· 8 years ago · Apr 22, 2017, 10:48 AM
1The comp.security.pgp FAQ
2
3Wouter Slegers
4
5Copyright � 1996, 1997, 1998, 1999, 2000, 2001 by Arnoud Engelfriet
6
7Copyright � 2002 by Wouter Slegers
8
9
10This FAQ is copyright � 2001 by Wouter Slegers.
11
12It may be distributed freely in online electronic form, provided the copyright
13notice is left intact. Since this FAQ is always available from USENET and the
14PGP network, there should be no problems getting access to it. However mirrors
15with outdated versions can confuse the users, so I request you not to mirror
16this FAQ elsewhere.
17
18If you want to distribute this FAQ on a CD-ROM or similar medium, please
19contact me for permission first (at <faq-admin@mail.pgp.net>). The same applies
20for offline distribution as well as use in printed matter.
21
22-------------------------------------------------------------------------------
23Table of Contents
24Preface
25 1. About this FAQ
26 2. Finding the FAQ
27 3. Revision history
28
29
301. General questions and introduction
312. Common Problems in using PGP
323. Security Questions
334. Keys
345. Message Signatures
356. Key Signatures
367. Revoking a key
378. Public Key Servers
389. Bugs
39Glossary of cryptographic terms
40Colophon
41
42-------------------------------------------------------------------------------
43Preface
44
451. About this FAQ
46
47This comp.security.pgp FAQ is based on Arnoud "Galactus" Engelfriet's FAQ which
48in turn was based on Jeff Licquia's original alt.security.pgp FAQ.
49
50This FAQ is since 2002 maintained by Wouter Slegers, Your Creative Solutions. I
51welcome any comments, suggestions or additions for this FAQ. As always, you can
52send them to <faq-admin@mail.pgp.net>.
53-------------------------------------------------------------------------------
54
552. Finding the FAQ
56
57This FAQ is posted monthly to all comp.security.pgp newsgroups, and the latest
58version will always be available from pgp.net.
59-------------------------------------------------------------------------------
60
613. Revision history
62
63Revision History
64Revision 1.6 30 Jan 2002
65The FAQ's maintainer changed from Arnoud "Galactus" Engelfriet to Wouter
66Slegers. As part of the new maintainership I'm starting a major overhoal of the
67whole FAQ. Including:
68
69��*�Converted sourcefile of FAQ from the HTML+Orb construct it was to DocBook.
70 This allows easier conversion to popular output formats.
71
72��*�Removed many obsolete entries.
73
74��*�Added information on GNU Privacy Guard, PGP 5.x and higher, OpenPGP and
75 other news since the last version.
76
77��*�Checked and updated the references.
78
79��*�Reordered the remaining questions.
80
81��*�Removed all email adresses of contributers from the FAQ (thanks to
82 spammers, such a tribute is now a curse). Should you wish to contact one of
83 these people, email me.
84
85
86The upgrading and restructuring is still far from complete, but the FAQ should
87be usable in this state. In particular what needs to be done at least:
88
89��*�The questions need to be reordered.
90
91��*�The keyserver chapter needs extensive updates.
92
93��*�The outputformats need some cosmetic changes.
94
95
96Expect an updated version soon. Feedback to <faq-admin@mail.pgp.net> is very
97welcome.
98-------------------------------------------------------------------------------
99
100Chapter 1. General questions and introduction
101
102Q: What is PGP?
103Q: Why should I encrypt my mail? I'm not doing anything illegal!
104Q: What's the current version of PGP?
105Q: How much does PGP cost?
106Q: Is encryption legal?
107Q: Is PGP legal?
108Q: What's with the patent on IDEA?
109Q: What's with the patent on RSA?
110Q: Is there an archive site for the comp.security.pgp groups?
111Q: Is PGP available as a programming library, so I can write programs that use
112 it?
113Q: What platforms has PGP been ported to?
114Q: Where can I obtain PGP?
115Q: I want to find out more!
116
117Q: What is PGP?
118
119A: PGP is a program that gives your electronic mail something that it otherwise
120doesn't have: Privacy. It does this by encrypting your mail so that nobody but
121the intended person can read it. When encrypted, the message looks like a
122meaningless jumble of random characters. PGP has proven itself quite capable of
123resisting even the most sophisticated forms of analysis aimed at reading the
124encrypted text.
125
126PGP can also be used to apply a digital signature to a message without
127encrypting it. This is normally used in public postings where you don't want to
128hide what you are saying, but rather want to allow others to verify that the
129message actually came from you. Once a digital signature is created, it is
130impossible for anyone to modify either the message or the signature without the
131modification being detected by PGP.
132
133While PGP seems (and according to many of its users is) easy to use, it does
134give you enough rope so that you can hang yourself. You should become
135thoroughly familiar with the various options in PGP before using it to send
136serious messages. For example, giving the command pgp -sat <filename> will only
137sign and ASCII armor a message, it will not encrypt it. Even though the output
138looks like it is encrypted, it really isn't (it is the ASCII armor that looks
139so though). Anybody in the world would be able to recover the original text
140with a simple pgp <encryptedfilename>.
141
142The graphical userinterface of PGP 5.x and higher also has its pittfalls, as
143Alma Whitten describes in Why Johnny Can't Encrypt - A Usability Evaluation of
144PGP 5.0: even with manuals and an introduction, three of the twelve
145participants accidently sent "secret" information unencrypted.
146
147 WarningMake sure you thoroughly understand how to operate PGP prior to
148 using it for confidential information.
149
150
151
152Q: Why should I encrypt my mail? I'm not doing anything illegal!
153
154A: You should encrypt your e-mail for the same reason that you don't write all
155of your correspondence on the back of a post card. E-mail is actually far less
156secure than the postal system. With the post office, your mail is handled by
157postal workers. Take a look at the header area of any e-mail message that you
158receive and you will see that it has passed through a number of nodes on its
159way to you. Every one of these nodes presents the opportunity for snooping, as
160do all systems that can listen in on the communication between these nodes.
161Encryption in no way implies illegal activity. It is simply intended to keep
162personal thoughts personal.
163
164Xenon puts it like this:
165� Crime? If you are not a politician, research scientist, �
166 investor, CEO, lawyer, celebrity, libertarian in a repressive
167 society, investor, or person having too much fun, and you do
168 not send e-mail about your private sex life, financial/
169 political/legal/scientific plans, or gossip then maybe you
170 don't need PGP, but at least realize that privacy has nothing
171 to do with crime and is in fact what keeps the world from
172 falling apart. Besides, PGP is FUN. You never had a secret
173 decoder ring? Boo!
174 --Xenon <an48138@anon.penet.fi>(Copyright 1993, Xenon) �
175
176
177Q: What's the current version of PGP?
178
179A: There are three different "product-lines" for PGP: PGP 2.x, PGP 5.x and
180higher, and GNU Privacy Guard.
181
182A: All the 2.x versions are derived, more or less, from a common source base:
183PGP 2.3a, the last "guerillaware" version of PGP. Negotiations to make PGP
184legal and "legitimate" have resulted in the differing versions available; all
185of them, for the most part, are approximately equivalent in functionality, and
186they can all work with each other in most respects.
187
188All versions of PGP after 2.3 produce messages that cannot be read by 2.3 or
189earlier (for patent-legal purposes, see Why can't a person using version 2.3
190read my version 2.6 message?>), although the "international" versions have a
191switch to enable the creation of messages in a compatible format. This is the
192legal_kludge=on option in the configuration file.
193
194PGP 2.6.3i ("international") is a version of PGP developed from the source code
195of MIT PGP, which was exported illegally from the United States at some point.
196Basically, it is MIT PGP 2.6.2, but it uses the old encryption routines from
197PGP 2.3a; these routines perform better than RSAREF and in addition do not have
198the usage restrictions in the RSAREF copyright license. It also contains some
199fixes for bugs discovered since the release of MIT PGP 2.6.2, as well as
200several small enhancements. For more information, see the International PGP
201homepage
202
203PGP 2.6ui ("unofficial international") is PGP 2.3a with minor modifications
204made so it can decrypt files encrypted with MIT PGP. It does not contain any of
205the MIT fixes and improvements; it does, however, have other improvements, most
206notably in the Macintosh version.
207
208The 2.6.3(i)n version was developed to fullfill the policy of the Individual
209Network e.V. Certification Hierarchy.
210
211A: The PGP 5.x and higher series include OpenPGP compatibility. Most versions
212include both a command line version (for all platforms) and one with a
213graphical user interface (for the Microsoft Windowses and Mac OS 8.x and 9.x).
214The most recent version is 7.1.2 .
215
216A: GNU Privacy Guard is an OpenPGP compatible program, written from scratch and
217not based on the 2.x sources. For normal uses it is compatible with both the
218PGP 2.x and the PGP 5.x and higher versions. It mostly targets UNIX-like
219systems. The most recent version is 1.0.4.
220
221Q: How much does PGP cost?
222
223A: The PGP 2.x series are freely available as open source software under the
224GNU General Public License, with no real limits on its use, at no cost (except
225the IDEA patent should you opt to include support for it, see What's with the
226patent on IDEA?).
227
228A: GNU Privacy Guard is freely available as open source software, with no real
229limits on its use, at no cost (except the IDEA patent should you opt to include
230support for it, see What's with the patent on IDEA?). The website of the GNU
231Privacy Guard Project is the primary distribution point.
232
233A: PGP 5.x and higher are commercial products. Network Associates bought PGP
234Inc., a company founded by Phil Zimmerman, and sells a whole range of products
235under the brand "PGP". The "original" email and file encryption PGP are called
236PGPmail and PGPfile respectively. See NAI for pricing and availability. There
237is a version available at no cost for strictly non-commercial use on http://
238www.pgp.com/products/freeware/.
239
240Note that the free versions of PGP are free only for noncommercial use. If you
241need to use PGP in a commercial setting you should buy a copy of PGP from NAI.
242This version of PGP has other advantages as well, most notably its integration
243with common MS Windows and Mac OS applications, a limited license to export it
244to foreign branch offices and a license for IDEA. See below, under question
245Where can I obtain PGP?>, for information on how to contact them.
246
247Q: Is encryption legal?
248
249A: In much of the civilized world, the use of encryption is either legal or at
250least tolerated. However, there are a some countries where such activities
251could put you in front of a firing squad! Check with the laws in your own
252country before using PGP or any other encryption product. A couple of the
253countries where the use of encryption is illegal are France, Iran, Russia and
254Iraq.
255
256Export, import or sale of products that contain strong encryption is usually
257also subject to restrictions. These laws are usual implementations of the
258Wassenaar Arrangement, for example the International Traffic in Arms Regulation
259(ITAR). Check the laws of the relevant countries for more details.
260
261The legal status of encryption in many countries has been gathered by Bert-Jaap
262Koops in the Crypto Law Survey.
263
264Q: Is PGP legal?
265
266A: In addition to the comments about encryption listed above (Is encryption
267legal?>) and the licence on the PGP software package you are using, the major
268point of importance is the status of the patents on technologies used in PGP.
269The patent on IDEA is still valid, see What's with the patent on IDEA?>. The
270patent on RSA has expired, but had a significant impact on the development and
271distribution of PGP, see What's with the patent on RSA?.
272
273Q: What's with the patent on IDEA?
274
275A: IDEA is patented in the USA (US 5,214,703), Europe (EP-B-0482154)and Japan
276(JP 3225440) by Ascom Systec AG. This patent expires 25 May 2010 (USA) or 16
277May 2011 (Europe and Japan). For strictly non-commercial use, the licence fee
278is waved by MediaCrypt AG.
279
280If you need to use PGP 2.x or GPG with IDEA (i.e. for compatibility with the
2812.x versions) for commercial use, you should contact MediaCrypt AG who are the
282distributor for the IDEA algorithm license for Ascom Systec AG, the patent
283holders for IDEA. They sell individual and site licenses for using IDEA in PGP.
284Contact:
285
286MediaCrypt�AG
287Technoparkstrasse 1
2888005�Zurich
289Switzerland
290<IDEA@mediacrypt.com>
291Tel ++41 1 445 3070
292Fax ++41 1 445 3071
293
294Q: What's with the patent on RSA?
295
296A: Older versions of PGP (up to 2.3a) were thought to be violating the patent
297on the RSA encryption algorithm held by Public Key Partners (PKP), a patent
298that was only valid in the United States. This was never tested in court,
299however, and later versions of PGP have been made with various agreements and
300licenses in force which effectively settle the patent issue. So-called
301"international" versions and older versions (previous to ViaCrypt PGP 2.4),
302however, were still considered in violation by PKP. If you were in the USA, you
303used them at your own risk!
304
305However, the patent has since expired, so there are no known patent issues with
306RSA now.
307
308Q: Is there an archive site for the comp.security.pgp groups?
309
310A: Not really.
311
312Of course, you can try using Google Groups if you are looking for articles
313about specific topics.
314
315Q: Is PGP available as a programming library, so I can write programs that use
316it?
317
318A: The GNU Privacy Guard project has a C-library for integrating GnuPG in
319applications called GPGME (GnuPG Made Easy). This is mostly targetted at
320UNIX-like platforms.
321
322The CTC program includes a freeware PGP-interoperable C-library called CTClib
323and a Java crypto component called CTCjava.
324
325There is an older PGP 2.x-compatible C-library that can be used in programs
326called PGPlib.
327
328NAI has a PGPsdk. available, but this not a software developer kit! The license
329explicitly restricts the use of the sourcecode to peer review only, development
330of programs with this source is not allowed. As a side note, also note that the
331license forbids you to make public bugs, errors, architecture issues and/or
332other problems with the source or compiled program without prior written
333permission of NAI.
334
335Alternatively, you could write your programs to call the PGP program when
336necessary. In C, for example, you would use the system() or spawn...()
337functions to do this. This is fairly complex to do securely, so make sure you
338know what you are doing.
339
340Q: What platforms has PGP been ported to?
341
342A: PGP 2.x in its many versions has been ported successfully to many different
343platforms, including the various Microsoft Windows versions, DOS, Mac OS, OS/2,
344Unix (just about all flavors), VMS, Atari ST, Acorn RISC OS (Archimedes),
345Commodore Amiga, EPOC and Palm OS. Most are listed on the International PGP
346product page.
347
348For Mac OS 8.x and 9.x there is a freeware PGP-interoperable program called
349MacCTC.
350
351For the EPOC operating system (as run by the Psion 5/5mx/Revo/S7/netBook and
352Nokia 9210) there is a port of PGP 2.6.3ia for EPOC.
353
354If you don't see your favorite platform above, don't despair! It's likely that
355porting PGP 2.x to your platform won't be terribly difficult, considering all
356the platforms it has been ported to. Just ask around to see if there might in
357fact be a port to your system, and if not, try to port it yourself!
358
359A: PGP 5.x and later is available for the various Microsoft Windows versions
360and the Mac OS 8.x/9.x. It is commercially available from NAI.
361
362Note that PGP 7.x does not support Microsoft Windows XP (yet).
363
364A: GNU Privacy Guard mostly targets UNIX-like systems and is known to work on
365GNU/Linux, GNU/Hurd, FreeBSD, OpenBSD, NetBSD and various commercial UNIX-like
366systems. There is also a commandline version for the various Microsoft Windows
367versions.
368
369Q: Where can I obtain PGP?
370
371A: PGP is very widely available, so much so that a separate FAQ has been
372written by Micheal Paul Johnson for answering this question. It is called,
373Where to get the Pretty Good privacy program (PGP); it is posted in
374alt.security.pgp regularly, is in the various FAQ archive sites, and is also
375available online.
376
377In short however:
378
379��*�The PGP 2.x versions can be found at Wiretapped.net and PGPi.net.
380
381��*�The PGP 5.x and later versions are available for download and purchase via
382 NAI.
383
384��*�The GNU Privacy Guard can be found from the GNU Privacy Guard project page.
385
386��*�Many of the previously mentioned versions, as well as older versions, are
387 widely mirrored, for example at Zedz.net.
388
389
390
391
392Q: I want to find out more!
393
394A: If this FAQ doesn't answer your question, there are several places for
395finding out information about PGP. Above all, the accompanying documentation of
396PGP and GPG should not be missed.
397
398World Wide Web
399
400��*�NAI, the company currently selling PGP 5.x through 7.x for commercial use
401
402��*�http://www.stack.nl/~galactus/remailers/bg2pgp.txt
403
404��*�Although the documentation that comes with PGP is very complete, you might
405 also want to read this guide. It covers all the basic steps needed to
406 install and use PGP, and also gives you tips on how to use it more
407 effectively.
408
409��*�http://www.stack.nl/~galactus/remailers/passphrase-faq.html
410
411��*�Your pass phrase is used to protect your PGP secret key. Here's how to
412 generate and manage strong pass phrases. This may also be useful for
413 creating passwords for other purposes.
414
415��*�PGP-related resources
416
417��*�A large collection of PGP-related Web sites, links to front-ends, and more.
418
419��*�http://www.stack.nl/~galactus/remailers/attack-faq.html
420
421��*�A very detailed analysis on the security of PGP and possible attacks.
422
423
424
425-------------------------------------------------------------------------------
426
427Chapter 2. Common Problems in using PGP
428
429Q: Are PGP 2.6.x, PGP 5.x and higher, and GNU Privacy Guard interoperable?
430Q: Why does it take so long to encrypt/decrypt messages?
431Q: How do I create a secondary key file?
432Q: Where can I obtain scripts and programs to integrate pgp with my email or
433 news reading system?
434Q: How can I decrypt messages I've encrypted to others?
435Q: Why can't I generate a key with PGP for Unix?
436Q: When I clearsign a document in PGP, it adds a "dash-space" to several of my
437 lines. Why?
438Q: How do I encrypt more than one file at a time with the commandline version?
439Q: How can I give my passphrase to the commandline PGP automatically?
440Q: How come randseed.bin got "infected" by a virus?
441Q: How do I determine if the PGP commandline worked?
442Q: Why does PGP no longer ask for random keystrokes?
443Q: Why can't a person using version 2.3 read my version 2.6 message?
444Q: Why does PGP 2.x complain about checking signatures every so often?
445
446Q: Are PGP 2.6.x, PGP 5.x and higher, and GNU Privacy Guard interoperable?
447
448A: By and large, all PGP 2.x, 5.x and GPGs kan interoperate if:
449
450 1. Only RSA keys are used, of at most 2048 bits length,
451
452 2. MD5 is used as hash algorithm
453
454 3. IDEA is used for the symmetrical algorithm.
455
456
457For GNU Privacy Guard, this usually means that you need to add the IDEA module
458as detailed in the GPG FAQ. RSA support is included by default as of version
4591.0.3. Newer GPG versions include a --pgp2 option to restrict the output to
460things that PGP 2.x understands.
461
462A: GNU Privacy Guard and PGP 5.x and higher are by and large OpenPGP compliant
463and interoperable.
464
465Q: Why does it take so long to encrypt/decrypt messages?
466
467A: This problem can arise when you have placed the entire public key ring from
468one of the servers into your local pubring.pgp file. PGP may have to search
469through several thousand keys to find the one that it is after. If you need to
470have these large keyrings (e.g. because you cannot count on being able to
471contact the keyservers to look up new keys), the solution to this dilemma is to
472maintain 2 public key rings (See How do I create a secondary key file?). The
473first ring, the normal pubring.pgp file, should contain only those individuals
474that you send messages to quite often. The second key ring can contain all of
475the keys for those occasions when the key you need isn't in your short ring.
476You will, of course, need to specify the key file name whenever encrypting
477messages using keys in your secondary key ring. Now, when encrypting or
478decrypting messages to individuals in your short key ring, the process will be
479a lot faster.
480
481A: Encryption and decryption time also increases with the key size. A 2048 bits
482key will take much longer to work with than, for example, a 512 bits key.
483
484A: It is also possible, although fairly unprobable, that the random pool has
485run empty and PGP is waiting for enough randomness to amass. Remember that PGP
486needs randomness to create cryptographic keys, if these are not sufficiently
487random they could be guessed by an attacker. So to be sure, PGP (or the OS
488supplying it via /dev/random) waits until enough randomness is available. As
489this random pool is filled by events from among others keyboard and mouse,
490wriggling the mouse or tapping keys helps (use the control, alt and shift keys
491if you are worried that the keystrokes might trigger something). As usually
492enough randomness is gathered during normal operation and only a little is used
493each time, this is occurs mostly when large amounts of encryptions are done.
494
495Q: How do I create a secondary key file?
496
497A: First, let's assume that you have all of the mammoth public key ring in your
498default pubring.pgp file. First, you will need to extract all of your commonly
499used keys into separate key files using the -kx option. Next, rename
500pubring.pgp to some other name. For this example, I will use the name
501pubring.big. Next, add each of the individual key files that you previously
502created to a new pubring.pgp using the -ka option. To encrypt a message to
503someone in the short default file, use the command pgp -e <file> <userid>. To
504encrypt a message to someone in the long ring, use the command pgp -e +pubring=
505c:\pgp\pubring.big <file> <userid>. Note that you need to specify the complete
506path and file name for the secondary key ring. It will not be found if you only
507specify the file name.
508
509Q: Where can I obtain scripts and programs to integrate pgp with my email or
510news reading system?
511
512A: There are many scripts and programs available for making PGP 2.x easier to
513use. There is an index to all of these at http://www.hauert.net/pgpmain.html
514and at PGPi.org.
515
516A: Plugins and configurations to use GNU Privacy Guard can be found on the GNU
517Privacy Guard Project website, under Frontends.
518
519A: PGP 5.x and higher already includes a number of plugins for other programs.
520More are listed on at PGPi.org.
521
522Q: How can I decrypt messages I've encrypted to others?
523
524A: With conventional encryption, you can read the message by running PGP on the
525encrypted file and giving the pass phrase you used to encrypt.
526
527A: With PGP's public key encryption, it's only possible if you encrypted to
528yourself as well.
529
530With the PGP 5.x and higher versions, it is the default setting to also encrypt
531to the default key. You can change this under PGP options / General / Always
532encrypt to default key.
533
534For PGP 2.x there is an undocumented setting, EncryptToSelf, which you can set
535in your config.txt or on the command line to on if you want PGP to always
536encrypt your messages to yourself.
537
538Be warned, though; if your secret key is compromised, this means that the
539attacker will be able to decode all the messages you sent as well as the ones
540you've received. Similarly if you are forced to reveal decrypt your data (see
541Can I be forced to reveal my pass phrase in any legal proceedings?>), you can
542now also decrypt the messages you sent, instead of only those you received! On
543the other hand, it allows you to read back the messages you sent in the past.
544
545Q: Why can't I generate a key with PGP for Unix?
546
547A: Most likely this is caused because PGP can't create the public and private
548key ring files. If the environment variable PGPPATH isn't defined, PGP will try
549to put those files in the subdirectory .pgp off your home directory. It will
550not create the directory if needed, so if the directory's not there already,
551PGP will abort after generating the key. This also happens if PGPPATH points to
552a directory for which you don't have write permission.
553
554There are two solutions: set the PGPPATH environment variable to point to the
555location of your key rings, or run mkdir $HOME/.pgp; chmod 700 $HOME/.pgp
556before generating your key.
557
558Q: When I clearsign a document in PGP, it adds a "dash-space" to several of my
559lines. Why?
560
561A: PGP does this because of the "-----BEGIN PGP MESSAGE-----" (and related)
562headers it uses to mark the beginning of PGP messages. To keep it from getting
563confused, it tacks a "- " to the beginning of every line in the regular text
564which has a dash at the start. It strips the extra dash and space when you
565check the message's signature, and writes the original text to the output.
566
567This also happens with several lines that start with "special" phrases, such as
568"From", because those lines are otherwise escaped by mail programs, as required
569by the mail standard. This would change the body of the mail and thereby
570invalidate the signature.
571
572If you use PGP/MIME type signatures, the signature is presented as an
573attachement to receivers that do not have PGP.
574
575For signing files, the accepted method is to use a seperate signature file.
576
577Q: How do I encrypt more than one file at a time with the commandline version?
578
579A: PGP will normally only accept one file to encrypt on the command line. Many
580platforms allow you to call a program in a "batch" sequence. You can use this
581to call PGP on multiple files automatically.
582
583Under MS-DOS and OS/2, this works as follows:
584 for %a in (*.*) do pgp -ea %a userid
585
586You can also do conventional encryption this way, using the undocumented -z
587option to specify the passphrase to encrypt all these files with:
588 for %a in (*.*) do pgp -c %a -z"the passphrase"
589
590Under UNIX, this would be done like this:
591 for a in *
592 do
593 pgp -ea "$a" userid
594 done
595
596Several shells and front-ends will also let you encrypt multiple files at once,
597usually.
598
599Q: How can I give my passphrase to the commandline PGP automatically?
600
601A:
602
603
604 WarningStoring your passphrase like this is very dangerous! Remember that
605 your passphrase is all that protects your secret keys from an attacker
606 snooping around in your system.
607
608There are three ways to do this. The easiest way is probably to set the
609environment variable PGPPASS to contain your pass phrase. Under DOS and UNIX,
610you can just type set PGPPASS=My secret pass phrase to do this.
611
612 WarningThis is very insecure, as anyone who has access to your environment
613 can see what your passphrase is. This includes people who come along during
614 your lunch break and type set at a prompt on your computer. Under several
615 variations of UNIX, it is possible to examine someone else's environment as
616 well.
617
618Another option, especially useful for shells, is to use the -z option. You just
619add the option -z"My secret passphrase" to the PGP command line. Include the
620passphrase in quotes if there are any spaces or "special" characters in it,
621such as a "<" or ">" character which may confuse the command shell.
622
623 WarningThis is even more insecure on a multi-user system as most allow
624 other users to see the command options of programs run by another user.
625
626Everyone else can see what programs you are running, including all the options
627passed to it.
628
629The best, but also the most complicated way is using the PGPPASSFD environment
630variable. This variable should contain a "file descriptor number" pointing to a
631file which contains the passphrase. This will protect the passphrase from
632anyone but the superuser, if you properly set the file's permissions.
633
634� You can find something on this in the appnotes file in the pgp262 �
635 distribution. If you set PGPPASSFD to 0, pgp will read the
636 passphrase from stdin as soon it starts.
637
638 PGPPASSFD=0; export PGPPASSFD
639 echo "PassPhraseHere" | pgp -east file recipient1 recipient2..
640 --Thanks to Jack Gostl for the following. �
641
642� You could also use funky shell redirection to make PGP get the �
643 passphrase from an arbitrary file. The exact command to define a
644 variable depends on the shell; ksh and the likes use export PGPPASSFD=3
645 , and csh and derivates use setenv PGPPASSFD 3.
646 setenv PGPPASSFD 3; pgp -eat file recipient 3 < /my/passphrase/file
647 --Patrick J. LoPresti: �
648This last example has the added advantage that standard input is still
649available to the user, for example to answer Yes or No to certain questions.
650
651Q: How come randseed.bin got "infected" by a virus?
652
653A: The file randseed.bin is used by PGP to store and generate randomness, which
654is used to create new random session keys every time you encrypt something.
655Afterwards, it is filled with new random data. A virus or integrity checker
656will then of course detect that the file has changed. Since the file has a .bin
657extension, some checkers think that it is an executable, and so will inform you
658they have detected a possible virus.
659
660However, this file is only used by PGP to read some random data and will never
661be executed. It is therefore safe to put it in the "exclusion" list of your
662virus scanner, so it will be skipped in future. An alternative is to instruct
663PGP to use a file with another extension, e.g. random.rnd. For the 2.6 versions
664this is done by puttting Randseed=C:\PGP\RANDOM.RND in your config.txt file.
665The PGP 5.x and higher GUI has a similar setting for Random Seed File.
666
667Deleting the random seed file will not do any harm; PGP will just ask you for
668some random keystrokes and generate the file again next time you encrypt
669something.
670
671Q: How do I determine if the PGP commandline worked?
672
673A: Normally, PGP runs in "interactive" mode, and so you can always read on the
674screen what went wrong, where and hopefully why. But if you want to use PGP in
675a batch file, or in the background, you need to find out if the operation was
676successful in another way. The usual approach for this is to use the "exit
677code" returned by PGP.
678
679To be able to detect if PGP could do what you asked, you need to add the
680+batchmode option to the command line. (To avoid getting "stuck" at prompts
681asking you to choose "yes" or "no", add the +force option). PGP will then
682return 0 if everything went ok, and non-zero if something went wrong.
683
684The PGP source contains a list of exit codes that are supposed to be returned
685when the associated events occur. It seems that this does not always work as
686expected. For example, PGP should return exit code 31 when no passphrase was
687specified to decrypt the file, but if you try to check a signature, exit code 1
688is used to indicate any error, including "No key to check signature" and "Bad
689signature".
690
691Q: Why does PGP no longer ask for random keystrokes?
692
693A: The random keystrokes were necessary to generate random events, but newer
694PGPs acquire these events automatically. PGP 5.x and up for the Microsoft
695Windowses and Mac OS uses (the timing of) system events that go on all the time
696to constantly update the random seed file randseed.bin file. These events
697include disk access, keystrokes, mouse movements and other things that are
698reasonably random. If you check, you will see that the randseed.bin's last
699modified date often changes, even if you are not using PGP.
700
701Under UNIX-like systems, PGP 5.x and GNU Privacy Guard use the output of the
702random device /dev/random when available, which gathers randomness in a similar
703way.
704
705Q: Why can't a person using version 2.3 read my version 2.6 message?
706
707A: You are probably using MIT PGP, or possibly some other version of PGP with
708the legal_kludge option turned off.
709
710As part of the agreement made to settle PGP's patent problems, MIT PGP changed
711its format slightly to prevent PGP 2.4 and older versions from decrypting its
712messages. This format change was written into MIT PGP to happen on September 1,
7131994. Thus, all messages encrypted with MIT PGP after that date are unreadable
714by 2.4 (and earlier). The idea was that people using 2.4 and earlier would be
715forced to upgrade, and so the patent violating version would no longer be used
716(see What's with the patent on RSA?).
717
718The best route here is for your friend to upgrade to a newer version of PGP.
719Alternatively, if you are using a non-MIT version, look up the legal_kludge
720option in your documentation; you should be able to configure your copy of PGP
721to generate old-style messages. In 2.6.2i and 2.6.3i, this is done by putting
722Legal_Kludge=off in your config.txt file for PGP.
723
724Note that the "old" output can be read perfectly well by newer versions, so if
725you are corresponding with MIT and 2.3 users, you will be best off with the
726Legal_Kludge=off statement in your config.txt.
727
728Q: Why does PGP 2.x complain about checking signatures every so often?
729
730A: Version 2.3a introduced the "pkcs_compat" option, allowing the format of
731signatures to change slightly to make them more compatible with industry
732standards. MIT PGP, because it uses the RSAREF library, is unable to understand
733the old signature format, so it therefore ignores the signature and warns you
734that it is doing so.
735
736This problem comes up mostly with old key signatures. If your key contains such
737old signatures, try to get those people who signed your key to resign it with a
738newer version of PGP.
739
740If an old signature is still vitally important to check, get a non-MIT version
741of PGP to check it with, such as ViaCrypt's.
742-------------------------------------------------------------------------------
743
744Chapter 3. Security Questions
745
746Q: How secure is PGP?
747Q: Can't you break PGP by trying all of the possible keys?
748Q: How secure is the conventional cryptography option?
749Q: Can the NSA crack PGP (or RSA, DSS, IDEA, 3DES,...)?
750Q: Has RSA ever been cracked publicly?
751Q: What is the best way to crack PGP?
752Q: What if I forget my pass phrase?
753Q: Why do you use the term "pass phrase" instead of "password"?
754Q: If my secret key ring is stolen, can my messages be read?
755Q: How do I choose a pass phrase?
756Q: How do I remember my pass phrase?
757Q: How do I verify that my copy of PGP has not been tampered with?
758Q: How do I know that there is no trap door in the program?
759Q: I heard that the NSA put a back door in MIT PGP, and that they only allowed
760 it to be legal with the back door.
761Q: Is there a back door in the international version?
762Q: Can I put PGP on a multi-user system like a UNIX machine or a mainframe?
763Q: Can I use PGP under a "swapping" operating system like Windows, OS/2 or
764 UNIX?
765Q: Aren't all of these security procedures a little paranoid?
766Q: Can I be forced to reveal my pass phrase in any legal proceedings?
767Q: How secure is the "for your eyes only" option?
768
769Q: How secure is PGP?
770
771A: Very secure against eavesdroppers.
772
773The cryptographic algorithms used for encryption and signing in PGP are very
774well researched and have shown no practical weaknesses (see Can't you break PGP
775by trying all of the possible keys?>).
776
777The big unknown in any encryption scheme based on RSA is whether or not there
778is an efficient way to factor huge numbers, or if there is some backdoor
779algorithm that can break the code without solving the factoring problem. Even
780if no such algorithm exists, it is still believed that RSA is the weakest link
781in the PGP chain.
782
783A: PGP does not protect you if you use your secret key on a compromised system,
784i.e. you type your passphrase and sign or decrypt something, or if you stored
785the passphrase in plaintext on the compromised system (as described in How can
786I give my passphrase to the commandline PGP automatically?).
787
788If you use PGP on a compromised system, the attacker can capture your
789passphrase as you type it. In combination with you secret keyring, this is
790sufficient to decode all messages that where encrypted with your public key and
791signing documents in your name thus impersonating you.
792
793Make sure you keep your system secure from such compromises!
794
795A: These are the most important attacks you should be aware of. It would be
796beyond the goal of this FAQ to discuss all possible attacks against or possible
797flaws in PGP. If you want to know more than what is available in here, see
798infiNity's PGP Attack FAQ.
799
800Q: Can't you break PGP by trying all of the possible keys?
801
802A: This is one of the first questions that people ask when they are first
803introduced to cryptography. They do not understand the size of the problem. For
804the IDEA encryption scheme, a 128 bit key is required. Any one of the 2128
805possible combinations would be legal as a key, and only that one key would
806successfully decrypt the message. Let's say that you had developed a special
807purpose chip that could try a billion keys per second. This is far beyond
808anything that could really be developed today. Let's also say that you could
809afford to throw a billion such chips at the problem at the same time. It would
810still require over 10,000,000,000,000 years to try all of the possible 128 bit
811keys. That is something like a thousand times the age of the known universe!
812While the speed of computers continues to increase and their cost decrease at a
813very rapid pace, it will probably never get to the point that IDEA could be
814broken by the brute force attack.
815
816The only type of attack that might succeed is one that tries to solve the
817problem from a mathematical standpoint by analyzing the transformations that
818take place between plain text blocks and their cipher text equivalents. IDEA is
819a well researched algorithm, and although work still needs to be done on it as
820it relates to complexity theory, so far it appears that there is no algorithm
821much better suited to solving an IDEA cipher than the brute force attack, which
822we have already shown to be unworkable.
823
824Similarly all of the symmetrical algorithms additionally available in the 5.x
825and GNU Privacy Guard are not known to have significant flaws:
826
827��*�3DES is probably the most studied cryptographic algorithm ever. It offers
828 the strength equivalent to a 112-bit block cipher. The best attacks
829 published require massive amounts of storage and still take more than 2108
830 operations.
831
832��*�CAST is a well studied 128-bit algorithm. There is no known way of breaking
833 it faster then brute force.
834
835��*�AES or Rijndael is a newcomer in crypto-algorithms, chosen to replace DES/
836 3DES with larger keys (128, 192 or 256 bit) and higher performance.
837 Although there is a lot of attention to all the AES-contestants and
838 finalists in general and Rijndael in particular, it hasn't had nearly as
839 much scrutiny as the previously mentioned algorithms.
840
841��*�Blowfish and its newer cousin (and AES-finalist) Twofish have gotten much
842 (media) attention but are both still relatively new. Because of they do not
843 seem encumbered by patents and there are no serious, publicly known
844 attacks, these algorithms are popular with many open source projects.
845
846
847
848
849Q: How secure is the conventional cryptography option?
850
851A: Assuming that you are using a good strong random pass phrase, it is actually
852much stronger than the normal mode of encryption because you have removed RSA
853which is believed to be the weakest link in the chain. Of course, in this mode,
854you will need to exchange secret keys ahead of time with each of the recipients
855using some other secure method of communication, such as an inperson meeting or
856trusted courier.
857
858This option is especially useful if you want to back up sensitive files, or
859want to take an encrypted file to another system where you will decrypt it. Now
860you don't have to take your secret key with you. It will also be useful when
861you lose your secret key. And you can even pick a different passphrase for each
862file you encrypt, so that an attacker who manages to get one file decrypted
863can't decrypt all the other files as well.
864
865Q: Can the NSA crack PGP (or RSA, DSS, IDEA, 3DES,...)?
866
867A: This question has been asked many times. If the NSA were able to crack RSA
868or any of the other well known cryptographic algorithms, you would probably
869never hear about it from them. Now that RSA and the other algorithms are very
870widely used, it would be a very closely guarded secret.
871
872The best defense against this is the fact the algorithms are known worldwide.
873There are many competent mathematicians and cryptographers outside the NSA and
874there is much research being done in the field right now. If any of them were
875to discover a hole in one of the algorithms, I'm sure that we would hear about
876it from them via a paper in one of the cryptography conferences.
877
878For this reason, when you read messages saying that "someone told them" that
879the NSA is able to break PGP, take it with a grain of salt and ask for some
880documentation on exactly where the information is coming from. In particular,
881the story called NSA Can Break PGP Encryption is a joke.
882
883Q: Has RSA ever been cracked publicly?
884
885A: Several messages RSA-encrypted with small (< 513 bits) keys have been
886cracked publicly. Further effort is still ongoing, RSA Security offers prizes
887for their RSA factoring challenges.
888
889First was the RSA-129 key. The inventors of RSA published a message encrypted
890with a 129-digits (430 bits) RSA public key, and offered $100 to the first
891person who could decrypt the message. In 1994, an international team
892coordinated by Paul Leyland, Derek Atkins, Arjen Lenstra, and Michael Graff
893successfully factored this public key and recovered the plaintext. The message
894read: "THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE"
895
896They headed a huge volunteer effort in which work was distributed via E-mail,
897fax, and regular mail to workers on the Internet, who processed their portion
898and sent the results back. About 1600 machines took part, with computing power
899ranging from a fax machine to Cray supercomputers. They used the best known
900factoring algorithm of the time; better methods have been discovered since
901then, but the results are still instructive in the amount of work required to
902crack a RSA-encrypted message.
903
904The coordinators have estimated that the project took about eight months of
905real time and used approximately 5000 MIPS-years of computing time.
906
907What does all this have to do with PGP? The RSA-129 key is approximately equal
908in security to a 426-bit PGP key. This has been shown to be easily crackable by
909this project. PGP used to recommend 384-bit keys as "casual grade" security;
910recent versions offer 768 bits as a recommended minimum security level.
911
912Note that this effort cracked only a single RSA key. If this had been a PGP
913key, it would have allowed them to decrypt all messages encrypted to that key.
914Nothing was discovered during the course of the experiment to cause any other
915keys to become less secure than they had been, i.e. it would not make it any
916easier to read messages encrypted to other keys.
917
918A year later, the first real PGP key was cracked. It was the infamous Blacknet
919key, a 384-bits key for the anonymous entity known as "Blacknet". A team
920consisting of Alec Muffett, Paul Leyland, Arjen Lenstra and Jim Gillogly
921managed to use enough computation power (approximately 1300 MIPS) to factor the
922key in three months. It was then used to decrypt a publicly-available message
923encrypted with that key.
924
925The most important thing in this attack is that it was done in almost complete
926secrecy. Unlike with the RSA-129 attack, there was no publicity on the crack
927until it was complete. Most of the computers only worked on it in spare time,
928and the total power is well within reach of a large, perhaps even a medium
929sized organization.
930
931Q: What is the best way to crack PGP?
932
933A: Currently, the best attack possible on PGP itself is a dictionary attack on
934the pass phrase. This is an attack where a program picks words out of a
935dictionary and strings them together in different ways in an attempt to guess
936your pass phrase.
937
938This is why picking a strong pass phrase is so important. Many of these cracker
939programs are very sophisticated and can take advantage of language idioms,
940popular phrases, and rules of grammar in building their guesses. Single-word
941"phrases" proper names (especially famous ones), or famous quotes are almost
942always crackable by a program with any "smarts" in it at all.
943
944There is a program available which can "crack" conventionally encrypted files
945by guessing the passphrase. It does not do any cryptanalysis and works on the
9462.x-format only, so if you pick a strong passphrase your files will still be
947safe. Unfortunately the original website has vanished. The program is still
948widely available, e.g. at zedz.net.
949
950There are also other methods to get at the contents of an encrypted message,
951such as bribery, tapping your keyboard, installing trojan horses, snooping of
952electronic emanation from the computers processing the message (often called a
953TEMPEST attack), blackmail, or rubber-hose cryptoanalysis (beating you with a
954rubber hose until you give the passphrase or similar, see Can I be forced to
955reveal my pass phrase in any legal proceedings?).
956
957Q: What if I forget my pass phrase?
958
959A: In a word: don't. If you forget your pass phrase, there is absolutely no way
960to recover any encrypted files. If you're concerned about forgetting your
961passphrase, you could make a copy of your secret keyring, change its passphrase
962to something else you are sure not to forget, and then store the secret keyring
963with the changed passphrase in a safe location.
964
965Q: Why do you use the term "pass phrase" instead of "password"?
966
967A: This is because most people, when asked to choose a password, select some
968simple common word. This can be cracked by a program that uses a dictionary to
969try out passwords on a system. Since most people really don't want to select a
970truly random password, where the letters and digits are mixed in a nonsense
971pattern, the term pass phrase is used to urge people to at least use several
972unrelated words in sequence as the pass phrase.
973
974Q: If my secret key ring is stolen, can my messages be read?
975
976A: No, not unless they have also stolen your secret pass phrase or you
977foolishly put it in plaintext on the same disk (see How can I give my
978passphrase to the commandline PGP automatically?), or if your pass phrase is
979susceptible to a brute-force attack. Neither part is useful without the other.
980You should, however, revoke that key and generate a fresh key pair using a
981different pass phrase just to be sure. Before revoking your old key, you might
982want to add another user ID that states what your new key id is so that others
983can know of your new address.
984
985Q: How do I choose a pass phrase?
986
987A: All of the security that is available in PGP can be made absolutely useless
988if you don't choose a good pass phrase to encrypt your secret key ring. Too
989many people use their birthday, their telephone number, the name of a loved
990one, or some easy to guess common word. While there are a number of suggestions
991for generating good pass phrases, the ultimate in security is obtained when the
992characters of the pass phrase are chosen completely at random. It may be a
993little harder to remember, but the added security is worth it. As an absolute
994minimum pass phrase, I would suggest a random combination of at least 8 letters
995and digits, with 12 being a better choice. With a 12 character pass phrase made
996up of the lower case letters a-z plus the digits 0-9, you have about 62 bits of
997key, which is 6 bits better than the 56 bit DES keys. If you wish, you can mix
998upper and lower case letters in your pass phrase to cut down the number of
999characters that are required to achieve the same level of security.
1000
1001A pass phrase which is composed of ordinary words without punctuation or
1002special characters is susceptible to a dictionary attack. Transposing
1003characters or mis-spelling words makes your pass phrase less vulnerable, but a
1004professional dictionary attack will cater for this sort of thing.
1005
1006See Randall T. Williams' Passphrase FAQ for a more detailed analysis.
1007
1008Q: How do I remember my pass phrase?
1009
1010A: This can be quite a problem especially if you are like me and have about a
1011dozen different pass phrases that are required in your everyday life. Writing
1012them down someplace so that you can remember them would defeat the whole
1013purpose of pass phrases in the first place. There is really no good way around
1014this. Either remember it, or write it down someplace and risk having it
1015compromised.
1016
1017It may be a good idea to periodically try out all the passphrases, or to
1018iterate them in your mind. Repeating them often enough will help keep them from
1019being completely blanked out when the time comes that you need them.
1020
1021If you use long passphrases, it may be possible to write down the initial
1022portion without risking compromising it, so that you can read the "hint" and
1023remember the rest of the passphrase. If you chose to write down these (partial)
1024passphrases, consider putting them in an tamper evident, non-transparent
1025enveloppe and storing them in a secure place.
1026
1027For a simple way to pick provably strong passphrases that are easy to remember,
1028please see Arnold Reinhold's Diceware website.
1029
1030Q: How do I verify that my copy of PGP has not been tampered with?
1031
1032A: If you do not presently own any copy of PGP, use great care on where you
1033obtain your first copy. What I would suggest is that you get two or more copies
1034from different sources that you feel that you can trust. Compare the copies to
1035see if they are absolutely identical. This won't eliminate the possibility of
1036having a bad copy, but it will greatly reduce the chances.
1037
1038If you already own a trusted version of PGP, it is easy to check the validity
1039of any future version. Newer versions of PGP are distributed in popular archive
1040formats; the archive file you receive will contain only another archive file, a
1041file with the same name as the archive file with the extension .asc, and a
1042setup.doc file. The .asc file is a stand-alone signature file for the inner
1043archive file that was created by the developer in charge of that particular PGP
1044distribution. Since nobody except the developer has access to his/her secret
1045key, nobody can tamper with the archive file without it being detected. Of
1046course, the inner archive file contains the newer PGP distribution.
1047
1048Q: How do I know that there is no trap door in the program?
1049
1050A: The fact that the entire source code for the free versions of PGP is
1051available makes it just about impossible for there to be some hidden trap door.
1052The source code has been examined by countless individuals and no such trap
1053door has been found. To make sure that your executable file actually represents
1054the given source code, all you need to do is to compile the program yourself
1055and use the resulting executable.
1056
1057For the PGP 5.x and higher versions based on the PGPsdk so its sourcecode can
1058be verified, but the use of "home-compiled" binaries seems to be forbidden by
1059the license, even when you bought a commercial license for the same product.
1060Only comparison between a "home-compiled" binary and the binaries as provided
1061in the commercial package seems to be allowed, but this very hard and has not
1062been succesfully done as far as I know (even if exactly the same compiler with
1063exactly the same options would be used, the resulting binary would differ in
1064non-trivial ways). Bottom line: if you do not trust NAI to have sold you the
1065untampered version, you should be using one of the open source versions whose
1066license does allow compilation from source and use of the subsequent binary.
1067
1068Q: I heard that the NSA put a back door in MIT PGP, and that they only allowed
1069it to be legal with the back door.
1070
1071A: First of all, the NSA had nothing to do with PGP becoming "legal". The
1072legality problems solved by MIT PGP had to do with the alleged patent on the
1073RSA algorithm used in PGP.
1074
1075Second, all the freeware versions of PGP are released with full source code to
1076both PGP and to the RSAREF library they use (just as every other freeware
1077version before them was). Thus, it is subject to the same peer review mentioned
1078in the question above. If there were an intentional hole, it would probably be
1079spotted. If you're really paranoid, you can read the code yourself and look for
1080holes!
1081
1082Q: Is there a back door in the international version?
1083
1084A: No. The international version of PGP is based on an illegally exported
1085version of PGP, and uses an RSA encryption/decryption library (MPILIB) which
1086may have violated the RSA patent which is only valid in the USA (see What's
1087with the patent on RSA?).
1088
1089There are no intentional backdoors of any kind in the international version,
1090nor is the encryption strength reduced in any way.
1091
1092Q: Can I put PGP on a multi-user system like a UNIX machine or a mainframe?
1093
1094A: Yes. PGP will compile and run on several high-end operating systems such as
1095Unix and VMS. Other versions may easily be used on machines connected to a
1096network.
1097
1098You should be very careful, however. Your pass phrase may be passed over the
1099network in the clear where it could be intercepted by network monitoring
1100equipment, or the operator on a multi-user machine may install "keyboard
1101sniffers" to record your pass phrase as you type it in. Also, while it is being
1102used by PGP on the host system, it could be caught by some trojan horse
1103program. Also, even though your secret key ring is encrypted, it would not be
1104good practice to leave it lying around for anyone else to look at. Also do not
1105leave the passphrase around (see How can I give my passphrase to the
1106commandline PGP automatically?).
1107
1108So why distribute PGP with directions for making it on Unix and VMS machines at
1109all? The simple answer is that not all Unix and VMS machines are network
1110servers or "mainframes." If you use your machine only from the console (or if
1111you use some network encryption package such as Kerberos, IPSec or SSH), you
1112are the only user, you take reasonable system security measures to prevent
1113unauthorized access, and you are aware of the risks above, you can securely use
1114PGP on one of these systems.
1115
1116You can still use PGP on multi-user systems or networks without a secret key
1117for checking signatures and encrypting. As long as you don't process a private
1118key or type a pass phrase on the multiuser system, you can use PGP securely
1119there.
1120
1121Of course, it all comes down to how important you consider your secret key. If
1122it's only used to sign posts to Usenet, and not for important private
1123correspondence, you don't have to be as paranoid about guarding it. If you
1124trust your system administrators, then you can protect yourself against
1125malicious users by making the directory in which the keyrings are only
1126accessible by you.
1127
1128Q: Can I use PGP under a "swapping" operating system like Windows, OS/2 or
1129UNIX?
1130
1131A: Yes. PGP 2.x runs OK in most "DOS windows" for these systems, and PGP can be
1132built natively for many of them as well.
1133
1134The problem with using PGP on a system that swaps is that the system will often
1135swap PGP out to disk while it is processing your pass phrase. If this happens
1136at the right time, your pass phrase could end up in cleartext in your swap
1137file. How easy it is to swap "at the right time" depends on the operating
1138system; Windows reportedly swaps the pass phrase to disk quite regularly,
1139though it is also one of the most inefficient systems. PGP does make every
1140attempt to not keep the pass phrase in memory by "wiping" memory used to hold
1141the pass phrase before freeing it, but this solution isn't perfect.
1142
1143Because swapfiles shrink, and many applications (e.g. Microsoft Word and
1144Microsoft compilers) grab disk space (and unused memory) and don't always fill
1145it all out, you will regularly get fragments of other work embedded in files
1146unrelated to it.
1147
1148Disabling swapping (after getting more memory) will help, but you should also
1149be cautious about sending binary attachments (like Word DOCs). If you wish to
1150keep your hard-drive more secure, you should consider a sector-level encryptor
1151(such as Scramdisk, SFS or PGPdisk).
1152
1153If you have reason to be concerned about this, you might consider getting a
1154swapfile wiping utility to securely erase any trace of the pass phrase once you
1155are done with the system. Several such utilities exist for Windows and Linux at
1156least. Many of them perform not nearly as well as claimed in the documentation
1157though. Under OpenBSD you can configure the OS to encrypt the swap, preventing
1158this altogether.
1159
1160Q: Aren't all of these security procedures a little paranoid?
1161
1162A: That all depends on how much your privacy means to you! Even apart from the
1163government, there are many people out there who would just love to read your
1164private mail. And many of these individuals would be willing to go to great
1165lengths to compromise your mail. Look at the amount of work that has been put
1166into some of the virus programs that have found their way into various computer
1167systems, including the old "Caligula"-virus that sends the PGP secret keyring
1168to the codebreakers.org site. Even when it doesn't involve money, some people
1169are obsessed with breaking into systems. Once a system is compromised, use of
1170PGP on that system will expose both your pass phrase and secret keyring, giving
1171the attacker everything to he needs to read your secret mail.
1172
1173In addition, don't forget that private keys are useful for more than
1174decrypting. Someone with your private key can also sign items that could later
1175prove to be difficult to deny. Keeping your private key secure can prevent, at
1176the least, a bit of embarassment, and at most could prevent charges of fraud or
1177breach of contract.
1178
1179Besides, many of the above procedures are also effective against some common
1180indirect attacks. As an example, the digital signature also serves as an
1181effective integrity check of the file signed; thus, checking the signature on
1182new copies of PGP ensures that your computer will not get a virus through PGP
1183(unless, of course, the PGP version developer contracts a virus and infects PGP
1184before signing).
1185
1186Q: Can I be forced to reveal my pass phrase in any legal proceedings?
1187
1188A: Bert-Jaap Koops has a Crypto and Self-Incrimination FAQ adressing this
1189issue. The ultra-short version is that no country is known to have a law
1190requiring suspects to decrypt under legal warrant, with the exception of the UK
1191and the Regulation of Investigatory Powers Act 2000.
1192
1193Note that the GNU Privacy Guard has a --show-session-key option specifically
1194for those under the obligation to provide the decryption key. It allows one to
1195disclose the individual session keys of encrypted messages instead of the
1196longlived secret keys. Without disclosure of your secret keys, newly encrypted
1197messages are still safe from all prying eyes.
1198
1199Note that law enforcement agencies have been known to install means to capture
1200your passphrase and/or plaintext, such as keyboard sniffers and trojans, making
1201the self-incrimination question irrelevant.
1202
1203Q: How secure is the "for your eyes only" option?
1204
1205A: It is not secure at all. There are many ways to defeat it. Probably the
1206easiest way is to simply redirect your screen output to a file as follows: pgp
1207[filename] > [diskfile]
1208
1209The "for your eyes" option was not intended as a fail-safe option to prevent
1210plain text files from being generated, but to serve simply as a warning to the
1211person decrypting the file that he probably shouldn't keep a copy of the plain
1212text on his system.
1213-------------------------------------------------------------------------------
1214
1215Chapter 4. Keys
1216
1217Q: Which key size should I use?
1218Q: Can a public key be forged?
1219Q: How do I detect a forged key?
1220Q: Why does PGP take so long to add new keys to my key ring?
1221Q: How can I extract multiple keys into a single armored file with the command
1222 line PGP?
1223Q: I tried encrypting the same message to the same address two times and got
1224 completely different outputs. Why is this?
1225Q: What does the message "Unknown signator, can't be checked" mean?
1226Q: How do I get PGP to display the trust parameters on a key?
1227Q: Should I include my key in every message (e.g. by putting it in my
1228 .signature)?
1229Q: How can I make my key available via finger?
1230Q: How do I specify which key to use when an individual has 2 public keys and
1231 the very same user ID on each, or when 2 different users have the same
1232 name?
1233
1234Q: Which key size should I use?
1235
1236A: PGP gives you choices for RSA and DSA key size ranging from 512 to 2048 or
1237even 4096 bits. The larger the key, the more secure the RSA/DSA portion of the
1238encryption is. The only place where the key size makes a large change in the
1239running time of the program is during key generation. A 1024 bit key can take 8
1240times longer to generate than a 384 bit key. Fortunately, this is a one time
1241process that doesn't need to be repeated unless you wish to generate another
1242key pair.
1243
1244During encryption, only the RSA portion of the encryption process is affected
1245by key size. The RSA portion is only used for encrypting the session key used
1246by the the symmetrical algorithm (IDEA, 3DES, CAST etcetera). The main body of
1247the message is totally unaffected by the choice of RSA key size.
1248
1249Dr Lenstra and Dr Verheul offer their recommendations for keylengths. In their
1250calculation, a 2048 bit key should keep your secrets safe at least until 2020
1251against very highly funded and knowledgable adversaries (i.e. you have the NSA
1252working against you). Against lesser adversaries such as mere multinationals
1253your secret should be safe against bruteforce cryptoanalysis much longer, even
1254with 1024 bit keys.
1255
1256So unless you have a very good reason for doing otherwise, select the 1024 or
12572048 bit key size. Using currently available algorithms for factoring and
1258available computing power, the 384 and 512 bit keys are known to be within
1259reach of adversaries and 768 is questionable (see also Can't you break PGP by
1260trying all of the possible keys?>).
1261
1262Q: Can a public key be forged?
1263
1264A: In short: not completely, but parts may be.
1265
1266There are four components in a public key, each of which has its own
1267weaknesses. The four components are user IDs, key IDs, signatures and the key
1268fingerprint.
1269
1270It is quite easy to create a fake user ID. If a user ID on a key is changed,
1271and the key is then added to another keyring, the changed user ID will be seen
1272as a new user ID and so it gets added to the ones already present. This implies
1273that an unsigned user ID should never be trusted. Question Should I sign my own
1274key?> discusses this in more detail.
1275
1276It is possible to create a key with a chosen key ID.
1277� A PGP key ID is just the bottom 64 bits of the public modulus �
1278 (but only the bottom 32 bits are displayed with pgp -kv). It
1279 is easy to select two primes which when multiplied together
1280 have a specific set of low-order bits.
1281 --Paul Leyland explains: �
1282This makes it possible to create a fake key with the same key ID as an existing
1283one. The fingerprint will still be different, though.
1284
1285By the way, this attack is sometimes referred to as a DEADBEEF attack. This
1286term originates from an example key with key ID 0xDEADBEEF which was created to
1287demonstrate that this was possible.
1288
1289There are currently no methods to create a fake signature for a user ID on
1290someone's key. To create a signature for a user ID, you need the signatory's
1291secret key. A signature actually signs a hash of the user ID it applies to, so
1292you can't copy a signature from one user ID to another or modify a signed user
1293ID without invalidating the signature.
1294
1295Yes, it is possible to create a public key with the same fingerprint as an
1296existing one, thanks to a design misfeature in PGP 2.x when signing RSA keys.
1297The fake key will not be of the same length, so it should be easy to detect.
1298Usually such keys have odd key lengths.
1299
1300� Inside a PGP key, the public modulus and encryption exponent �
1301 are each represented as the size of the quantity in bits,
1302 followed by the bits of the quantity itself. The key
1303 fingerprint, displayed by pgp -kvc, is the MD5 hash of the
1304 bits, but NOT of the lengths. By transferring low-order bits
1305 from the modulus to the high-order portion of the exponent
1306 and altering the two lengths accordingly, it is possible to
1307 create a new key with exactly the same fingerprint.
1308 --Paul Leyland provided the following technical explanation: �
1309
1310
1311Q: How do I detect a forged key?
1312
1313A: As explained in question Can a public key be forged?>, each component of the
1314public key can be faked. It is, however, not possible to create a fake key for
1315which all the components match.
1316
1317For this reason, you should always verify that key ID, fingerprint, and key
1318size correspond when you are about to use someone's key. And when you sign a
1319user ID, make sure it is signed by the key's owner!
1320
1321Similarly, if you want to provide information about your key, include key ID,
1322fingerprint and key size.
1323
1324Q: Why does PGP take so long to add new keys to my key ring?
1325
1326A: The time required to check signatures and add keys to your public key ring
1327tends to grow as the square of the size of your existing public key ring. This
1328can reach extreme proportions, especially if you are trying to add the entire
1329public keyring you retrieved from a keyserver (see What are the Public Key
1330Servers?>) to your own keyring.
1331
1332In this case, it might be faster to rename your public keyring to something
1333else, then name the keyserver's keyring pubring.pgp and add your own keyring to
1334the big one. There is a danger to this, though; the trust parameters to your
1335old keys will be lost, and you will be using the trust parameters from this big
1336keyring. See also How do I create a secondary key file?>.
1337
1338A: If your keyring has been damaged, PGP can also take a while to process it.
1339
1340Q: How can I extract multiple keys into a single armored file with the command
1341line PGP?
1342
1343A: A number of people have more than one public key that they would like to
1344make available. One way of doing this is executing the -kxa command for each
1345key you wish to extract from the key ring into separate armored files, then
1346appending all the individual files into a single long file with multiple
1347armored blocks. This is not as convenient as having all of your keys in a
1348single armored block.
1349
1350Unfortunately, the present version of PGP does not allow you to do this
1351directly. Fortunately, there is an indirect way to do it.
1352 pgp -kx uid1 extract
1353 pgp -kx uid2 extract
1354 pgp -kx uid3 extract
1355
1356This puts all three keys into extract.pgp. To get an ascii amored file, call:
1357pgp -a extract.pgp
1358
1359You get an extract.asc. Someone who does a pgp extract and has either file
1360processes all three keys simultaneously.
1361
1362A Unix script to perform the extraction with a single command would be as
1363follows:
1364 #!/bin/sh
1365 for name in name1 name2 name3 ... ; do
1366 pgp -kx "$name" /tmp/keys.pgp <keyring>
1367 end
1368An equivalent DOS command would be:
1369
1370for %a in (name1 name2 name3 ...) do pgp -kx %a keys.pgp <keyring>
1371
1372Q: I tried encrypting the same message to the same address two times and got
1373completely different outputs. Why is this?
1374
1375A: Every time you run PGP, a different session key is generated. This session
1376key is used as the key for the symmetrical encryption algorithm (IDEA, 3DES
1377etcetera). As a result, the entire header and body of the message changes. You
1378will never see the same output twice, no matter how many times you encrypt the
1379same message to the same address. This adds to the overall security of PGP.
1380
1381To generate this random session key, PGP will try to use information from a
1382file called randseed.bin. If this file does not exist, or for some reason isn't
1383random enough, you are asked to type in some random keystrokes which will then
1384be used as a "seed" for the random number generator.
1385
1386Q: What does the message "Unknown signator, can't be checked" mean?
1387
1388A: It means that the key used to create that signature does not exist in your
1389public keyring, therefor PGP complains that it cannot check the signature. If
1390at sometime in the future, you happen to add that key to your public keyring,
1391then the signature line will read normally. It is completely harmless to leave
1392these non-checkable signatures in your public keyring. They neither add to nor
1393take away from the validity of the key in question.
1394
1395Q: How do I get PGP to display the trust parameters on a key?
1396
1397A: You can only do this when you run the -kc option by itself on the entire
1398database. The parameters will not be shown if you give a specific ID on the
1399command line. The correct command is: pgp -kc. The command pgp -kc smith will
1400not show the trust parameters for "smith".
1401
1402Q: Should I include my key in every message (e.g. by putting it in my
1403.signature)?
1404
1405A: No. Although it is important to spread your key as far as possible, it is a
1406lot better to send it to a keyserver (see What are the Public Key Servers?>) or
1407to make it available via finger (see How can I make my key available via
1408finger?>>), or perhaps as a link off your WWW homepage. This way, people who
1409need your key will be able to get it, and you don't send it out to a lot of
1410uninterested people every time you email or post something.
1411
1412Additionally, keep in mind a snooper reading your outgoing mail can easily
1413switch the public key in there with his own fake key. If this substituted key
1414is used, the snooper can still read the messages sent to you. If the other
1415party gets your key from a different location with a different method, it is a
1416lot harder for that snooper to change the keys. Note that signing the message
1417containing the key will not help; the snooper can easily re-sign the message
1418with his key, see Can a public key be forged?>. So always check the fingerprint
1419as described in How do I detect a forged key?>.
1420
1421Q: How can I make my key available via finger?
1422
1423A: The first step is always to extract the key to an ASCII-armored text file
1424with pgp -kxa. After that, it depends on what type of computer you want your
1425key to be available on. Check the documentation for that computer and/or its
1426networking software.
1427
1428Many computers running a Unix flavor will read information to be displayed via
1429finger from a file in your home directory called .plan. If your computer
1430supports this, you can put your public key in this file. Make sure the file is
1431world-readable, use chmod 644 $HOME/.plan if other people can't get at your
1432plan. The home directory also has to be accessible. Use chmod +x $HOME in your
1433home directory to do this. Contact your system administrator if you have
1434further problems with this.
1435
1436Q: How do I specify which key to use when an individual has 2 public keys and
1437the very same user ID on each, or when 2 different users have the same name?
1438
1439A: Instead of specifying the user's name in the ID field of the PGP command,
1440you can use the key ID number. The format is 0xNNNNNNNN where NNNNNNNN is the
1441user's 8 character key ID number. It should be noted that you don't need to
1442enter the entire ID number, a few consecutive digits from anywhere in the ID
1443should do the trick. The key ID shows up directly after the key size when you
1444do pgp -kv userid.
1445
1446Be careful: If you enter 0x123, you will be matching key IDs 0x12393764,
14470x64931237, or 0x96412373. Any key ID that contains 123 anywhere in it will
1448produce a match. They don't need to be the starting characters of the key ID.
1449You will recognize that this is the format for entering hex numbers in the C
1450programming language. For example, any of the following commands could be used
1451to encrypt a file to my public key:
1452 pgp -e <filename> "Wouter Slegers"
1453 pgp -e <filename> wouter@yourcreativesolutions.nl
1454 pgp -e <filename> 0x5217C2AF
1455This same method of key identification can be used in the config.txt file in
1456the MyName variable to specify exactly which of the keys in the secret key ring
1457should be used for encrypting a message.
1458-------------------------------------------------------------------------------
1459
1460Chapter 5. Message Signatures
1461
1462Q: What is message signing?
1463Q: How do I sign a message and keep it readable?
1464Q: Can't you just forge a signature by copying the signature block to another
1465 message?
1466Q: Are PGP signatures legally binding?
1467Q: Is the date on a PGP signature reliable?
1468
1469Q: What is message signing?
1470
1471A: Let's imagine that you received a letter in the mail from someone you know
1472named John Smith. How do you know that it was really John who sent you the
1473letter and not someone else who simply forged his name? With PGP, it is
1474possible to apply a digital signature to a message that is impossible to forge.
1475If you already have a trusted copy of John's public encryption key, you can use
1476it to check the signature on the message. It would be impossible for anybody
1477but John to have created the signature, since he is the only person with access
1478to the secret key necessary to create the signature. In addition, if anybody
1479has tampered with an otherwise valid message, the digital signature will detect
1480the fact. It protects the entire message against undetectable change.
1481
1482Q: How do I sign a message and keep it readable?
1483
1484A: Sometimes you are not interested in keeping the contents of a message
1485secret, you only want to make sure that nobody tampers with it, and to allow
1486others to verify that the message is really from you. For this, you can use
1487clear signing. Clear signing only works on text files, it will not work on
1488binary files. The command format is:
1489
1490pgp -sat +clearsig=on <filename>
1491
1492The output file will contain your original unmodified text, along with section
1493headers and an armored PGP signature. In this case, PGP is not required to read
1494the file, only to verify the signature.
1495
1496You should be careful when you "clearsign" a text file like this. Some mail
1497programs might alter your message when it is being sent, for example because
1498there are very long lines in the message. This will invalidate the signature on
1499the message. Also, using 8-bit characters in your message can cause problems;
1500some versions of PGP will think the file is actually a binary file, and refuse
1501to clearsign it.
1502
1503For this reason, PGP 2.6.3i will automatically ASCII armor messages with very
1504long lines in it.
1505
1506When using PGP/MIME, the signature is sent as an attachment to the message.
1507This keeps the signed text readable like usual, even to MIME-compatible email
1508programs that do not support PGP.
1509
1510Q: Can't you just forge a signature by copying the signature block to another
1511message?
1512
1513A: No. The reason for this is that the signature contains information (called a
1514message digest or a one-way hash) about the whole message it's signing. When
1515the signature check is made, the message digest from the message is calculated
1516and compared with the one stored in the encrypted signature block. If they
1517don't match, PGP reports that the signature is bad.
1518
1519Q: Are PGP signatures legally binding?
1520
1521A: Simone van der Hof maintains the Digital Signature Law Survey adressing
1522these issues. In short: digital signatures (such as provided by PGP) are only
1523legally binding on their own under very specific situations in a few countries,
1524if at all. In many countries this is rapidly changing though.
1525
1526Even if the digital signature is not binding in itself, in many jurisdictions
1527one can arrange to accept valid digital signatures as binding via a prior
1528agreement in writing. If you are going to be swapping many digitally-signed
1529agreements with another party, this approach may be useful. You might want to
1530check with a lawyer in your country if the digital signatures will be used for
1531important or valuable contracts.
1532
1533Q: Is the date on a PGP signature reliable?
1534
1535A: No. The date and time you see when you verify a PGP signature on a file
1536(often called a timestamp) is the time and date the computer was set to when
1537the signature was created. On most computers, it is extremely easy to reset the
1538date and time to any time you want, so you can generate documents with a forged
1539timestamp.
1540
1541For this reason, you can use a so-called "digital notary" or time-stamping
1542service. This is a system that does nothing but sign documents you send to it,
1543after inserting a date and time somewhere in the text. The service uses a
1544numbering scheme which makes it impossible to insert timestamps at a later
1545time. One such service is run by Matthew Richardson. For more information about
1546it, please see the PGP Digital Timestamping Service website.
1547-------------------------------------------------------------------------------
1548
1549Chapter 6. Key Signatures
1550
1551Q: What is key signing?
1552Q: How do I sign a key?
1553Q: Should I sign my own key?
1554Q: Should I sign X's key?
1555Q: How do I verify someone's identity?
1556Q: How do I know someone hasn't sent me a bogus key to sign?
1557Q: What's a key signing party?
1558Q: How do I organize a key signing party?
1559
1560Q: What is key signing?
1561
1562A: OK, you just got a copy of John Smith's public encryption key. How do you
1563know that the key really belongs to John Smith and not to some impostor? The
1564answer to this is key signatures. They are similar to message signatures in
1565that they can't be forged. Let's say that you don't know that you have John
1566Smith's real key. But let's say that you do have a trusted key from Joe Blow.
1567Let's say that you trust Joe Blow and that he has added his signature to John
1568Smith's key. If you trust Joe to identify John, you can now trust that you have
1569a valid copy of John Smith's key. That is what key signing is all about. This
1570chain of trust can be carried to several levels, such as A trusts B who trusts
1571C who trusts D, therefore A can trust D. You have control in the PGP
1572configuration over exactly how many levels this chain of trust is allowed to
1573proceed.
1574
1575The options in PGP's configuration to control this are:
1576
1577��*�Cert_Dept = n
1578
1579 This indicates the maximum depth of your "web of trust". A key which is n
1580 keys "away" from your own key will not be used to introduce other keys.
1581
1582��*�Completes_Needed = n
1583
1584 This indicates the number of completely trusted keys required to make a key
1585 valid. A key is completely trusted if it is valid, and you choose option 4.
1586 Yes, always when PGP asked you if you trust this person to introduce
1587 others.
1588
1589��*�Marginals_Needed = n
1590
1591 This indicates the number of marginally trusted keys required to make a key
1592 valid. A key is marginally trusted if you answered 3. Sometimes to the
1593 question above. In all other cases, the key is not trusted at all.
1594
1595
1596You can display the trust parameters for a key with pgp -kc. See also question
1597How do I get PGP to display the trust parameters on a key?>. Be careful about
1598keys that are several levels removed from your immediate trust.
1599
1600The PGP trust model is discussed in more detail by Alfarez Abdul-Rahman.
1601
1602Q: How do I sign a key?
1603
1604A: Execute the following command from the command prompt:
1605
1606PGP -ks [-u yourid] <keyid>
1607
1608This adds your signature (signed with the private key for yourid, if you
1609specify it) to the key identified with keyid. If keyid is a user ID, you will
1610sign that particular user ID; otherwise, you will sign the default user ID on
1611that key (the first one you see when you list the key with pgp -kv <keyid>).
1612
1613Next, you should extract a copy of this updated key along with its signatures
1614using the -kxa option. An armored text file will be created. Give this file to
1615the owner of the key so that he may propagate the new signature to whomever he
1616chooses.
1617
1618Be very careful with your secret keyring. Never be tempted to put a copy in
1619somebody else's machine so you can sign their public key: they could have
1620modified PGP to copy your secret key and grab your pass phrase.
1621
1622Q: Should I sign my own key?
1623
1624A: Yes, you should sign each personal ID on your key, which is why in PGP 5.x+
1625and GNU Privacy Guard newly generated keys are signed by default. This will
1626help to prevent anyone from placing a phony address in the ID field of the key
1627and possibly having your mail diverted to them. Of course they can't read the
1628encrypted mail, but you won't see it at all. And even worse, adding a fake user
1629ID reading "Please use key 0x416A1A35 from now on" can mean someone else will
1630use the imposter's key with your name on it, rather than your own.
1631
1632It is very easy to add user IDs to someone else's key. All it takes is a binary
1633editor or some knowledge of the PGP public key format. But since you are the
1634only person who can sign your own user IDs, the fake ones will not be signed,
1635and so anyone who gets the key can immediately spot the fake ones. For example,
1636my entry in the public key ring now appears as follows if you use the -kvv
1637command:
1638 Type Bits/KeyID Date User ID
1639 pub 1024/416A1A35 1994/10/01 Arnoud Engelfriet <galactus@stack.nl>
1640 sig 416A1A35 Arnoud Engelfriet <galactus@stack.nl>
1641 *** <galactus@stack.urc.tue.nl> now INVALID!
1642 sig 416A1A35 Arnoud Engelfriet <galactus@stack.nl>
1643 Galactus <galactus@stack.urc.tue.nl>
1644 sig 3602A619 Stephen Hopkins <shopkins@coventry.ac.uk>
1645 sig DD63EF3D Frank Castle <Frank_Castle@panther.pphost.nl>
1646 sig 416A1A35 Arnoud Engelfriet <galactus@stack.nl>
1647 Arnoud Engelfriet <galactus@stack.urc.tue.nl>
1648 sig 390E3FB1 Martijn Heemels <M.A.L.Heemels@stud.tue.nl>
1649 sig DA87C0C7 Edgar W. Swank <EdgarSwank@Juno.com>
1650 sig 416A1A35 Arnoud Engelfriet <galactus@stack.nl>
1651
1652For a more detailed discussion of why you should sign your own key, see "Why
1653you should sign your own key" by Walther Soldierer.
1654
1655Note that PGP 2.6.3[i], PGP 5.x and GNU Privacy Guard automatically sign each
1656user ID you add to your own key.
1657
1658Q: Should I sign X's key?
1659
1660A: Signing someone's key is your indication to the world that you believe that
1661key to rightfully belong to that person, and that person is who he purports to
1662be. Other people may rely on your signature to decide whether or not a key is
1663valid, so you should not sign capriciously.
1664
1665Some countries require respected professionals such as doctors or engineers to
1666endorse passport photographs as proof of identity for a passport application -
1667you should consider signing someone's key in the same light. Alternatively,
1668when you come to sign someone's key, ask yourself if you would be prepared to
1669swear in a court of law as to that person's identity.
1670
1671Remember that signing a person's key says nothing about whether you actually
1672like or trust that person or approve of his/her actions. It's just like someone
1673pointing to someone else at a party and saying, "Yeah, that's Mallet over
1674there." Mallet may be an ax murderer; you don't become tainted with his crime
1675just because you can pick him out of a crowd.
1676
1677Q: How do I verify someone's identity?
1678
1679A: It all depends on how well you know them. Relatives, friends and colleagues
1680are easy. People you meet at conventions or key-signing sessions require some
1681proof like a driver's license or passport. Do make sure to observe the standard
1682keysigning security steps described in How do I know someone hasn't sent me a
1683bogus key to sign?>.
1684
1685Q: How do I know someone hasn't sent me a bogus key to sign?
1686
1687A: It is very easy for someone to generate a key with a false ID and send
1688e-mail with fraudulent headers, or for a node which routes the e-mail to you to
1689substitute a different key. Finger or keyservers are bit harder to tamper with,
1690but not impossible.
1691
1692If it is a key from someone you know well and whose voice you recognize then it
1693is sufficient to give them a phone call and have them read their key's
1694fingerprint (obtained with pgp -kvc <userid>). To be sure, also ask them for
1695the key size and its key ID. There are ways to create a forged key with an
1696identical fingerprint (see question Can a public key be forged?> for details).
1697You can of course also check these details in another way, for example if he
1698has printed it on his business card.
1699
1700If you don't know the person very well then the only recourse is to exchange
1701keys face-to-face and ask for some proof of identity. Don't be tempted to put
1702your public key disk in their machine so they can add their key, they could
1703maliciously replace your key at the same time. If the user ID includes an
1704e-mail address, verify that address by exchanging an agreed encrypted message
1705before signing. Don't sign any user IDs on that key except those you have
1706verified.
1707
1708Q: What's a key signing party?
1709
1710A: A key signing party is a get-together with various other users of PGP for
1711the purpose of meeting and signing keys. This helps to extend the web of trust
1712to a great degree, making it easier for you to find one or more trusted paths
1713to someone whose public key you didn't have.
1714
1715Kevin Herron has an example of a keysigning party announcement page.
1716
1717Q: How do I organize a key signing party?
1718
1719A: Though the idea is simple, actually doing it is a bit complex, because you
1720don't want to compromise other people's private keys or spread viruses (which
1721is a risk whenever floppies are swapped willy-nilly). Usually, these parties
1722involve meeting everyone at the party, verifying their identity and getting key
1723fingerprints from them, and signing their key at home.
1724
1725Derek Atkins has recommended this method:
1726
1727There are many ways to hold a key-signing session. Many viable suggestions have
1728been given. And, just to add more signal to this newsgroup, I will suggest
1729another one which seems to work very well and also solves the N-squared problem
1730of distributing and signing keys. Here is the process:
1731
1732 1. You announce the keysigning session, and ask everyone who plans to come to
1733 send you (or some single person who will be there) their public key. The
1734 RSVP also allows for a count of the number of people for step 3.
1735
1736 2. You compile the public keys into a single keyring, run pgp -kvc on that
1737 keyring, and save the output to a file.
1738
1739 3. Print out N copies of the pgp -kvc file onto hardcopy, and bring this and
1740 the keyring on media to the meeting.
1741
1742 4. At the meeting, distribute the printouts, and provide a site to retreive
1743 the keyring (an ftp site works, or you can make floppy copies, or whatever
1744 -- it doesn't matter).
1745
1746 5. When you are all in the room, each person stands up, and people vouch for
1747 this person (e.g., "Yes, this really is Derek Atkins -- I went to school
1748 with him for 6 years, and lived with him for 2").
1749
1750 6. Each person securely obtains their own fingerprint, and after being vouched
1751 for, they then read out their fingerprint out loud so everyone can verify
1752 it on the printout they have.
1753
1754 7. After everyone finishes this protocol, they can go home, obtain the
1755 keyring, run pgp -kvc on it themselves, and re-verify the bits, and sign
1756 the keys at their own leisure.
1757
1758 8. To save load on the keyservers, you can optionally send all signatures to
1759 the original person, who can coalate them again into a single keyring and
1760 propagate that single keyring to the keyservers and to each individual.
1761
1762
1763
1764-------------------------------------------------------------------------------
1765
1766Chapter 7. Revoking a key
1767
1768Q: My secret key ring has been stolen or lost, what do I do?
1769Q: I forgot my pass phrase. Can I create a key revocation certificate?
1770Q: How do I create a key revocation certificate?
1771Q: How do I indicate that my key is invalid when I don't have the secret key
1772 anymore?
1773
1774Q: My secret key ring has been stolen or lost, what do I do?
1775
1776A: Assuming that you selected a good solid random pass phrase to encrypt your
1777secret key ring, you are probably still safe. It takes two parts to decrypt a
1778message, the secret key ring, and its pass phrase. The secret key is encrypted
1779with the passphrase before it is stored in the secret keyring.
1780
1781Assuming you have a key revocation certificate previously made (or a backup
1782copy of your secret key ring with which you can generate one now), upload the
1783revocation to one of the public key servers. Prior to uploading the revocation
1784certificate, you might add a new ID to the old key that tells what your new key
1785ID will be. If you don't have a backup copy of your secret key ring, then it
1786will be impossible to create a revocation certificate under the present version
1787of PGP. This is another good reason for keeping a backup copy of your secret
1788key ring (or at the very least generate a revocation certificate).
1789
1790Q: I forgot my pass phrase. Can I create a key revocation certificate?
1791
1792A: As Phil Zimmermann put it: "I'm sorry, you're hosed."
1793
1794You can't, since the pass phrase unlocks the secret key which is required to
1795create the certificate (for signing it).
1796
1797The way to avoid this dilemma is to create a key revocation certificate at the
1798same time that you generate your key pair. Put the revocation certificate away
1799in a safe place and you will have it available should the need arise.
1800
1801Q: How do I create a key revocation certificate?
1802
1803A: The easiest way to do this is:
1804
1805 1. Make a backup of your public and secret keyrings.
1806
1807 2. Revoke your key with pgp -kd youruserid.
1808
1809 3. Extract the revoked key to a file with pgp -kxa youruserid. This file is
1810 what the manual calls the "revocation certificate."
1811
1812 4. Store the certificate in a safe location, for example on a floppy which you
1813 keep someplace else.
1814
1815 5. Restore the backed-up keyrings.
1816
1817
1818
1819
1820Q: How do I indicate that my key is invalid when I don't have the secret key
1821anymore?
1822
1823A: This is a very tricky situation, and should be avoided at all costs. The
1824easiest way is to prepare a key revocation certificate (See How do I create a
1825key revocation certificate?> for details on how to do this) before you need it,
1826so you can always revoke the key, even without the secret key.
1827
1828A: First of all, generate a new key with one of the user IDs stating that Old
1829key 0x12345678 no longer valid: lost secret key. Get this key signed by
1830(preferbly the same) friends and collegues. Add this key to the keyservers so
1831people can start using your new key as soon as possible.
1832
1833To discourage use of your old key, you can use a binary editor to change one of
1834the user IDs on your public key to read "Key invalid; use key 0x12345678" or
1835something to that effect. Keep in mind that the new user ID can't be longer
1836than the old one, unless you know what you are doing. Then extract the key, and
1837send it to the keyserver. It will think this is actually a new user ID, and add
1838it to your key there.
1839
1840However, since anyone can do the above, many people will not trust unsigned
1841user IDs with such statements. As explained in question Should I sign my own
1842key?>, all user IDs on your key should be self-signed. So again, make a key
1843revocation certificate in advance and use that when necessary.
1844-------------------------------------------------------------------------------
1845
1846Chapter 8. Public Key Servers
1847
1848Q: What are the Public Key Servers?
1849Q: What public key servers are available?
1850Q: What is the syntax for the key server commands?
1851
1852Q: What are the Public Key Servers?
1853
1854A: Public Key Servers exist for the purpose of making your public key available
1855in a common database where everybody can have access to it for the purpose of
1856encrypting messages to you. Anyone who wants to write you a message, or to
1857check a signature on a message from you, can get your key from the keyserver,
1858so he doesn't have to bother you with it.
1859
1860While a number of key servers exist, it is only necessary to send your key to
1861one of them. The key server will take care of the job of sending your key to
1862all other known servers.
1863
1864Q: What public key servers are available?
1865
1866A: There is now a clean interface to key servers. The pgp.net domain was
1867founded for this purpose, and offers an easy and fast way to obtain people's
1868public keys.
1869
1870You can access the keyserver in e-mail, by sending mail to <
1871pgp-public-keys@keys.pgp.net> with the command (see What is the syntax for the
1872key server commands?> below) in the Subject line of your message. This message
1873will be sent to one of the keyservers at random, which ensures that an
1874individual server will not be overloaded.
1875
1876If you have WWW access, you can also use the WWW interface.
1877
1878Q: What is the syntax for the key server commands?
1879
1880A: The key server expects to see one of the following commands placed in the
1881subject field. Note that only the ADD command uses the body of the message.
1882 ADD Your PGP public key (key to add is body of msg) (-ka)
1883 INDEX List all PGP keys the server knows about (-kv)
1884 VERBOSE INDEX List all PGP keys, verbose format (-kvv)
1885 GET Get the whole public key ring (-kxa *), in multiple messages
1886 GET <userid> Get just that one key (-kxa <userid>)
1887 LAST <n> Get all keys uploaded during last <n> days
1888
1889Note that instead of a user ID, you can also use a key ID. In this case, you
1890should put "0x" in front of it. By using a key ID rather than a user ID, name
1891or e-mail address, you ensure that you get exactly the key you want. Please see
1892question How do I specify which key to use when an individual has 2 public keys
1893and and the very same user ID on each?> for more information on how to use key
1894IDs.
1895
1896If you wish to get the entire key ring and have access to FTP, it would be a
1897lot more efficient to use FTP rather than e-mail. Download an entire keyring
1898from PGP.net.
1899-------------------------------------------------------------------------------
1900
1901Chapter 9. Bugs
1902
1903Q: Where do I send bug reports?
1904Q: What bugs have been found in PGP?
1905
1906Q: Where do I send bug reports?
1907
1908A: Bugs related to MIT PGP should be sent to pgp-bugs@mit.edu. You will want to
1909check the MIT PGP FAQ with the complete bug list for MIT PGP before reporting a
1910bug to make sure that the bug hasn't been reported already. If it is a serious
1911bug, you should also post it to comp.security.pgp.announce or .tech. Serious
1912bugs are bugs that affect the security of the program, not compile errors or
1913small logic errors.
1914
1915Post all of your bug reports concerning non-MIT versions of PGP to
1916comp.security.pgp.tech, and forward a copy to me for possible inclusion in
1917future releases of the FAQ. Please be aware that the authors of PGP might not
1918acknowledge bug reports sent directly to them. Posting them on USENET will give
1919them the widest possible distribution in the shortest amount of time.
1920
1921Q: What bugs have been found in PGP?
1922
1923A: The following list of bugs is limited to version 2.4 and later, and is
1924limited to the most commonly seen and serious bugs. For bugs in earlier
1925versions, refer to the documentation included with the program. If you find a
1926bug not on this list, follow the procedure above for reporting it.
1927
1928��*�MIT PGP 2.6 had a bug in the key generation process which made keys
1929 generated by it much less random. Fixed in 2.6.1.
1930
1931��*�All versions of PGP except MIT PGP 2.6.2 are susceptible to a "buglet" in
1932 clearsigned messages, making it possible to add text to the beginning of a
1933 clearsigned message. The added text does not appear in the PGP output after
1934 the signature is checked. MIT PGP 2.6.2 now does not allow header lines
1935 before the text of a clearsigned message and enforces RFC 822 syntax on
1936 header lines before the signature. Since this bug appears at checking time,
1937 however, you should be aware of this bug even if you use MIT PGP 2.6.2 -
1938 the reader may check your signed message with a different version and not
1939 read the output.
1940
1941��*�MIT PGP 2.6.1 was supposed to handle keys between 1024 and 2048 bits in
1942 length, but could not. Fixed in 2.6.2.
1943
1944��*�MIT PGP 2.6.2 was supposed to enable the generation of keys up to 2048 bits
1945 after December 25, 1994; a one-off bug puts that upper limit at 2047 bits
1946 instead. It has been reported that this problem does not appear when MIT
1947 PGP is compiled under certain implementations of Unix. The problem is fixed
1948 in versions 2.7.1 and 2.6.2i, as well as the Mac versions.
1949
1950��*�PGP 2.6ui continues to exhibit the bug in 2.3a where conventionally
1951 encrypted messages, when encrypted twice with the same pass phrase, produce
1952 the same ciphertext.
1953
1954��*�The initial release of PGP 2.6.2i contained a bug related to clearsigned
1955 messages; signed messages containing international characters would always
1956 fail. For that reason, it was immediately pulled from distribution and
1957 re-released later, minus the bug. If you have problems with 2.6.2i, make
1958 sure you downloaded your copy after 7 May 1995.
1959
1960��*�As reported by Steven Markowitz, the following bugs exist in PGP 4.0
1961 Business Edition (the commercial version):
1962
1963 1. Signature retirement does not work. When I retire a key signature, PGP
1964 still treats the key as signed. If I remove the signature from
1965 pubring.pgp, but leave the retirement certificate in the keyring, PGP
1966 still treats the key as signed.
1967
1968 2. Although encrypt-only keys cannot be used to sign documents, PGP allows
1969 them to be used to make key signatures.
1970
1971
1972��*�The international version of PGP has the undocumented +makerandom command,
1973 which can generate a file full of random data. Unfortunately, it does not
1974 work as intended, because the random number generator is not initialized
1975 properly. This does not affect normal PGP operation; the bug is only
1976 present when +makerandom is used.
1977
1978
1979
1980
1981Glossary of cryptographic terms
1982
1983Advanced Encryption Standard (AES)
1984 The Advanced Encryption Standard will be the new standard cryptographic
1985 algorithm for use by U.S. government organizations to protect sensitive
1986 (unclassified) information. The algorithm Rijndael was chosen out of a
1987 group of contending algorithms. It is intended as the successor for DES.
1988 Newer versions of PGP and GPG feature support for AES.
1989
1990Chosen Plain Text Attack
1991 This is the next step up from the Known Plain Text Attack. In this version,
1992 the cryptanalyst can choose what plain text message he wishes to encrypt
1993 and view the results, as opposed to simply taking any old plain text that
1994 he might happen to lay his hands on. If he can recover the key, he can use
1995 it to decode all data encrypted under this key. This is a much stronger
1996 form of attack than known plain text. The better encryption systems will
1997 resist this form of attack.
1998
1999Clipper
2000 A chip developed by the United States Government that was to be used as the
2001 standard chip in all encrypted communications. Aside from the fact that all
2002 details of how the Clipper chip work remain classified, the biggest concern
2003 was the fact that it has an acknowledged trap door in it to allow the
2004 government to eavesdrop on anyone using Clipper provided they first
2005 obtained a wiretap warrant. This fact, along with the fact that it can't be
2006 exported from the United States, has led a number of large corporations to
2007 oppose the idea. Clipper uses an 80 bit key to perform a series of
2008 nonlinear transformation on a 64 bit data block.
2009
2010Data Encryption Standard (DES)
2011 A data encryption standard developed by IBM under the auspices of the
2012 United States Government. It was criticized because the research that went
2013 into the development of the standard remained classified. Concerns were
2014 raised that there might be hidden trap doors in the logic that would allow
2015 the government to break anyone's code if they wanted to listen in. DES uses
2016 a 56 bit key to perform a series of nonlinear transformation on a 64 bit
2017 data block. Even when it was first introduced a number of years ago, it was
2018 criticized for not having a long enough key. 56 bits just didn't put it far
2019 enough out of reach of a brute force attack. Today, with the increasing
2020 speed of hardware and its falling cost, it is feasible to build a machine
2021 that could crack a 56 bit key in under a day's time as demonstrated by
2022 EFF's DES Cracker Project.
2023
2024 For this reason, triple-DES or 3DES is introduced. It uses single-DES to
2025 encrypt the data, then to "decrypt" it with another key and encrypt the
2026 result again with another key. The resulting encryption is as strong as a
2027 hypothetical 112-bit DES.
2028
2029Electronic Frontier Foundation (EFF)
2030 The Electronic Frontier Foundation (EFF) was founded in July 1990, to
2031 assure freedom of expression in digital media, with a particular emphasis
2032 on applying the principles embodied in the Constitution and the Bill of
2033 Rights to computer-based communication. For further information, contact:
2034
2035 Electronic�Frontier�Foundation
2036 1001 G St., NW
2037 Suite 950 East
2038 Washington�DC 20001
2039 United States of America
2040 <eff@eff.org>
2041 +1 202 347 5400
2042 +1 202 393 5509
2043
2044International Data Encryption Algorithm (IDEA)
2045 Developed in Switzerland and used in PGP 2.x as the symmetrical encryption
2046 algorithm. For non-commercial use in PGP licensing fees are waved, for
2047 commercial use licenses must be purchased (see What's with the patent on
2048 IDEA?>). IDEA uses a 128 bit user supplied key to perform a series of
2049 nonlinear mathematical transformations on a 64 bit data block.
2050
2051International Traffic in Arms Regulations (ITAR)
2052 ITAR are the regulations covering the export of weapons and weapons related
2053 technology from the United States.
2054
2055Key Escrow
2056 In general, key escrow means that a copy of the secret key needed to
2057 decrypt something is stored with a third party. This can be a notary or a
2058 bank, who will keep it safely for you, in case you lose your key, or when
2059 you die, in which case your relatives might need access to your encrypted
2060 material.
2061
2062 It is also common in business. When an employee has encrypted material on
2063 his company computer, and he leaves, gets fired, or dies unexpectedly, the
2064 company might not be able to decrypt the material. This can cost them a lot
2065 of money, especially when the employee was working on something very
2066 important. For this reason, a copy of the secret key is usually kept by one
2067 or more supervisors, who can then decrypt the material if necessary. To
2068 ensure that a supervisor does not abuse this power, the key can be split
2069 amongst several persons, who have to work together to restore the key.
2070
2071 Thanks to the US Clipper initiative, this term is now more or less
2072 synonymous with government key escrow, where the government keeps a copy of
2073 all the secret keys in the country. This allows them to read all encrypted
2074 messages being sent, usually for reasons of national security. Many people
2075 object to this type of key escrow, as it can be used to invade people's
2076 privacy very easily.
2077
2078Known Plain Text Attack
2079 A method of attack on a crypto system where the cryptanalyst has matching
2080 copies of plain text, and its encrypted version. With weaker encryption
2081 systems, this can improve the chances of cracking the code and getting at
2082 the plain text of other messages where the plain text is not known.
2083
2084Message Digest Algorithm #5 (MD5)
2085 The message digest algorithm used in PGP is the MD5 Message Digest
2086 Algorithm, placed in the public domain by RSA Data Security, Inc.
2087 � It is conjectured that the difficulty of coming up with two �
2088 messages having the same message digest is on the order of
2089 264 operations, and that the difficulty of coming up with
2090 any message having a given message digest is on the order
2091 of 2128 operations. The MD5 algorithm has been carefully
2092 scrutinized for weaknesses. It is, however, a relatively
2093 new algorithm and further security analysis is of course
2094 justified, as is the case with any new proposal of this
2095 sort. The level of security provided by MD5 should be
2096 sufficient for implementing very high security hybrid
2097 digital signature schemes based on MD5 and the RSA
2098 public-key cryptosystem.
2099 --MD5's designer, Ronald Rivest, writes this about MD5: �
2100
2101Million Instructions Per Second (MIPS)
2102 MIPS stands for Million Instructions Per Second. Usually, this is an
2103 indicator of the computer's brute force power. A MIPS-year is approximately
2104 the amount of computing done by a 1 MIPS computer in one year.
2105
2106Multiple Precision Integer Library (MPILIB)
2107 This is the common name for the set of RSA routines used in PGP 2.3a and
2108 previous, as well as the international versions of PGP. It is alleged to
2109 violate PKP's RSA patent in the USA, but is not otherwise restricted in
2110 usage. It retains its popularity abroad because it outperforms RSAREF and
2111 has fewer legal restrictions as well.
2112
2113National Security Agency (NSA)
2114 � The NSA is the official communications security body of the �
2115 U.S. government. It was given its charter by President
2116 Truman in the early 50's, and has continued research in
2117 cryptology till the present. The NSA is known to be the
2118 largest employer of mathematicians in the world, and is
2119 also the largest purchaser of computer hardware in the
2120 world. Governments in general have always been prime
2121 employers of cryptologists. The NSA probably possesses
2122 cryptographic expertise many years ahead of the public
2123 state of the art, and can undoubtedly break many of the
2124 systems used in practice; but for reasons of national
2125 security almost all information about the NSA is
2126 classified.
2127 --The following information is from the sci.crypt FAQ: �
2128
2129One Time Pad (OTP)
2130 The one time pad is the only encryption scheme that can be proven to be
2131 absolutely unbreakable! It is used extensively by spies because it doesn't
2132 require any hardware to implement and because of its absolute security.
2133 This algorithm requires the generation of many sets of matching encryption
2134 keys pads. Each pad consists of a number of random key characters. These
2135 key characters are chosen completely at random using some truly random
2136 process. They are not generated by any kind of cryptographic key generator.
2137 Each party involved receives matching sets of pads. Each key character in
2138 the pad is used to encrypt one and only one plain text character, then the
2139 key character is never used again. Any violation of these conditions
2140 negates the perfect security available in the one time pad.
2141
2142 So why don't we use the one time pad all the time? The answer is that the
2143 number of random key pads that need to be generated must be at least equal
2144 to the volume of plain text messages to be encrypted, and the fact that
2145 these key pads must somehow be exchanged ahead of time. This becomes
2146 totally impractical in modern high speed communications systems.
2147
2148 Among the more famous of the communications links using a one time pad
2149 scheme is the Washington to Moscow hot line.
2150
2151Pretty Good Privacy (PGP)
2152 The program we're discussing. See question What is PGP?>.
2153
2154Rivest-Shamir-Adleman (RSA)
2155 RSA is the public key encryption method used in PGP. RSA are the initials
2156 of the developers of the algorithm. The basic security in RSA comes from
2157 the fact that, while it is relatively easy to multiply two huge prime
2158 numbers together to obtain their product, it is computationally difficult
2159 to go the reverse direction: to find the two prime factors of a given
2160 composite number. It is this one-way nature of RSA that allows an
2161 encryption key to be generated and disclosed to the world, and yet not
2162 allow a message to be decrypted.
2163
2164RSAREF
2165 This is the free library RSA Data Security, Inc., made available for the
2166 purpose of implementing freeware PEM applications. It implements several
2167 encryption algorithms, including (among others) RSA. MIT PGP uses RSAREF's
2168 RSA routines to avoid the alleged patent problems associated with other
2169 versions of PGP.
2170
2171Rubber-hose cryptoanalysis
2172 A term coined by Marcus J. Ranum to describe the method of breaking a
2173 cryptographic key by beating the owner with a rubber hose until he reveals
2174 his key, a method practiced in many repressive regimes. It is also used for
2175 describing other, less brutal, situations where the owner is forced to give
2176 up his keys (see Can I be forced to reveal my pass phrase in any legal
2177 proceedings?>).
2178
2179Skipjack
2180
2181TEMPEST
2182 TEMPEST is a standard for electromagnetic shielding for computer equipment.
2183 It was created in response to the fact that information can be read from
2184 computer radiation (e.g., from a CRT) at quite a distance and with little
2185 effort. Needless to say, encryption doesn't do much good if the cleartext
2186 is available this way. The typical home computer would fail all of the
2187 TEMPEST standards by a long shot. So, if you are doing anything illegal,
2188 don't expect PGP or any other encryption program to save you. The
2189 government could just set up a monitoring van outside your home and read
2190 everything that you are doing on your computer.
2191
2192PGP/MIME
2193 To be done.
2194
2195Blowfish
2196 To be done.
2197
2198Twofish
2199 To be done.
2200
2201CAST
2202 To be done.
2203
2204
2205-------------------------------------------------------------------------------
2206Colophon
2207
2208This FAQ is compiled from a DocBook source file, because managing such a large
2209amount of information over longer periods of time is impossible without a
2210stable and proven file format. The DocBook source is converted to its output
2211formats with proven, open-source tools such as N. Walsh's DocBook stylesheets,
2212OpenJade, tidy, w3m and LaTeX, together a custom Makefile and FreeBSD's
2213doc.docbook.mk Makefiles. This allows me to easily maintain a consistent look
2214throughout this FAQ, and to make sure that internal references stay correct.
2215-------------------------------------------------------------------------------