|
Frequently Asked Questions about PGPi The following is a list of Frequently Asked Questions about PGPi. Comments may be sent to stale@hypnotech.com. Last updated: 2 March 2001.
Contents
If you have a question about PGP in general, try the comp.security.pgp FAQ. PGPi is the international variant of PGP (Pretty Good Privacy), a public key encryption program originally written by Phil Zimmermann in 1991. Later PGP versions have been developed and distributed by MIT, ViaCrypt, PGP Inc., and now Network Associates Inc. (NAI). PGP is the de-facto standard for email encryption today, with millions of users worldwide. The international PGP versions differ slightly from the US versions, but otherwise they are completely interoperable. See below for details.
PGP was originally created inside the USA, but eventually spread to the rest of the world despite the US Export Regulations which controlled export of strong cryptography. PGP 5.0i (released in 1997) was the first PGP version that was legally available outside USA/Canada, because the program was exported as printed books and then scanned and OCRed to make the code available in electronic form. The reasons for scanning the source and releasing a special version, called PGPi, were manyfold:
In September 1999 the US Government announced the relaxation of the export regulations
on cryptographic software, and in December 1999 NAI obtained a worldwide export license
for PGP. This means that it will probably not be necessary to scan and OCR future
PGP versions, because the source code can be legally exported electronically. However,
the PGPi project will still go on, focussing on development, porting, translation and localization rather than scanning. We are still devoted to giving you high-quality, free versions of PGP, including full source code.
The latest international release of PGP for Windows 95/98/NT, MacOS and Unix is PGP 6.5.1i. The latest US release is 7.0.3 (Windows and MacOS), and this is the version you should use if you don't care about the source code, or if you want the latest bug-fixes, as well as support for Windows 2000 and MacOS 9. For a complete list of the latest PGP version for different platforms, look here.
PGPi is basically the same version as PGP, but there are some important differences:
PGP 6i can read and understand messages, keys and signatures created with PGP 2.0 and later. (Note, however, that the keys cannot be larger than 4096 bits. No official PGP version uses larger keys, though.) PGP 6i can generate messages, keys and signatures that can be read and understood by PGP 2.6.x and later, as long as you only use RSA keys. PGP 6i also supports DSS/Diffie-Hellman keys, but messages encrypted using this new key type cannot be read by versions prior to 5.0. Note, however, that PGP 6i messages cannot be understood by PGP 2.3a or earlier versions, regardless of which key type you are using.
Yes. PGP 6.5.1i is available as a command line program, similar to the PGP 2.x series. It is currently in beta testing, and the code still needs some work before it will compile cleanly on all platforms. If you are interested you can download it here. You will need GCC and GNU make in order to compile it.
If you want a PGP version where the source code is available (so that you can check for errors and backdoors), you should use PGP 6.5.1i or 6.5.8. If you are using Windows or MacOS and you want the latest bug-fixes, as well as support for Windows 2000 and MacOS 9, you should use PGP 7.0.3.
The 'i' in the version number stands for 'international'. It can be used by anyone who lives in any country where encryption is legal. If you're not sure whether encryption is legal in your country, check out the Crypto Law Survey.
Yes, you can, but you must obtain a commercial use license from Network Associates Inc. or its authorized representatives. (The GNU Privacy Guard can be used for commercial purposes without any license.) If you are located in the U.S. or Canada, go to: http://www.nai.com/. If you are located elsewhere, go to: http://www.pgpinternational.com/. If you wish to use a PGP-compatible product (i.e., an encryption product that may be interoperable with PGP or based upon the Open-PGP standard, but does not contain software actually owned by PGP to implement its cryptography functions), you may require additional licenses from third parties, such as from Ascom Systec AG in Switzerland if the IDEA algorithm is used in such product or from RSA Data Security, Inc. if the RSA algorithm is used in such product and the product is to be distributed in the United States.
The source code for PGP 2.3a and earlier is distributed under GPL - the General Public License - so it can be used freely in your own programs. The source code for PGP 2.6 and later may be used as a whole in unmodified form in products you write for your own non-commercial use under the terms of PGP's non-commercial source code license for PGP 5.0i. Because of license restrictions, if the IDEA algorithm is included, any modification of the code may require a further license from Ascom Systec AG (see question 2.2). See also: PGP developer's page. Yes. All PGPi freeware versions can be freely redistributed, as long as all the files in the distribution archive are included, and that they are not modified in any way. Specifically, you may:
The only things you can't do with the software, is to:
PGPi is available both as source code and as precompiled binaries for many different platforms. You can get PGP from one of the following sources: WWW: FTP:
PGP 6.x does not include a plugin for Netscape, but there are a couple of 3rd party freeware versions available:
Yes. PGP 6.x for Windows includes a DLL that you can call from within your own programs. Note, however, that the API has changed from PGP 5.x to 6.x, so you shouldn't use the DLL that comes with PGP 5.x. For information on how to use the DLL, see the PGPsdk documentation. There are also other DLLs, SDKs and libraries that you can use for your own program development - see the PGP developer's resources.
Language modules for the command-line versions of PGP can be found here. PGPdisk is a commercial product, and is not included with PGPfreeware (except 6.0.2i, where it was included by a mistake). For more information on how to get PGPdisk, look here.
All the PGPi distribution archives contain one or more signature files so that you can verify that the files have not been tampered with. The signature files have the ".asc" or ".sig" file extension, and are either inside the distribution archive (so that you can check each file in the archive), or in a separate file in the same directory as the archive file (so that you can check the whole archive at once). In order to verify the signatures, you need the signer's public key:
First, make sure that you read the documentation carefully. If you are still having problems, have a look at the support page.
The Outlook Express plugin that comes with PGP 6.0.2i only works with OE version 4. Upgrade to PGP 6.5.1i instead. Yes. Any PGP version can be cracked, provided that the attacker has enough time and resources (= money) for the job. However, a typical 1024-bit PGP message would take about 300,000,000,000 MIPS year to crack, so the ordinary citizen is relatively safe off, at least for the next few decades. See the PGP Attack FAQ for details. If someone really wants to read your PGP encrypted messages, he/she would probably rather steal a copy of your secret key and try to guess your pass phrase or force you to reveal it.
No. PGPi is just as secure as any other version of PGP. Neither Phil Zimmermann, MIT, NSA, myself nor anybody else have put any backdoor into PGPi, lobotomized the random number generator, limited the effecive key size or otherwise done anything to compromise the security of the program. If you don't believe it, download the source code and see for yourself. The PGP source is free for anyone to scrutinize, and has been so for many years now. Still, nobody has been able to find any backdoors. If you're still not convinced, please read what Phil Zimmermann writes about the cryptographic integrity of PGP.
No, not that I am aware of. See question 5.2. The ARR feature explained in question 5.4 is not a back door; it is a well-known and openly discussed feature (though many people dislikes it). You don't have to use it if you don't want to.
Yes. All PGP 5.x and 6.x versions contain a feature known as ADK (Additional Decryption Key), or ARR (Additional Recipient Request). PGP, Inc. implemented this feature in PGP at the demand of companies who wanted to be able to recover messages written by their employees (e.g. when the employees quit). However, they made it entirely optional. It works like this: When you generate a new key using the PGP business edition, you may specify that messages encrypted with this key should also be encrypted with your company's key. When other people later encrypt messages using your key, PGP will request that the messages should also be encrypted using your company's key. It does this by adding your company's key to the recipient list. However, the user may freely remove this key from the recipient list if he/she so wishes. That's why this feature is indeed an Additional Recipient Request; it is not mandatory. NB! There is a bug in all PGP 5.5.x and 6.x versions prior to 6.5.8 with respect to the ADK feature. The problem is that PGP honours the ADK request even if it is not signed. This allows malicious users to add unsigned ADK packets to other people's public keys. It is recommended that all users of the vulnerable versions upgrade to PGP 6.5.8 (available for Windows and MacOS only). For more information on the ADK bug, see the CERT advisory and the security advisory from NAI.
No, it doesn't. PGP 5 and later does, however, contain message recovery features. See question 5.4.
The PGP 5.0 scanning project took many months to complete, but 5.5 and later versions were scanned and proofread in just a couple of weeks. Teun Nijssen explains how this was possible.
No program is 100% error free, and this applies to PGPi as well. To see a list of known bugs and how to fix them, or to report new bugs, refer to the PGP bug page at https://pgpi.didisoft.com/doc/bugs/.
PGPi was published by Ståle Schumacher Ytteborg in Norway. However, this work would not have been possible without the help of many individuals around the world. For more information on the PGPi project, please see here.
There is no support for freeware versions of PGP. If you want support, you'll have to buy one of the commercial versions. Having said that, there are many resources about PGP on the Internet where you can get help if you have problems installing or using PGP. For more information, look here.
Here are some links to get you started:
[ PGPi Home > Documentation > FAQs > PGPi FAQ > English ] |