub3/pc/dos/terminal/xpoint XP302*.EXE
+ "I highly recommend Offline AutoPGP v2.10. It works
seamlessly with virtually any offline mail reader that
supports .QWK packets. Shareware registration is $10.00
US. The author is Staale Schumacher, a student at the
University of Oslo, is reachable at staale@ifi.uio.no .
The program should be pretty widely available on US bbs's
by now. I use the program constantly for bbs mail. It's
really quite a slick piece of work. If you have any
trouble finding it, drop me a note."
[bhowatt@eis.calstate.edu Brent H. Howatt, PGP in an
offline reader?, alt.security.pgp, 1994-07-05]
- oak.oakland.edu in /pub/msdos/offline, version 2.11
- ftp.informatik.uni-
hamburg.de:/pub/virus/crypt/pgp/tools/apgp211.zip
7.7.3. "Should I worry about obtaining and compiling the PGP
sources?"
- Well, unless you're an expert on the internals of PGP, why
bother? And a subtle bug in the random number generator
eluded even Colin Plumb for a while.
- The value of the source being available is that others can,
if they wish, make the confirmation that the executable
correspond to the source. That this _can_ be done is enough
for me. (Strategy: Hold on to the code for a while, wait
for reports of flaws or holes, then use with confidence.)
- Signatures can be checked. Maybe timestamped versions,
someday.
- Frankly, the odds are much higher that one's messages or
pseudonymous identity will be exposed in others ways than
that PGP has been compromised. Slip-ups in sending messages
sometimes reveal identities, as do inadvertent comments and
stylistic cues.
7.8 - How to Use PGP
7.8.1. How does PGP work?
7.8.2. "How should I store the secret part of my key? Can I memorize
it?"
- Modern ciphers use keys that are far beyond memorization
(or even typing in!). The key is usually stored on one's
home machine, or a machine that is reasonably secure, or on
diskette. The passphrase should always be memorized or
written down (ugh) in one's wallet or other such place.
Secure "dongles" worn around the neck, or a ring or watch,
may eventually be used. Smartcards and PDAs are a more
likely intermediate solution (many PCs now have PCMCIA card
slots).
7.8.3. "How do I sign messages?"
- cf. the PGP docs
+ however, this has come up on the List, and:
-
+ pgp -sta +clearsig=on message.txt
-
- That's from pgpdoc2.txt. Hope it helps. You might
wish to set up your mail
- user agent to invoke this command upon exiting your
default message editor,
- with "message.txt" set to whatever your editor calls
the temporary message
- file.
7.8.4. Why isn't PGP easier to use?
- Compared to other possible crypto applications (like
digital money or voting systems), it is actually _very_
easy to use
- semantic gap...learning
7.8.5. How should I learn PGP?
7.8.6. "What's the status of PGP integration with other programs?"
+ Editors
+ emacs
+ emacs supports pgp, probably in various flavors (I've
seen several reports of different packages)..the built-
in language certainly helps
- Rick Busdiecker has an emacs front
end to PGP available
- Jin S. Choi once described a
package he wrote in elisp which supported GNU emacs:
"mailcrypt"
- there are probably many more
+ Mailers
- That is, are there any mailers that have a good link to
PGP? Hooks into existing mailers are needed
+ emacs
+ emacs supports pgp, probably in various flavors (I've
seen several reports of different packages)..the built-
in language certainly helps
- Rick Busdiecker has an emacs front
end to PGP available
- Jin S. Choi once described a
package he wrote in elisp which supported GNU emacs:
"mailcrypt"
- there are probably many more
- elm
- Eudora
+ PGP sendmail, etc.
- "Get the PGPsendmail Suite, announced here a few days
ago. It's available for anonymous ftp from:
ftp.atnf.csiro.au: pub/people/rgooch (Australia)
ftp.dhp.com: pub/crypto/pgp/PGPsendmail(U.S.A.)
ftp.ox.ac.uk: src/security (U.K.)... It works by
wrapping around the regular sendmail programme, so
you get automatic encryption for all mailers, not just
Rmail. " [Richard Gooch, alt.security.pgp, 1994-07-10]
+ MIME
- MIME and PGP
- [the following material taken from an announcement
forwarded to the Cypherpunks list by
remijn@athena.research.ptt.nl, 1994-07-05]
- "MIME [RFC-1341, RFC-1521] defines a format and
general framework for the representation of a wide
variety of data types in Internet mail. This document
defines one particular type of MIME data, the
application/pgp type, for "pretty good" privacy,
authentication, and encryption in Internet mail. The
application/pgp MIME type is intended to facilitate the
wider interoperation of private mail across a wide
variety of hardware and software platforms.
+ Newsreaders
- useful for automatic signing/verification, and e-mail
from withing newsreader
- yarn
- tin
- The "yarn" newsreader reportedly has PGP built in.
7.8.7. "How often should I change my key or keys?"
- Hal Finney points out that many people seem to think PGP
keys are quasi-permanent. In fact, never changing one's key
is an invitation to disaster, as keys may be compromised in
various ways (keystroke capture programs, diskettes left
lying around, even rf monitoring) and may conceivably be
cracked.
- "
+ "What is a good interval for key changes? I would suggest
every year or so
- makes sense, especially if infrastructure can be
developed to make it easier
- to propagate key changes. Keys should be overlapped in
time, so that you make
- a new key and start using it, while continuing to support
the old key for a
- time.
- Hal also recommends that remailer sites change their keys
even more frequently, perhaps monthly.
7.9 - Keys, Key Signings, and Key Servers
7.9.1. Web of trust vs. heierarchical key management
- A key innovations of Phil Zimmermann was the use of a "web
of trust" model for distributed trust in keys.
- locality, users bear costs
- by contrast, government estimates $1-2 B a year to run key
certification agencies for a large fraction of the
population
- "PGP is about choice and constructing a web of trust that
suits your needs. PGP supports a completely decentralized,
personalized web of trust and also the most highly
structured bureaucratic centralized scheme you could
imagine. One problem with relying solely on a personalized
web of trust is that it limitsyour universe of
correspondents. We can't expect Phil Zimmermann and a few
well-known others to sign everyone's key, and I would not
want to limit my private correspondence to just those
people I know and trust plus those people whose keys have
been signed by someone I know and trust." [William
Stallings, SLED key verification, alt.security.pgp, 1994-09-
01]
7.9.2. Practical approaches to signing the keys of others
+ sign keys of folks you know and wish to communicate with
- face-to-face encounters ("Here is my key.")
+ trust--to varying extents--the keys signed by others you
know
- web-of-trust
- trust--to a lesser extent--the keys of people in key
registries
7.9.3. Key Servers
+ There are several major sites which appear to be stable
+ MIT PGP Public Key Server
- via www.eff.org
+ Vesselin Bontchev at University of Hamburg operates a
very stable one:
- Ftp: ftp.informatik.uni-hamburg.de
IP: 134.100.4.42
Dir: /pub/virus/crypt/pgp/
File: pubkring.pgp
E-Mail: pgp-public-keys@fbihh.informatik.uni-hamburg.de
- pgpkeys.io.com
+ http://martigny.ai.mit.edu/~bal/pks-commands.html
- This is a PGP keyserver in Zurich.
-
7.9.4. Use of PGP key fingerprints
- "One of the better uses for key fingerprints is for
inclusion in signature files and other places that a key
itself is too bulky. By widespread dissemination of the
fingerprint, the chances of a bogus key being undetected
are decreased, since there are more channels for the
fingerprint to get to recipients, and more channels for the
owner of a key to see any bogus fingerprints out on the
net. [Bill Stewart, 1994-08-31]
7.9.5. "How should address changes be handled? Do old keys have to
be revoked?"
- Future versions of PGP may handle better
- One way is to issue .... "User-id revocation certificates
are a *good* idea and the PGP key format allows for them -
maybe one day PGP will do something about it." [Paul Allen,
alt.security.pgp, 1994-07-01]
- Persistent e-mail addresses is one approach. Some people
are using organization like the ACM to provide this (e.g.,
Phil Zimmermann is prz@acm.org). Others are using remapping
services. For example, "I signed up with the SLED (Stable
Large E-mail Database), which is a cross-referencing
database for linking old, obsolete E-mail addresses with
current ones over the course of time.... Anyone using this
key will always be able to find me on the SLED by
conducting a search with "blbrooks..." as the keyword. Thus
my key and associated sigs always remain good.... If you
are interested in the SLED, its address is
sled@drebes.com." [Robert Brooks, alt.security.pgp, 1994-07-
01]
7.9.6. "How can I ensure that my keys have not been tampered with?"
+ Keep your private key secure
+ if on an unsecured machine, take steps to protect it
- offlline storage (Perry Metzger loads his key(s) every
morning, and removes it when he leaves the machine)
+ memorize your PGP passphrase and don't write it down, at
least not anywhere near where the private key is
available
- sealed envelopes with a lawyer, safe deposit boxes,
etc., are possibilities
- given the near-impossibility of recovering one's files
if the passphrase is lost permanently, I recommend
storing it _someplace_, despite the slight loss in
security (this is a topic of debate...I personally feel
a lot more comfortable knowing my memory is backed up
somewhere)
- Colin Plumb has noted that if someone has accesss to your
personal keyring, they also probably have access to your
PGP program and could make modifications to it *directly*.
- Derek Atkins answered a similar question on sci.crypt:
"Sure. You can use PGP to verify your keyring, and using
the web-of-trust, you can then have it verify your
signatures all the keys that you signed, and recurse
through your circle-of-friends. To verify that your own
key was not munged, you can sign something with your secret
key and then try to verify it. This will ensure that your
public key wasn't munged." [Derek Atkins, sci.crypt, 1994-
07-06]
7.9.7. "Why are key revocations needed?"
- Key revocation is the "ebb-of-trust"
- "There are a number of real reasons. Maybe you got coerced
into signing the key, or you think that maybe the key was
signed incorrectly, or maybe that person no longer uses
that email address, because they lost the account, or that
maybe you don't believe that the binding of key to userID
is valid for any number of reasons." [Derek Atkins, 4-28-
94]
7.9.8. "Is-a-person" registries
+ There have been proposals that governments could and should
create registries of "legal persons." This is known in the
crypto community as "is-a-person" credentialling, and
various papers (notably Fiat-Shamir) have dealt with issues
- of spoofing by malicious governments
- of the dangers of person-tracking
+ We need to be very careful here!
- this could limit the spread of 'ad hoc crypto' (by which
I mean the use of locally-generated keys for reasons
other than personal use...digital cash, pseudonyms etc.)
- any system which "issues" permission slips to allow keys
to be generated is dangerous!
+ Could be an area that governments want to get into.
- a la Fiat-Shamir "passport" issues (Murdoch, Libyan
example)
- I favor free markets--no limitations on which registries I
can use
7.9.9. Keyservers (this list is constantly changing, but most share
keys, so all one needs is one). Send "help" message. For
current information, follow alt.security.pgp.
- about 6000 keys on the main keyservers, as of 1994-08.
- pgp-public-keys@martigny.ai.mit.edu
- pgp-public-keys@dsi.unimi.it
- pgp-public-keys@kub.nl
- pgp-public-keys@sw.oz.au
- pgp-public-keys@kiae.su
- pgp-public-keys@fbihh.informatick.uni-hamburg.de
- and wasabi.io.com offers public keys by finger (I couldn't
get it to work)
7.9.10. "What are key fingerprints and why are they used?"
- "Distributing the key fingerprint allows J. Random Human to
correlate a key supplied via one method with that supplied
via another. For example, now that I have the fingerprint
for the Betsi key, I can verify whether any other alleged
Betsi key I see is real or not.....It's a lot easier to
read off & cross-check 32-character fingerprints than the
entire key block, especially as signatures are added and
the key block grows in size." [Paul Robichaux, 1994-08-29]
7.9.11. Betsi
- Bellcore
- key signing
7.9.12. on attacks on keyservers...
+ flooding attacks on the keyservers have started; this may
be an attempt to have the keyservers shut down by using
obscene, racist, sexist phrases as key names (Cypherpunks
would not support shutting down a site for something so
trivial as abusive, offensive language, but many others
would.)
- "It appears that some childish jerk has had a great time
generating bogus PGP keys and uploading them to the
public keyservers. Here are some of the keys I found on a
keyserver:...[keys elided]..." [staalesc@ifi.uio.no,
alt.security.pgp, 1994-09-05]
7.10 - PGP Front Ends, Shells, and Tools
7.10.1. Many can be found at this ftp site:
+ ftp.informatik.uni-hamburg.de:/pub/virus/crypt/pgp/shells/
- for various shells and front-ends for PGP
7.10.2. William Stallings had this to say in a Usenet post:
- "PGPShell: runs directly on the DOS version, doesn't need
Windows. Nice, simple interface. freeware
"PGP Winfront: freeware windows front end. Uses a "control
panel" style, with many options displayed in a compact
fashion.
"WinPGP: shareware ($45). Uses a drop-down menu style,
common to many Windows applications." [William Stallings,
Looking for PGP front end, alt.security, 1994-08-31]
7.10.3. Rick Busdiecker has an emacs front end to
PGP available
7.10.4. Pr0duct Cypher's tools:
+ ftp.informatik.uni-
hamburg.de:/pub/virus/crypt/pgp/tools/PGPTools.tar.gz
- Pr0duct Cypher's tools, and other tools in general
7.11 - Other Crypto Programs And Tools
7.11.1. Other Ciphers and Tools
- RIPEM
- PEM
- MD5
+ SFS (Secure FileSystem) 1.0
- "SFS (Secure FileSystem) is a set of programs which
create and manage a number of encrypted disk volumes, and
runs under both DOS and Windows. Each volume appears as
a normal DOS drive, but all data stored on it is encryped
at the individual-sector level....SFS 1.1 is a
maintenance release which fixes a few minor problems in
1.0, and adds a number of features suggested by users.
More details on changes are given in in the README file."
[Peter Gutmann, sci.crypt, 1994-08-25]
- not the same thing as CFS!
- 512-bit key using a MDC/SHS hash. (Fast)
- only works on a386 or better (says V. Bontchev)
- source code not available?
- implemented as a device driver (rather than a TSR, like
SecureDrive)
- "is vulnerable to a special form of attack, which was
mentioned once here in sci.crypt and is described in
detaills in the SFS documentation. Take a loot at the
section "Encryption Considerations"." [Vesselin Bontchev,
sci.crypt, 1994-07-01]
- Comparing SFS to SecureDrive: "Both packages are
approximately equal in terms of user interface, but SFS
seems to be quite a bit faster. And comments from
various people (previous message thread) seems to
indicate that it is more "secure" as well." [Bill Couture
, sci.crypt, 1994-0703]
+ SecureDrive
- encrypts a disk (always be very careful!)
- SecureDrive 1.3D, 128-bit IDEA cypher is based on an MD5
hash of the passphrase
- implemented as a TSR (rather than a device driver, like
CFS)
- source code available
+ Some problems reported (your mileage may vary)
- "I have been having quite a bit of difficulty with my
encrypted drive mangling files. After getting secure
drive 1.3d installed on my hard drive, I find that
various files are being corrupted and many times after
accessing the drive a bunch of crosslinked files are
present." [Vaccinia@uncvx1.oit.unc.edu, 1994-07-01]
- Others report being happy with, under both DOS and
Windows
- no OS/2 or Mac versions reported; some say an OS/2 device
driver will have to be used (such as Stacker for OS/2
uses)
+ SecureDevice
- "If you can't find it elsewhere, I have it at
ftp://ftp.ee.und.ac.za/pub/crypto/secdev13.arj, but
that's at the end of a saturated 64kbps link." [Alan
Barrett, 1994-07-01]
7.11.2. MDC and SHS (same as SHA?)
- "The MDC cyphers are believed to be as strong as it is
difficult to invert the cryptographic hash function they
are using. SHS was designed by the NSA and is believed to
be secure. There might be other ways to attack the MDC
cyphers, but nobody who is allowed to speak knows such
methods." [Vesselin Bontchev, sci.crypt, 1994-07-01]
+ Secure Hash Standard's algorithm is public, and hence can
be analyzed and tested for weaknesses (in strong contrast
with Skipjack).
- may replace MD5 in future versions of PGP (a rumor)
- Speed of MDC: "It's a speed tradeoff. MDC is a few times
faster than IDEA, so SFS is a few times faster than
SecureDrive. But MDC is less proven." [Colin Plumb,
sci.crypt, 1994-07-04]
+ Rumors of problems with SHA
- "The other big news is a security problem with the Secure
Hash Algorithm (SHA), discussed in the Apr 94 DDJ. The
cryptographers at NSA have found a problem with the
algorithm. They won't tell anyone what it is, or even
how serious it is, but they promise a fix soon. Everyone
is waiting with baited breath." [Bruce Schneier, reprot
on Eurocrypt '94, 1994-07-01]
7.11.3. Stego programs
+ DOS
- S-Tools (or Stools?). DOS? Encrypts in .gif and .wav
(SoundBlaster format) files. Can set to not indicate
encrypted files are inside.
- Windows
+ Macintosh
- Stego
+ sound programs
- marielsn@Hawaii.Edu (Nathan Mariels) has written a
program which "takes a file and encrypts it with IDEA
using a MD5 hash of the password typed in by the user.
It then stores the file in the lowest bit (or bits,
user selectable) of a sound file."
7.11.4. "What about "Pretty Good Voice Privacy" or "Voice PGP" and
Other Speech Programs?"
+ Several groups, including one led by Phil Zimmermann, are
said to be working on something like this. Most are using
commercially- and widely-available sound input boards, a la
"SoundBlaster" boards.
- proprietary hardware or DSPs is often a lose, as people
won't be able to easily acquire the hardware; a software-
only solution (possibly relying on built-in hardware, or
readily-available add-in boards, like SoundBlasters) is
preferable.
+ Many important reasons to do such a project:
- proliferate more crypto tools and systems
- get it out ahead of "Digital Telephony II" and Clipper-
type systems; make the tools so ubiquitous that outlawing
them is too difficult
- people understand voice communcations in a more natural
way than e-,mail, so people who don't use PGP may
nevertheless use a voice encryption system
+ Eric Blossom has his own effort, and has demonstrated
hardware at Cypherpunks meetings:
- "At this moment our primary efforts are on developing a
family of extensible protocols for both encryption and
voice across point to point links. We indend to use
existing standards where ever possible.
"We are currently planning on building on top of the RFCs
for PPP (see RFCs 1549, 1548, and 1334). The basic idea
is to add a new Link Control Protocol (or possibly a
Network Control Protocol) that will negotiate base and
modulus and perform DH key exchange. Some forms of
Authentication are already supported by RFCs. We're
looking at others." [Eric Blossom, 1994-04-14]
+ Building on top of multimedia capabilities of Macintoshes
and Windows may be an easier approach
- nearly all Macs and Windows machines will be
multimedia/audiovisual-capable soon
- "I realize that it is quite possible to design a secure
phone
with a Vocoder, a modem and some cpu power to do the
encryption, but I think that an easier solution may be on
the horizon. ....I believe that Microsoft and many others
are exploring hooking phones to PCs so people can do
things like ship pictures of their weekend fun to
friends. When PC's can easily access phone
communications, then developing encrypted conversations
should be as easy as programming for Windows :-)."
[Peter Wayner, 1993--07-08]
7.11.5. Random Number Generators
- A huge area...
+ Chaotic systems, pendula
- may be unexpected periodicities (phase space maps show
basins of attraction, even though behavior is seemingly
random)
7.11.6. "What's the situation on the dispute between NIST and RSADSI
over the DSS?"
- NIST claims it doesn't infringe patents
- RSADSI bought the Schnorr patent and claims DSS infringes
it
- NIST makes no guarantees, nor does it indemnify users
[Reginald Braithwaite-Lee, talk.politics.crypto, 1994-07-
04]
7.11.7. "Are there any programs like telnet or "talk" that use pgp?"
- "Don't know about Telnet, but I'd like to see "talk"
secured like that... It exists. (PGP-ized ytalk, that is.)
Have a look at ftp.informatik.uni-
hamburg.de:/pub/virus/crypto/pgp/tools/pgptalk.2.0.tar.gz"
[Vesselin Bontchev, alt.security.pgp, 1994-07-4]
7.11.8. Digital Timestamping
+ There are two flavors:
- toy or play versions
- real or comercial version(s)
+ For a play version, send a message to
"timestamp@lorax.mv.com" and it will be timestamped and
returned. Clearly this is not proof of much, has not been
tested in court, and relies solely on the reputation of the
timestamper. (A fatal flaw: is trivial to reset system
clocks on computes and thereby alter dates.)
- "hearsay" equivalent: time stamps by servers that are
*not* using the "widely witnessed event" approach of
Haber and Stornetta
- The version of Haber and Stornetta is of course much more
impressive, as it relies on something more powerful than
mere trust that they have set the system clocks on their
computers correctly!
7.12 - Legal Issues with PGP
7.12.1. "What is RSA Data Security Inc.'s position on PGP?"
I. They were strongly opposed to early versions
II. objections
- infringes on PKP patents (claimed infringements, not
tested in court, though)
- breaks the tight control previously seen
- brings unwanted attention to public key approaches (I
think PGP also helped RSA and RSADSI)
- bad blood between Zimmermann and Bidzos
III. objections
- infringes on PKP patents (claimed infringements, not
tested in court, though)
- breaks the tight control previously seen
- brings unwanted attention to public key approaches (I
think PGP also helped RSA and RSADSI)
- bad blood between Zimmermann and Bidzos
IV. Talk of lawsuits, actions, etc.
V. The 2.6 MIT accomodation may have lessened the tension;
purely speculative
7.12.2. "Is PGP legal or illegal"?
7.12.3. "Is there still a conflict between RSADSI and PRZ?"
- Apparently not. The MIT 2.6 negotiations seem to have
buried all such rancor. At least officially. I hear there's
still animosity, but it's no longer at the surface. (And
RSADSI is now facing lawsuits and patent suits.)
7.13 - Problems with PGP, Flaws, Etc.
7.13.1. Speculations on possible attacks on PGP
+ There are periodically reports of problems, most just
rumors. These are swatted-down by more knowledgeable
people, for the most part. True flaws may exist, of course,
as in any piece of software.
- Colin Plumb acknowledged a flaw in the random number
generation process in PGP 2.6, to be fixed in later
versions.
+ spreading fear, uncertainty and doubt
- rumors about security of PGP versions
- selective prosecution of PGP users
- death threats (a la against Bidzos)
- sowing confusion in the user community
- fragmenting it (perhaps via multiple, noninteroperable
versions...such as we're beginning to see now?)
7.13.2. What does the NSA know about flaws in PGP?
- They're not saying. Ironically, this violates the part of
their charter that deals with making commercial security
stronger. Now that PGP is kosher, they should help to make
it stronger, and certainly should not keep mum about
weaknesses they know about. But for them to help strengthen
PGP is not really too likely.
7.13.3. The PGP timebomb
- (As I've said elsewhere, it all gets very confusing. Many
versions, many sites, many viewpoints, many tools, many
shells, many other things. Fortunately, most of it is
flotsam.)
- I take no point of view--for various reasons--on avoiding
the "timebomb" by using 2.6ui. Here's someone else's
comment: "I would like to take this time to encourage you
to upgrade to 2.6ui which will overcome mit's timebomb and
not exclude PGP 2.3a from decrypting messages.....DON'T USE
MIT's 2.6, use PGP 2.6ui available from soda.berkeley.edu
: /pub/cypherpunks/pgp" [Matrix at Cypherpunks, BLACK
THURSAY!, alt.security.pgp, 1994-09-01]
+ can also be defeated with the "legal kludge":
- ftp.informatik.uni-hamburg.de :
/pub/virus/crypt/pgp/legal_kludge.txt
7.13.4. Spoofing
- "Suitable timing constraints, and in particular real-time
constraints, can be used to hinder, and perhaps defeat,
spoofing attacks. But with a store-and-forward e-mail
system (such as PGP is designed to work with) these
constraints cannot, in general, be set." [Ken Pizzini ,
sci.crypt, 1994-07-05]
7.13.5. "How do we know that PGP doesn't have a back door or some
other major flaw? After all, not all of us are programmers or
cryptologists."
- Yes, but many of us are. Many folks have analyzed the
source code in PGP, have compiled the code themselves (a
fairly common way to get the executable), and have examined
the random number generators, the selection of primes, and
all of the other math.
+ It would take only a single sharp-eyed person to blow the
whistle on a conspiracy to insert flaws or backdoors. This
has not been done. (Though Colin Plumb ackknowledged a
slight weakness in the RNG of 2.6...being fixed.)
- "While having source code available doesn't guarantee
that the program is secure, it helps a lot. Even though
many users are not programmers or cryptographers, others
are, and many of these will examine the code carefully
and publicly yell about weaknesses that they notice or
think they notice. For example, apparently there was a
big discussion here about the xorbytes() bug in PGP 2.6.
Contrast this with a commercial program, where such a bug
might go undetected for years." [Paul Rubin,
alt.security.pgp, 1994-09-06]
7.13.6. "Can I run PGP on a machine I don't control, e.g., the campus
computer system?"
- Sure, but the sysops and others may then have access to
your key and passphrase. Only machines the user directly
controls, and that are adequately firewalled from other
machines, offer reasonable amounts of security. Arguing
about whether 1024-bit keylengths are "enough" is rather
moot if the PGP program is being run on a corportate
computer, or a university network. The illusion of security
may be present, but no real security. Too many people are
kidding themselves that their messages are secure. That
their electronic identities cannot be spoofed.
- I'm not interested in the various elm and emacs PGP
packages (several such shells and wrappers exist). Any
sysop can not only obtain your secret key, stored on
hissystem, but he can also capture your passphrase as you
feed it to the PGP program (assuming you do...many people
automate this part as well). Since this sysop or one of his
cronies can then compromise your mail, sign messages and
contracts as "you," I consider this totally unacceptable.
Others apparently don't.
- What can be done? Many of us only run PGP on home machines,
or on machines we directly control. Some folks who use PGP
on such machines at least take steps to better secure
things....Perry Metzger, for example, once described the
multi-stage process he went through each day to reload his
key material in a way he felt was quasi-safe.
- Until the "Internet-in-a-box" or TIA-type products are more
widespread, many people will be connecting home or office
machines to other systems they don't control. (To put this
in sharper focus: do you want your electronic money being
run out of an account that your sysop and his friends can
monitor? Not hardly. "Electronic purses," which may be
smart cards, Newton-like PDAs, or dongle-like rings or
pendants, are clearly needed. Another entire discussion.)
7.14 - The Future of PGP
7.14.1. "Does PGP help or hurt public key methods in general and RSA
Data Security Inc. in particular?"
- The outcome is not final, but on balance I think the
position of RSADSI is helped by the publicity PGP has
generated. Users of PGP will "graduate" to fully-licensed
versions, in many cases. Corporations will then use
RSADSI's products.
+ Interestingly, PGP could do the "radical" things that
RSADSI was not prepared to do. (Uses familiar to
Cypherpunks.)
- bypassing export restrictions is an example of this
- incorporation into experimental digital cash systems
- Parasitism often increases the rate of evolution. Certainly
PGP has helped to light a fire under RSADSI.
7.14.2. Stealth PGP
- Xenon, Nik, S-Tools,
7.14.3. "Should we work on a more advanced version, a *Really Good
Privacy*?"
- easier said than done...strong committment of time
- not clear what is needed...
7.14.4. "Can changes and improvements be made to PGP?"
- I consider it one of the supreme ironies of our age that
Phil Zimmermann has denounced Tom Rollins for making
various changes to a version of PGP he makes available.
+ Issues:
- Phil's reputation, and that of PGP
- intellectual property
- GNU Public license
- the mere name of PGP
- Consider that RSA said much the same thing, that PGP
would degrade the reputation of public key (esp. as Phil
was an "amateur," the same exact phrasing PRZ uses to
criticize Tom Rollins!)
- I'm not taking a stand here....I don't know the details.
Just some irony.
7.15 - Loose Ends
7.15.1. Security measures on login, passwords, etc.
- Avoid entering passwords over the Net (such as in rlogins
or telnets). If someone or some agent asks for your
password, be paranoid.
- Can use encrypted telnet, or something like Kerberos, to
avoid sending passwords in the clear between machines. Lots
of approaches, almost none of them commonly used (at least
I never see them).