The expansion of the connectivity of computers make ways of protecting data andmessages from tampering or reading important. Even the US courts have
What follows is a list of freely available crypto systems, with comments based on mylimited reading in books and on the net. I am not an expert in cryptography, and thefollowing comments are therefor not to be taken as anything but an introductory words onthe subject. For another more extensive source for Cryptography available on the net, goto The International CryptographicSoftware Pages...
The
The alt.security.pgp FAQ also gives adetailed discussion of PGP and its workings.
PGP can also be used to sign messages. It does so by first computing a "hash"of the message using the hash function MD5 (Note that MD5 has recently(May 96) been shownto be weak by Hans Dobbetin.Whether this weakness affects its use in signing in PGP is at present unknown, but theweakness is a worry. Future versions will probably use SHA1, a hash algorithm developed byNSA instead) It then encrypts this hash output (128 bits or 16 bytes) with the secretRSA key of the sender. Any recipient can calculate that same hash output of the receivedmessage, use the senders public key to decrypt the signature. If the outpput tothis decryption agrees with the recipients calculated hash output, then the recipientknows both that the sender actually sent that message, and that not a single bit of thatmessage has been changed. Although in theory such a signing is far more secure than anyphysical holographic signing, it has not as far as I know, ever been tested in a court oflaw.
(Note that MD5 has recently(May 96) been shown to be weaker than hoped by
Another thing that such signing makes possible is time stamping services. In this athird party will take your document or a hash thereof, together with that day's date andencrypt it with their private key, as an authentication of the contents of the document asof that date. To ensure that documents cannot be back or forward dated, hashes of all ofthe time stamps for a certain week can be created and published.
For a free time stamp service see PGPDigital Timestamping service of IT Consulting of the Channel Isles
For a commercial timestamping organisation (which does not use PGP but does use RSA) see
An excellent book on the history and theory of PGP and a detailed guide on how to useit, see the book
PGP- Pretty Good Privacy by Simon Garfinkel (1995) O'Reillyand Associates, Inc, Sebastopol, Calif.
For a beginner's guide to PGP, see David Hamilton's
For other pointer to guides for beginners see
One of the principle repositories for such keys is kept by MIT and can be used at:
or by an international email key retrieval system described at
Four11 offers a White Pages email directory whichincludes certified (by them) PGP keys.
The alternative process, advocated by RSADSI, Netscape, IBM, and other providers ofsecure Web Servers is that a commercial company sign the public key as belonging to theperson or company claiming the key. That commercial company demands documentationdemonstrating the relation of the user of the key to the claimed person using the key.This has the advantage of establishing commercial liability but the disadvantage of beingexpensive (of the order of $300). To ensure that a key has not been "taken over"such commercial digital key certificates are valid only for a limited time (eg, a year),after which time they must be reissued. The trust has been transfered from"trustworthy" people to a "trustworthy" company. One such companyoffering signed digital certificates is
spun off from RSADSI. At present these do not seem to be compatible with the form ofsigned key demanded by PGP. This may well change with the next version of PGP however.
Four11Corporation (formerly SLED) offers a PGP Key Certification service in conjunction withtheir "White Pages Email Service". Theydemand faxed driver's license or passport identification before signing a key and puttingit on their service. The charge is US$20/year.
Arge Daten of Austria alsooffers a PGP key signing service, and garrantees the identity of the owner of the key.Price Aust Schill 300.
For a discussion of public keys and the issues surrounding key signing and trust, read
The main site for the non-commercial version of PGP is at
Zimmermann and others formed a commercial company to further the development of PGP,
PGP Inc has just released a new version of PGP, version 5.0. They have released thisonly as compiled versions for Windows operating systems, although other operating systemsare planned. It is available through the MIT site above. They have published what theyclaim to be the source code in book form, which is apparently being scanned into thecomputer by S Schumacher who will apparently release an "international" version.It is claimed that PGP Inc has stated that they will not release the source code in otherthan printed form. Although this version still supports RSA as the public key encryption,they are attempting to establish ElGamal as the prefered public key system for PGP becauseof the licensing problems with RSA.
In order to keep peace with RSADSI, the exclusive licensor of the MIT patent on RSA,the MIT PGP uses subroutines developed by RSADSI. The "exported" version of PGPhas been altered (by Staale Schumacher) by using the original subroutines written byZimmermann. These International versions are distinguished by an i at theend of the version number. The home page of this international version is the
Finally, some people do not like the licensing terms under which the MIT versions (andalso the i versions) have been released, especially their restrictions on non-commercialuse. They have released so called Unofficial International versions, based on the code inPGP 2.3, a version which was largely coded outside the USA and was released under the GnuPublic License. The latest is 2.63ui (which however has nothing to do with the other 2.6.xversions as far as code is concerned, but is supposed to be interoperable with all theother versions. This now appears to be being organised by
Due to the commercialisation of PGP, a European group has developed
For OS2 compiled versions of PGP, go to http://www.gibbon.com/getpgp.html for a USA version 2.6.2 (export restricted) or to ftp://ftp.pgp.net/pub/pgp/pc/os2/ for an international 2.6.3i version.
All of the above free versions of PGP are licensed by all of Zimmermann, Ascom Systec (for IDEA), RSADSI (for RSAREF), and MIT for non-commercial use only. For a discussion of what this means, see
For a version fully licensed by all parties for commercial use but available only to US and Canadian citizens see
The company, PGP, Inc., formed in March 1996 by Phil Zimmermann purchased Viacrypt in June, 96. The policies of PGP,Inc are still being formed at present. Return to Index
For users of the Theory machines you can register by running the program addpgp, and then using the program pgp.
ENTRUST:
Entrust Technologies, a subsidiary of Nortel, has designed, and is selling, a public key crypto system similar to PGP. It uses RSA as the public key system, and a choice of CAST, DES, TripleDES, or RC2 as the conventional encryption system. They have a version, called SOLO, which is free for non-commercial use. At present SOLO is only for Windows95 or NT. Designed in Canada, they claim to be able to sell or send to anyone almost anywhere in the world. They also have a variety of comercial encryption products.
They apparently do not publish their source code, nor do they allow examination of the raw output of the crypto engine to allow verification that the system operates as it should . This is a weakness of the system (shared by almost all commercial crypto providers, including PGP Inc.)
Their full scale commercial version (Entrust) combines a key management/Certification Authority system with a client encryption/decryption. It appears that they solve the problem of how the organisation can ensure that it can recover the material of employees by having only the central authority create and issue encryption/decryption key pairs, and saving these in a database. This clearly provides a single point of attack for an enemy or a rogue employee. If that database is cracked, all keys of the origanisation become compromised. Users however create their own digital signing key pairs, so that neither the central administration not a cracker can compromise the identity of the users from that central database. Return to Index
IDEA:
IDEA is a cryptosystem which was developed by Dr. X. Lai and Prof. J. Massey in Switzerland in the early 1990s to replace the DES standard. It is a symmetric (same key for encryption and decryption) block (operated on one definite sized block of the message at a time) cypher, operating on 8 bytes at a time, just like DES, but with a key of 128 bits. This key length makes it impossible to break by simply trying every key, and no other means of attack is known. Since it is relatively new, it has not had as much study as has DES. It is fast, and has also been implimented in hardware. It was chosen by Phil Zimmermann for PGP after his own attempt at a cypher had been shown to be weak, and apparently because of worries he had about the security and key length of DES. IDEA is patented in Europe [ Austria, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, UK] , in the USA and in Japan(pending). Ascom Systec is the holder of the patents. PGP has a license to use it for non-commercial use only. Return to Index
In early 1995 a routine was published anonymously on the Newsgroups claiming to be RC4. It was tested against a valid copy of RC4, and the tests seemed to indicate that it acted identically to the the real RC4. To the extent that this alleged RC4 is identical to the real one, it is no longer a trade secret, and is no longer proprietary.
It is a cypher with a key size of up to 2048 bits (256 bytes), which, on the brief examination given it over the past year or so seems to be a relatively fast and strong cypher. It is a " stream " cypher, creating a stream of random bytes and XORing those bytes with the text. Using it with the same key on two different messages makes it very weak. It is thus useful in situations in which a new key can be chosen for each message.
The source (in C for Unix) for the alleged RC4 can be obtained from
Note that the same warning is also true for the so called encryption routines included in Word Perfect, Word for Windows, PKZip, and others.
RSA:
RSA is a cypher based on the concept of a trapdoor function. This is a function which is easily calculated, but whose inverse is extremely difficult to calculate. In the RSA case, this function is factoring. Take two prime numbers, p and q, (ie numbers which cannot be divided evenly by any other number), and multiply them together to get their product N. This is very easily done. However, if we only know N, then it is extremely difficult to determine what the factors p and q are if N is sufficienlty large. Typically in crypography, N takes a value of greater than 500 bits (150 digits). The message is written as a series of numbers each of which is smaller than N but has approximately the same length as N. Each of these message numbers M are then multiplied by themselves e times. (In PGP ,e is often taken to have the value 17). Then the result of that set of multiplications is divided by N, and only the remainder of that division is kept and is the encrypted message. To decrypt the message, the recipient uses another specially chosen number d, which is typically a very large number (of the order of half the length of N). This number is chosen so that if we now multiply the encrypted message with itself d times, divide by N, and keep only the remainder, then we get the original message back. The only way known to find d is to know p and q. e and N are the public key, which is published, while d is the private key, which must be kept secret. e and d are symmetric in that using either as the encryption key, the other can be used as the decryption key. This is what makes signing possible. RSA is patented in the USA by MIT, who granted exclusive rights to license the product to RSA Data Security, Inc.(RSADSI). Elsewhere in the world RSA is free from proprietary restrictions to the best of my knowledge except for copyright on code written by RSADSI themselves. Return to Index
DH can also be used in a public key crypto system. To use it in this way, the recipient publishes g,m, h1 and the sender chooses a random exponent e2 and sends h2 along with the message encrypted using the private key crypto system and the key k. This system does not have the feature that one can easily sign messages, as with RSA. It has the political advantage that the patent expires in 1997. It also depends for its security on both recipient and sender choosing exponents e1 and e2 in a strong way.
Rumours exist that PGP will use DH and triple DES (perhaps along with RSA and IDEA for backwards compatability) in a future version to get around the licensing problems of RSA and IDEA. Return to Index
Bruce Schneier's page. He is the inventor of the BLOWFISHalgorithm and author of the excellent book Applied Cryptography.
http://www.cs.hut.fi/ssh/crypto/algorithms.html contains a discussion of freelyavailable algorithms more extensive than the one here, and pointers to obtaining them.
SecSplit Splita secret into N parts of which any M parts can be used to reconstruct the secret. Usefulfor giving secrets like encryption keys, to others to store for you , but requiring anumber of them to all get together to reveal the secret.
CryptLib- alibrary of encryption routines and hash algorithms (DES,3DES, IDEA, Blowfish, Blowfish-SK,RC2, RC4, RC5, Safer, Safer-SK, RSA, DSS, MD5, SHA). Written by
Matt Curtin'sBeware of "Snake Oil" (also available from
The non-commercial version of PGP set the standard by releasing the full source codeand allowing the user to compile that code themselves. This is clearly impractical forcommercial software. However, the encryption engines of the software should be accessibleand inspectable, and replaceable if need be. The key point is that by its very design,whether or not the program is secure is almost impossible to determine from the output ofthe program as a whole. It is only if the user has access to each of the parts of theprogram that the user can be assured of the proper operation of the whole. Thus, in PGPfor example, the IDEA encryption engine, the RSA encryption, and the key generationengines should all be in seperate modules with well described entry points for the mainprogram. In this wat the user can test to make sure that the program works as advertised,and that the main program does not insert any additional material into the messages whichcould comprimise security. With the possiblity of people and companies entrusting largesums of money or information to the encryption program, accepting anything less iscompletely irresponsible on the part of the user.
Note that it is not necessary that every user actually test every feature. A few will,and any weaknesses will soon be revealed. It is also crucial to remember that ifcryptography fails, that failure is in general completely invisible to the user. It isonly when the user's security or information have already been comprimised that theweakness may become evident (and ususally not even then).
It is depressing that none of the commercial purveyors of cryptography (includingNetscape, PGP Inc, or RSADSI) seem to recognise the importance of such openess in the saleof cryptography.
As mentioned above, the export of cryptograpy was controlled in the USA by a set ofregulations called ITAR. Athoughdesigned to control military, not civilian, technology, the sudden expansion of the use ofcivilian cryptograpy has left these regulations still controlling it as though it were ofpurely military significance. There is also a feeling that certain branches of the USgovernment would like to keep it this way, despite the overwhelming demand for civiliancryptography. Recently the USA has promulgated a
The above situation changes in the new year (Jan 1997) when control of civiliancryptography was removed from the ITAR regulations and put under the control of the Dept.of Commerce. These new regulations areunfortunately far less readable than are the ITAR regulations so figuring out what isallowed and what not has become far more complicated. These regulations appear to haveexpanded, rather than contracted, the control over cryptography.
However the whole of the regulations controling the export of cryptography in the USAhas been thrown into confusion by the
Canada also has a set of laws governing the export of military technology called the
The status of PGP and other publicly available cryptography under this set ofregulations is somewhat unclear to me. The key sections of relevance to PGP are
Whether or not the above comments have any legal validity, I have no idea. Thus youshould check with competent legal council before exporting PGP or any other cryptographicsoftware from Canada.
Evidence that the Canadian situation may be much freer than the US one is that the
[Note that I am not a lawyer, and base the above interpretation purely on my reading ofthe law as a layman. It is not legal advice, nor should it be taken as such.]
Marc Plumb has tested the ECL by applying for permission to export variouscryptographic products from Canada. For his experience and his comments on the ECL see
Canada is in the process of reviewing its policies on Cryptography. See the paper
For a survey of cryptography laws worldwide see