![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to pgpdoc2.txt CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [PGP] / pgp / doc|
Return to pgpdoc2.txt CVS log | Up to [PGP] / pgp / doc |
1.1.1.7 ! root 1: [Note: The following is the original documentation for MIT's PGP ! 2: 2.6.2, included here in unmodified version. For an explanation on ! 3: how PGP 2.6.3i differs from 2.6.2, see the file readme.1st.] ! 4: ! 5: ! 6: ! 7: Phil's Pretty Good Software ! 8: Presents ! 9: ! 10: ======= ! 11: PGP(tm) ! 12: ======= ! 13: ! 14: Pretty Good(tm) Privacy ! 15: Public Key Encryption for the Masses ! 16: ! 17: ! 18: ------------------------- ! 19: PGP(tm) User's Guide ! 20: Volume II: Special Topics ! 21: ------------------------- ! 22: by Philip Zimmermann ! 23: Revised 11 October 94 ! 24: ! 25: ! 26: PGP Version 2.6.2 - 11 Oct 94 ! 27: Software by ! 28: Philip Zimmermann, and many others. ! 29: ! 30: ! 31: ! 32: ! 33: Synopsis: PGP(tm) uses public-key encryption to protect E-mail and ! 34: data files. Communicate securely with people you've never met, with ! 35: no secure channels needed for prior exchange of keys. PGP is well ! 36: featured and fast, with sophisticated key management, digital ! 37: signatures, data compression, and good ergonomic design. ! 38: ! 39: ! 40: Software and documentation (c) Copyright 1990-1994 Philip Zimmermann. ! 41: All rights reserved. For information on PGP licensing, distribution, ! 42: copyrights, patents, trademarks, liability limitations, and export ! 43: controls, see the "Legal Issues" section. Distributed by the ! 44: Massachusetts Institute of Technology. ! 45: ! 46: ! 47: Contents ! 48: ======== ! 49: ! 50: Quick Overview ! 51: Special Topics ! 52: Selecting Keys via Key ID ! 53: Separating Signatures from Messages ! 54: Decrypting the Message and Leaving the Signature on it ! 55: Sending ASCII Text Files Across Different Machine Environments ! 56: Using PGP as a Better Uuencode ! 57: Leaving No Traces of Plaintext on the Disk ! 58: Displaying Decrypted Plaintext on Your Screen ! 59: Making a Message For Her Eyes Only ! 60: Preserving the Original Plaintext Filename ! 61: Editing Your User ID or Pass Phrase ! 62: Editing the Trust Parameters for a Public Key ! 63: Checking If Everything is OK on Your Public Key Ring ! 64: Verifying a Public Key Over the Phone ! 65: Handling Large Public Keyrings ! 66: Using PGP as a Unix-style Filter ! 67: Suppressing Unnecessary Questions: BATCHMODE ! 68: Force "Yes" Answer to Confirmation Questions: FORCE ! 69: PGP Returns Exit Status to the Shell ! 70: Environmental Variable for Pass Phrase ! 71: Setting Parameters in the PGP Configuration File ! 72: TMP - Directory Pathname for Temporary Files ! 73: LANGUAGE - Foreign Language Selector ! 74: MYNAME - Default User ID for Making Signatures ! 75: TEXTMODE - Assuming Plaintext is a Text File ! 76: CHARSET - Specifies Local Character Set for Text Files ! 77: ARMOR - Enable ASCII Armor Output ! 78: ARMORLINES - Size of ASCII Armor Multipart Files ! 79: KEEPBINARY - Keep Binary Ciphertext Files After Decrypting ! 80: COMPRESS - Enable Compression ! 81: COMPLETES_NEEDED - Number of Completely Trusted Introducers Needed ! 82: MARGINALS_NEEDED - Number of Marginally Trusted Introducers Needed ! 83: CERT_DEPTH - How Deep May Introducers Be Nested ! 84: BAKRING - Filename for Backup Secret Keyring ! 85: PUBRING - Filename for Your Public Keyring ! 86: SECRING - Filename for Your Secret Keyring ! 87: RANDSEED - Filename for Random Number Seed ! 88: PAGER - Selects Shell Command to Display Plaintext Output ! 89: SHOWPASS - Echo Pass Phrase to User ! 90: TZFIX - Timezone Adjustment ! 91: CLEARSIG - Enable Signed Messages to be Encapsulated as Clear Text ! 92: VERBOSE - Quiet, Normal, or Verbose Messages ! 93: INTERACTIVE - Ask for Confirmation for Key Adds ! 94: NOMANUAL - Let PGP Generate Keys Without the Manual ! 95: A Peek Under the Hood ! 96: Random Numbers ! 97: PGP's Conventional Encryption Algorithm ! 98: Data Compression ! 99: Message Digests and Digital Signatures ! 100: Compatibility with Previous and Future Versions of PGP ! 101: Vulnerabilities ! 102: Compromised Pass Phrase and Secret Key ! 103: Public Key Tampering ! 104: "Not Quite Deleted" Files ! 105: Viruses and Trojan Horses ! 106: Physical Security Breach ! 107: Tempest Attacks ! 108: Exposure on Multi-user Systems ! 109: Traffic Analysis ! 110: Protecting Against Bogus Timestamps ! 111: Cryptanalysis ! 112: Legal Issues ! 113: Trademarks, Copyrights, and Warranties ! 114: Patent Rights on the Algorithms ! 115: Freeware Status and Restrictions ! 116: Restrictions on Commercial Use of PGP ! 117: Other Licensing Restrictions ! 118: Distribution ! 119: Export Controls ! 120: Philip Zimmermann's Legal Situation ! 121: Other Sources of Information on PGP ! 122: Where to Get a Commercial Version of PGP ! 123: Reporting PGP Bugs ! 124: Fan Mail, Updates, and News ! 125: Computer-Related Political Groups ! 126: Recommended Readings ! 127: To Contact the Author ! 128: Appendix A: Where to Get PGP ! 129: ! 130: ! 131: Quick Overview ! 132: ============== ! 133: ! 134: Pretty Good(tm) Privacy (PGP), from Phil's Pretty Good Software, is a ! 135: high security cryptographic software application for MSDOS, Unix, ! 136: VAX/VMS, and other computers. PGP combines the convenience of the ! 137: Rivest-Shamir-Adleman (RSA) public key cryptosystem with the speed of ! 138: conventional cryptography, message digests for digital signatures, ! 139: data compression before encryption, good ergonomic design, and ! 140: sophisticated key management. ! 141: ! 142: This volume II of the PGP User's Guide covers advanced topics about ! 143: PGP that were not covered in the "PGP User's Guide, Volume I: ! 144: Essential Topics". You should first read the Essential Topics ! 145: volume, or this manual won't make much sense to you. Reading this ! 146: Special Topics volume is optional, except for the legal issues ! 147: section, which everyone should read. ! 148: ! 149: ! 150: ! 151: Special Topics ! 152: =============== ! 153: ! 154: ! 155: Selecting Keys via Key ID ! 156: ------------------------- ! 157: ! 158: In all commands that let the user type a user ID or fragment of a ! 159: user ID to select a key, the hexadecimal key ID may be used instead. ! 160: Just use the key ID, with a prefix of "0x", in place of the user ID. ! 161: For example: ! 162: ! 163: pgp -kv 0x67F7 ! 164: ! 165: This would display all keys that had 67F7 as part of their key IDs. ! 166: ! 167: This feature is particularly useful if you have two different keys ! 168: from the same person, with the same user ID. You can unambiguously ! 169: pick which key you want by specifying the key ID. ! 170: ! 171: ! 172: Separating Signatures from Messages ! 173: ----------------------------------- ! 174: ! 175: Normally, signature certificates are physically attached to the text ! 176: they sign. This makes it convenient in simple cases to check ! 177: signatures. It is desirable in some circumstances to have signature ! 178: certificates stored separately from the messages they sign. It is ! 179: possible to generate signature certificates that are detached from ! 180: the text they sign. To do this, combine the 'b' (break) option with ! 181: the 's' (sign) option. For example: ! 182: ! 183: pgp -sb letter.txt ! 184: ! 185: This example produces an isolated signature certificate in a file ! 186: called "letter.sig". The contents of letter.txt are not appended to ! 187: the signature certificate. ! 188: ! 189: After creating the signature certificate file (letter.sig in the ! 190: above example), send it along with the original text file to the ! 191: recipient. The recipient must have both files to check the signature ! 192: integrity. When the recipient attempts to process the signature ! 193: file, PGP notices that there is no text in the same file with the ! 194: signature and prompts the user for the filename of the text. Only ! 195: then can PGP properly check the signature integrity. If the ! 196: recipient knows in advance that the signature is detached from the ! 197: text file, she can specify both filenames on the command line: ! 198: ! 199: pgp letter.sig letter.txt ! 200: or: pgp letter letter.txt ! 201: ! 202: PGP will not have to prompt for the text file name in this case. ! 203: ! 204: A detached signature certificate is useful if you want to keep the ! 205: signature certificate in a separate certificate log. A detached ! 206: signature of an executable program is also useful for detecting a ! 207: subsequent virus infection. It is also useful if more than one party ! 208: must sign a document such as a legal contract, without nesting ! 209: signatures. Each person's signature is independent. ! 210: ! 211: If you receive a ciphertext file that has the signature certificate ! 212: glued to the message, you can still pry the signature certificate ! 213: away from the message during the decryption. You can do this with ! 214: the -b option during decrypt, like so: ! 215: ! 216: pgp -b letter ! 217: ! 218: This decrypts the letter.pgp file and if there is a signature in it, ! 219: PGP checks the signature and detaches it from the rest of the ! 220: message, storing it in the file letter.sig. ! 221: ! 222: ! 223: Decrypting the Message and Leaving the Signature on it ! 224: ------------------------------------------------------ ! 225: ! 226: Usually, you want PGP to completely unravel a ciphertext file, ! 227: decrypting it and checking the nested signature if there is one, ! 228: peeling away the layers until you are left with only the original ! 229: plaintext file. ! 230: ! 231: But sometimes you want to decrypt an encrypted file, and leave the ! 232: inner signature still attached, so that you are left with a decrypted ! 233: signed message. This may be useful if you want to send a copy of a ! 234: signed document to a third party, perhaps re-enciphering it. For ! 235: example, suppose you get a message signed by Charlie, encrypted to ! 236: you. You want to decrypt it, and, leaving Charlie's signature on it, ! 237: you want to send it to Alice, perhaps re-enciphering it with Alice's ! 238: public key. No problem. PGP can handle that. ! 239: ! 240: To simply decrypt a message and leave the signature on it intact, ! 241: type: ! 242: ! 243: pgp -d letter ! 244: ! 245: This decrypts letter.pgp, and if there is an inner signature, it is ! 246: left intact with the decrypted plaintext in the output file. ! 247: ! 248: Now you can archive it, or maybe re-encrypt it and send it to someone ! 249: else. ! 250: ! 251: ! 252: ! 253: Sending ASCII Text Files Across Different Machine Environments ! 254: -------------------------------------------------------------- ! 255: ! 256: You may use PGP to encrypt any kind of plaintext file, binary 8-bit ! 257: data or ASCII text. Probably the most common usage of PGP will be for ! 258: E-mail, when the plaintext is ASCII text. ! 259: ! 260: ASCII text is sometimes represented differently on different ! 261: machines. For example, on an MSDOS system, all lines of ASCII text ! 262: are terminated with a carriage return followed by a linefeed. On a ! 263: Unix system, all lines end with just a linefeed. On a Macintosh, all ! 264: lines end with just a carriage return. This is a sad fact of life. ! 265: ! 266: Normal unencrypted ASCII text messages are often automatically ! 267: translated to some common "canonical" form when they are transmitted ! 268: from one machine to another. Canonical text has a carriage return ! 269: and a linefeed at the end of each line of text. For example, the ! 270: popular KERMIT communication protocol can convert text to canonical ! 271: form when transmitting it to another system. This gets converted ! 272: back to local text line terminators by the receiving KERMIT. This ! 273: makes it easy to share text files across different systems. ! 274: ! 275: But encrypted text cannot be automatically converted by a ! 276: communication protocol, because the plaintext is hidden by ! 277: encipherment. To remedy this inconvenience, PGP lets you specify ! 278: that the plaintext should be treated as ASCII text (not binary data) ! 279: and should be converted to canonical text form before it gets ! 280: encrypted. At the receiving end, the decrypted plaintext is ! 281: automatically converted back to whatever text form is appropriate for ! 282: the local environment. ! 283: ! 284: To make PGP assume the plaintext is text that should be converted to ! 285: canonical text before encryption, just add the "t" option when ! 286: encrypting or signing a message, like so: ! 287: ! 288: pgp -et message.txt her_userid ! 289: ! 290: This mode is automatically turned off if PGP detects that the ! 291: plaintext file contains what it thinks is non-text binary data. ! 292: ! 293: If you need to use the -t option a lot, you can just turn on the ! 294: TEXTMODE flag in the PGP configuration file. That's what I do. ! 295: ! 296: For PGP users that use non-English 8-bit character sets, when PGP ! 297: converts text to canonical form, it may convert data from the local ! 298: character set into the LATIN1 (ISO 8859-1 Latin Alphabet 1) character ! 299: set, depending on the setting of the CHARSET parameter in the PGP ! 300: configuration file. LATIN1 is a superset of ASCII, with extra ! 301: characters added for many European languages. ! 302: ! 303: ! 304: ! 305: Using PGP as a Better Uuencode ! 306: ------------------------------ ! 307: ! 308: A lot of people in the Unix world send binary data files through ! 309: E-mail channels by using the Unix "uuencode" utility to convert the ! 310: file into printable ASCII characters that can be sent via email. No ! 311: encryption is involved, so neither the sender nor the recipient need ! 312: any special keys. The uuencode format was designed for a similar ! 313: purpose as PGP's radix-64 ASCII transport armor format described in ! 314: the "Sending Ciphertext Through E-mail Channels: Radix-64 Format" ! 315: section, but not as good. A different radix-64 character set is ! 316: used. Uuencode has its problems, such as 1) several slightly ! 317: incompatible character sets for different versions of uuencode in the ! 318: MSDOS and Unix worlds, and 2) the data can be corrupted by some ! 319: E-mail gateways that strip trailing blanks or do other modifications ! 320: to the character set used by uuencode. ! 321: ! 322: PGP may be used in a manner that offers the same general features as ! 323: uuencode, and then some. You can get PGP to just convert a file into ! 324: PGP's radix-64 ASCII transport armor format, but you don't have to ! 325: encrypt the file or sign it, so no keys are needed by either party. ! 326: Simply use the -a option alone. For example: ! 327: ! 328: pgp -a filename ! 329: ! 330: This would produce a radix-64 armored file called "filename.asc". ! 331: ! 332: If you read the "Sending Ciphertext Through E-mail Channels: Radix-64 ! 333: Format" section, you will see that PGP's approach offers several ! 334: important advantages over the uuencode approach: ! 335: ! 336: * PGP will break big files up into chunks small enough to E-mail. ! 337: * PGP will append a CRC error detection code to each chunk. ! 338: * PGP will attempt to compress the data before converting it to ! 339: radix-64 armor. ! 340: * PGP's radix-64 character set is more resilient to E-mail character ! 341: conversions than the one used by uuencode. ! 342: * Textfiles can be converted by the sender to canonical text ! 343: format, as explained in the "Sending ASCII Text Files Across ! 344: Different Machine Environments" section. ! 345: ! 346: The recipient can restore the sender's original filename by ! 347: unwrapping the message with PGP's -p option. You can use "pgp -a" in ! 348: any situation in which you could have used uuencode, if the recipient ! 349: also has PGP. PGP is a better uuencode than uuencode. ! 350: ! 351: ! 352: ! 353: Leaving No Traces of Plaintext on the Disk ! 354: ------------------------------------------ ! 355: ! 356: After PGP makes a ciphertext file for you, you can have PGP ! 357: automatically overwrite the plaintext file and delete it, leaving no ! 358: trace of plaintext on the disk so that no one can recover it later ! 359: using a disk block scanning utility. This is useful if the plaintext ! 360: file contains sensitive information that you don't want to keep ! 361: around. ! 362: ! 363: To wipe out the plaintext file after producing the ciphertext file, ! 364: just add the "w" (wipe) option when encrypting or signing a message, ! 365: like so: ! 366: ! 367: pgp -esw message.txt her_userid ! 368: ! 369: This example creates the ciphertext file "message.pgp", and the ! 370: plaintext file "message.txt" is destroyed beyond recovery. ! 371: ! 372: Obviously, you should be careful with this option. Also note that ! 373: this will not wipe out any fragments of plaintext that your word ! 374: processor might have created on the disk while you were editing the ! 375: message before running PGP. Most word processors create backup ! 376: files, scratch files, or both. Also, it overwrites the file only ! 377: once, which is enough to thwart conventional disk recovery efforts, ! 378: but not enough to withstand a determined and sophisticated effort to ! 379: recover the faint magnetic traces of the data using special disk ! 380: recovery hardware. ! 381: ! 382: ! 383: ! 384: Displaying Decrypted Plaintext on Your Screen ! 385: --------------------------------------------- ! 386: ! 387: To view the decrypted plaintext output on your screen (like the ! 388: Unix-style "more" command), without writing it to a file, use the -m ! 389: (more) option while decrypting: ! 390: ! 391: pgp -m ciphertextfile ! 392: ! 393: This displays the decrypted plaintext display on your screen one ! 394: screenful at a time. ! 395: ! 396: ! 397: ! 398: Making a Message For Her Eyes Only ! 399: ---------------------------------- ! 400: ! 401: To specify that the recipient's decrypted plaintext will be shown ! 402: ONLY on her screen and will not be saved to disk, add the -m option: ! 403: ! 404: pgp -sem message.txt her_userid ! 405: ! 406: Later, when the recipient decrypts the ciphertext with her secret key ! 407: and pass phrase, the plaintext will be displayed on her screen but ! 408: will not be saved to disk. The text will be displayed as it would if ! 409: she used the Unix "more" command, one screenful at a time. If she ! 410: wants to read the message again, she will have to decrypt the ! 411: ciphertext again. ! 412: ! 413: This feature is the safest way for you to prevent your sensitive ! 414: message from being inadvertently left on the recipient's disk. This ! 415: feature was added at the request of a user who wanted to send ! 416: intimate messages to his lover, but was afraid she might accidentally ! 417: leave the decrypted messages on her husband's computer. ! 418: ! 419: Note that this feature will not prevent a clever and determined ! 420: person from finding a way to save the decrypted plaintext to disk-- ! 421: it's to help prevent a casual user from doing it inadvertently. ! 422: ! 423: ! 424: ! 425: Preserving the Original Plaintext Filename ! 426: ------------------------------------------ ! 427: ! 428: Normally, PGP names the decrypted plaintext output file with a name ! 429: similar to the input ciphertext filename, but dropping the ! 430: extension. Or, you can override that convention by specifying an ! 431: output plaintext filename on the command line with the -o option. ! 432: For most E-mail, this is a reasonable way to name the plaintext file, ! 433: because you get to decide its name when you decipher it, and your ! 434: typical E-mail messages often come from useless original plaintext ! 435: filenames like "to_phil.txt". ! 436: ! 437: But when PGP encrypts a plaintext file, it always saves the original ! 438: filename and attaches it to the plaintext before it compresses and ! 439: encrypts the plaintext. Normally, this hidden original filename is ! 440: discarded by PGP when it decrypts, but you can tell PGP you want to ! 441: preserve the original plaintext filename and use it as the name of ! 442: the decrypted plaintext output file. This is useful if PGP is used ! 443: on files whose names are important to preserve. ! 444: ! 445: To recover the original plaintext filename while decrypting, add ! 446: the -p option, like so: ! 447: ! 448: pgp -p ciphertextfile ! 449: ! 450: I usually don't use this option, because if I did, about half of my ! 451: incoming E-mail would decrypt to the same plaintext filenames of ! 452: "to_phil.txt" or "prz.txt". ! 453: ! 454: ! 455: ! 456: Editing Your User ID or Pass Phrase ! 457: ----------------------------------- ! 458: ! 459: Sometimes you may need to change your pass phrase, perhaps because ! 460: someone looked over your shoulder while you typed it in. ! 461: ! 462: Or you may need to change your user ID, because you got married and ! 463: changed your name, or maybe you changed your E-mail address. Or ! 464: maybe you want to add a second or third user ID to your key, because ! 465: you may be known by more than one name or E-mail address or job ! 466: title. PGP lets you attach more than one user ID to your key, any ! 467: one of which may be used to look up your key on the key ring. ! 468: ! 469: To edit your own userid or pass phrase for your secret key: ! 470: ! 471: pgp -ke userid [keyring] ! 472: ! 473: PGP prompts you for a new user ID or a new pass phrase. ! 474: ! 475: If you edit your user ID, PGP actually adds a new user ID, without ! 476: deleting the old one. If you want to delete an old user ID, you will ! 477: have to do that in a separate operation. ! 478: ! 479: The optional [keyring] parameter, if specified, must be a public ! 480: keyring, not a secret keyring. The userid field must be your own ! 481: userid, which PGP knows is yours because it appears on both your ! 482: public keyring and your secret keyring. Both keyrings will be ! 483: updated, even though you only specified the public keyring. ! 484: ! 485: The -ke command works differently depending on whether you use it on ! 486: a public or secret key. It can also be used to edit the trust ! 487: parameters for a public key. ! 488: ! 489: ! 490: Editing the Trust Parameters for a Public Key ! 491: --------------------------------------------- ! 492: ! 493: Sometimes you need to alter the trust parameters for a public key on ! 494: your public key ring. For a discussion on what these trust ! 495: parameters mean, see the section "How Does PGP Keep Track of Which ! 496: Keys are Valid?" in the Essential Topics volume of the PGP User's ! 497: Guide. ! 498: ! 499: To edit the trust parameters for a public key: ! 500: ! 501: pgp -ke userid [keyring] ! 502: ! 503: The optional [keyring] parameter, if specified, must be a public ! 504: keyring, not a secret keyring. ! 505: ! 506: ! 507: ! 508: Checking If Everything is OK on Your Public Key Ring ! 509: ---------------------------------------------------- ! 510: ! 511: Normally, PGP automatically checks any new keys or signatures on your ! 512: public key ring and updates all the trust parameters and validity ! 513: scores. In theory, it keeps all the key validity status information ! 514: up to date as material is added to or deleted from your public key ! 515: ring. But perhaps you may want to explicitly force PGP to perform a ! 516: comprehensive analysis of your public key ring, checking all the ! 517: certifying signatures, checking the trust parameters, updating all ! 518: the validity scores, and checking your own ultimately-trusted key ! 519: against a backup copy on a write-protected floppy disk. It may be a ! 520: good idea to do this hygienic maintenance periodically to make sure ! 521: nothing is wrong with your public key ring. To force PGP to perform ! 522: a full analysis of your public key ring, use the -kc (key ring check) ! 523: command: ! 524: ! 525: pgp -kc ! 526: ! 527: You can also make PGP check all the signatures for just a single ! 528: selected public key by: ! 529: ! 530: pgp -kc userid [keyring] ! 531: ! 532: For further information on how the backup copy of your own key is ! 533: checked, see the description of the BAKRING parameter in the ! 534: configuration file section of this manual. ! 535: ! 536: ! 537: ! 538: Verifying a Public Key Over the Phone ! 539: ------------------------------------- ! 540: ! 541: If you get a public key from someone that is not certified by anyone ! 542: you trust, how can you tell if it's really their key? The best way ! 543: to verify an uncertified key is to verify it over some independent ! 544: channel other than the one you received the key through. One ! 545: convenient way to tell, if you know this person and would recognize ! 546: them on the phone, is to call them and verify their key over the ! 547: telephone. Rather than reading their whole tiresome (ASCII-armored) ! 548: key to them over the phone, you can just read their key's ! 549: "fingerprint" to them. To see this fingerprint, use the -kvc ! 550: command: ! 551: ! 552: pgp -kvc userid [keyring] ! 553: ! 554: This will display the key with the 16-byte digest of the public key ! 555: components. Read this 16-byte fingerprint to the key's owner on the ! 556: phone, while she checks it against her own, using the same -kvc ! 557: command at her end. ! 558: ! 559: You can both verify each other's keys this way, and then you can sign ! 560: each other's keys with confidence. This is a safe and convenient way ! 561: to get the key trust network started for your circle of friends. ! 562: ! 563: Note that sending a key fingerprint via E-mail is not the best way to ! 564: verify the key, because E-mail can be intercepted and modified. It's ! 565: best to use a different channel than the one that was used to send ! 566: the key itself. A good combination is to send the key via E-mail, ! 567: and the key fingerprint via a voice telephone conversation. Some ! 568: people distribute their key fingerprint on their business cards, ! 569: which looks really cool. ! 570: ! 571: For current versions of PGP, the key fingerprint is computed using ! 572: the MD5 hash function. A future version of PGP will optionally use a ! 573: new and different hash function, SHA, instead of MD5. ! 574: ! 575: If you don't know me, please don't call me to verify my key over the ! 576: phone-- I get too many calls like that. Since every PGP user has a ! 577: copy of my public key, no one could tamper with all the copies that ! 578: are out there. The discrepancy would soon be noticed by someone who ! 579: checked it from more than one source, and word would soon get out on ! 580: the Internet. ! 581: ! 582: For those of you who want to verify my public key (included in the ! 583: standard PGP release package), here are the particulars: ! 584: ! 585: UserID: "Philip R. Zimmermann <[email protected]>" ! 586: Key Size: 1024 bits; Creation date: 21 May 1993; KeyID: C7A966DD ! 587: Key fingerprint: 9E 94 45 13 39 83 5F 70 7B E7 D8 ED C4 BE 5A A6 ! 588: ! 589: The information printed above conceivably could still be tampered ! 590: with in the electronic distribution of the PGP User's Guide. But if ! 591: you read this in the printed version of the manual, available in ! 592: bookstores from MIT Press, it's a safe bet that it really is my own ! 593: key's fingerprint. ! 594: ! 595: ! 596: Handling Large Public Keyrings ! 597: ------------------------------ ! 598: ! 599: PGP was originally designed for handling small personal keyrings for ! 600: keeping all your friends on, like a personal rolodex. A couple ! 601: hundred keys is a reasonable size for such a keyring. But as PGP has ! 602: become more popular, people are now trying to add other large ! 603: keyrings to their own keyring. Sometimes this involves adding ! 604: thousands of keys to your keyring. PGP, in its present form, cannot ! 605: perform this operation in a reasonable period of time, while you wait ! 606: at your keyboard. Not for huge keyrings. ! 607: ! 608: You may want to add a huge "imported" keyring to your own keyring, ! 609: because you are only interested in a few dozen keys on the bigger ! 610: keyring you are bringing in. If that's all you want from the other ! 611: keyring, it would be more efficient if you extract the few keys you ! 612: need from the big foreign keyring, and then add just these few keys ! 613: to your own keyring. Use the -kx command to extract them from the ! 614: foreign keyring, specifying the keyring name on the command line. ! 615: Then add these extracted keys to your own keyring. ! 616: ! 617: The real solution is to improve PGP to use advanced database ! 618: techniques to manage large keyrings efficiently. We are working on ! 619: this, and should have it done Real Soon Now. Until this happens, you ! 620: will just have to use smaller keyrings, or be patient. ! 621: ! 622: ! 623: ! 624: Using PGP as a Unix-style Filter ! 625: -------------------------------- ! 626: ! 627: Unix fans are accustomed to using Unix "pipes" to make two ! 628: applications work together. The output of one application can be ! 629: directly fed through a pipe to be read as input to another ! 630: application. For this to work, the applications must be capable of ! 631: reading the raw material from "standard input" and writing the ! 632: finished output to "standard output". PGP can operate in this mode. ! 633: If you don't understand what this means, then you probably don't need ! 634: this feature. ! 635: ! 636: To use a Unix-style filter mode, reading from standard input and ! 637: writing to standard output, add the -f option, like so: ! 638: ! 639: pgp -feast her_userid <inputfile >outputfile ! 640: ! 641: This feature makes it easier to make PGP work with electronic mail ! 642: applications. ! 643: ! 644: When using PGP in filter mode to decrypt a ciphertext file, you may ! 645: find it useful to use the PGPPASS environmental variable to hold the ! 646: pass phrase, so that you won't be prompted for it. The PGPPASS ! 647: feature is explained below. ! 648: ! 649: ! 650: Suppressing Unnecessary Questions: BATCHMODE ! 651: ---------------------------------------------- ! 652: ! 653: With the BATCHMODE flag enabled on the command line, PGP will not ask ! 654: any unnecessary questions or prompt for alternate filenames. Here ! 655: is an example of how to set this flag: ! 656: ! 657: pgp +batchmode cipherfile ! 658: ! 659: This is useful for running PGP non-interactively from Unix shell ! 660: scripts or MSDOS batch files. Some key management commands still ! 661: need user interaction even when BATCHMODE is on, so shell scripts may ! 662: need to avoid them. ! 663: ! 664: BATCHMODE may also be enabled to check the validity of a signature on ! 665: a file. If there was no signature on the file, the exit code is 1. ! 666: If it had a signature that was good, the exit code is 0. ! 667: ! 668: ! 669: Force "Yes" Answer to Confirmation Questions: FORCE ! 670: ---------------------------------------------------- ! 671: ! 672: This command-line flag makes PGP assume "yes" for the user response ! 673: to the confirmation request to overwrite an existing file, or when ! 674: removing a key from the keyring via the -kr command. Here is an ! 675: example of how to set this flag: ! 676: ! 677: pgp +force cipherfile ! 678: or: ! 679: pgp -kr +force Smith ! 680: ! 681: This feature is useful for running PGP non-interactively from a Unix ! 682: shell script or MSDOS batch file. ! 683: ! 684: ! 685: ! 686: PGP Returns Exit Status to the Shell ! 687: ------------------------------------ ! 688: ! 689: To facilitate running PGP in "batch" mode, such as from an MSDOS ! 690: ".bat" file or from a Unix shell script, PGP returns an error exit ! 691: status to the shell. An exit status code of zero means normal exit, ! 692: while a nonzero exit status indicates some kind of error occurred. ! 693: Different error exit conditions return different exit status codes to ! 694: the shell. ! 695: ! 696: ! 697: ! 698: Environmental Variable for Pass Phrase ! 699: -------------------------------------- ! 700: ! 701: Normally, PGP prompts the user to type a pass phrase whenever PGP ! 702: needs a pass phrase to unlock a secret key. But it is possible to ! 703: store the pass phrase in an environmental variable from your ! 704: operating system's command shell. The environmental variable PGPPASS ! 705: can be used to hold the pass phrase that PGP will attempt to use ! 706: first. If the pass phrase stored in PGPPASS is incorrect, PGP ! 707: recovers by prompting the user for the correct pass phrase. ! 708: ! 709: For example, on MSDOS, the shell command: ! 710: ! 711: SET PGPPASS=zaphod beeblebrox for president ! 712: ! 713: would eliminate the prompt for the pass phrase if the pass phrase ! 714: were indeed "zaphod beeblebrox for president". ! 715: ! 716: This dangerous feature makes your life more convenient if you have to ! 717: regularly deal with a large number of incoming messages addressed to ! 718: your secret key, by eliminating the need for you to repeatedly type ! 719: in your pass phrase every time you run PGP. ! 720: ! 721: I added this feature because of popular demand. However, this is a ! 722: somewhat dangerous feature, because it keeps your precious pass ! 723: phrase stored somewhere other than just in your brain. Even worse, ! 724: if you are particularly reckless, it may even be stored on a disk on ! 725: the same computer as your secret key. It would be particularly ! 726: dangerous and stupid if you were to install this command in a batch ! 727: or script file, such as the MSDOS AUTOEXEC.BAT file. Someone could ! 728: come along on your lunch hour and steal both your secret key ring and ! 729: the file containing your pass phrase. ! 730: ! 731: I can't emphasize the importance of this risk enough. If you are ! 732: contemplating using this feature, be sure to read the sections ! 733: "Exposure on Multi-user Systems" and "How to Protect Secret Keys from ! 734: Disclosure" in this volume and in the Essential Topics volume of the ! 735: PGP User's Guide. ! 736: ! 737: If you must use this feature, the safest way to do it would be to ! 738: just manually type in the shell command to set PGPPASS every time you ! 739: boot your machine to start using PGP, and then erase it or turn off ! 740: your machine when you are done. And you should definitely never do ! 741: it in an environment where someone else may have access to your ! 742: machine. Someone could come along and simply ask your computer to ! 743: display the contents of PGPPASS. ! 744: ! 745: Sometimes you want to pass the pass phrase into PGP from another ! 746: application, such as an E-mail package. In some cases, it may not ! 747: always be desirable to use the PGPPASS variable for that purpose. ! 748: There is another way to pass your pass phrase into PGP from another ! 749: application. Use the "-z" command line option. This option is ! 750: designed primarily for invoking PGP from inside an E-mail package. ! 751: The pass phrase follows the -z option on the command line. There are ! 752: risks associated with using this approach, similar to those risks ! 753: described above for using the PGPPASS variable. ! 754: ! 755: ! 756: Setting Parameters in the PGP Configuration File ! 757: ================================================ ! 758: ! 759: PGP has a number of user-settable parameters that can be defined in a ! 760: special PGP configuration text file called "config.txt", in the ! 761: directory pointed to by the shell environmental variable PGPPATH. ! 762: Having a configuration file enables the user to define various flags ! 763: and parameters for PGP without the burden of having to always define ! 764: these parameters in the PGP command line. ! 765: ! 766: The filename "config.txt" has been in use for a long time by PGP, but ! 767: some folks have pointed out that it may be at odds with naming ! 768: conventions for configuration files for specific operating systems. ! 769: Accordingly, PGP now tries to open this filename only after first ! 770: trying to open the file ".pgprc" on Unix platforms, and "pgp.ini" on ! 771: other platforms, in the same directory that PGP would look for ! 772: "config.txt". ! 773: ! 774: Configuration parameters may be assigned integer values, character ! 775: string values, or on/off values, depending on what kind of ! 776: configuration parameter it is. A sample configuration file is ! 777: provided with PGP, so you can see some examples. ! 778: ! 779: In the configuration file, blank lines are ignored, as is anything ! 780: following the '#' comment character. Keywords are not ! 781: case-sensitive. ! 782: ! 783: Here is a short sample fragment of a typical configuration file: ! 784: ! 785: # TMP is the directory for PGP scratch files, such as a RAM disk. ! 786: TMP = "e:\" # Can be overridden by environment variable TMP. ! 787: Armor = on # Use -a flag for ASCII armor whenever applicable. ! 788: # CERT_DEPTH is how deeply introducers may introduce introducers. ! 789: cert_depth = 3 ! 790: ! 791: If some configuration parameters are not defined in the configuration ! 792: file, or if there is no configuration file, or if PGP can't find the ! 793: configuration file, the values for the configuration parameters ! 794: default to some reasonable value. ! 795: ! 796: Note that it is also possible to set these same configuration ! 797: parameters directly from the PGP command line, by preceding the ! 798: parameter setting with a "+" character. For example, the following ! 799: two PGP commands produce the same effect: ! 800: ! 801: pgp -e +armor=on message.txt smith ! 802: or: pgp -ea message.txt smith ! 803: ! 804: ! 805: The following is a summary of the various parameters than may be ! 806: defined in the configuration file. ! 807: ! 808: ! 809: TMP - Directory Pathname for Temporary Files ! 810: -------------------------------------------- ! 811: ! 812: Default setting: TMP = "" ! 813: ! 814: The configuration parameter TMP specifies what directory to use for ! 815: PGP's temporary scratch files. The best place to put them is on a ! 816: RAM disk, if you have one. That speeds things up quite a bit, and ! 817: increases security somewhat. If TMP is undefined, the temporary ! 818: files go in the current directory. If the shell environmental ! 819: variable TMP is defined, PGP instead uses that to specify where the ! 820: temporary files should go. ! 821: ! 822: ! 823: LANGUAGE - Foreign Language Selector ! 824: ------------------------------------ ! 825: ! 826: Default setting: LANGUAGE = "en" ! 827: ! 828: PGP displays various prompts, warning messages, and advisories to the ! 829: user on the screen. For example, messages such as "File not found.", ! 830: or "Please enter your pass phrase:". These messages are normally in ! 831: English. But it is possible to get PGP to display its messages to ! 832: the user in other languages, without having to modify the PGP ! 833: executable program. ! 834: ! 835: A number of people in various countries have translated all of PGP's ! 836: display messages, warnings, and prompts into their native languages. ! 837: These hundreds of translated message strings have been placed in a ! 838: special text file called "language.txt", distributed with the PGP ! 839: release. The messages are stored in this file in English, Spanish, ! 840: Dutch, German, French, Italian, Russian, Latvian, and Lithuanian. ! 841: Other languages may be added later. ! 842: ! 843: The configuration parameter LANGUAGE specifies what language to ! 844: display these messages in. LANGUAGE may be set to "en" for English, ! 845: "es" for Spanish, "de" for German, "nl" for Dutch, "fr" for French, ! 846: "it" for Italian, "ru" for Russian, "lt3" for Lithuanian, "lv" for ! 847: Latvian, "esp" for Esperanto. For example, if this line appeared in ! 848: the configuration file: ! 849: ! 850: LANGUAGE = "fr" ! 851: ! 852: PGP would select French as the language for its display messages. ! 853: The default setting is English. ! 854: ! 855: When PGP needs to display a message to the user, it looks in the ! 856: "language.txt" file for the equivalent message string in the selected ! 857: foreign language and displays that translated message to the user. ! 858: If PGP can't find the language string file, or if the selected ! 859: language is not in the file, or if that one phrase is not translated ! 860: into the selected language in the file, or if that phrase is missing ! 861: entirely from the file, PGP displays the message in English. ! 862: ! 863: To conserve disk space, most foreign translations are not included ! 864: in the standard PGP release package, but are available separately. ! 865: ! 866: ! 867: MYNAME - Default User ID for Making Signatures ! 868: ---------------------------------------------- ! 869: ! 870: Default setting: MYNAME = "" ! 871: ! 872: The configuration parameter MYNAME specifies the default user ID to ! 873: use to select the secret key for making signatures. If MYNAME is not ! 874: defined, the most recent secret key you installed on your secret key ! 875: ring will be used. The user may also override this setting by ! 876: specifying a user ID on the PGP command line with the -u option. ! 877: ! 878: ! 879: TEXTMODE - Assuming Plaintext is a Text File ! 880: -------------------------------------------- ! 881: ! 882: Default setting: TEXTMODE = off ! 883: ! 884: The configuration parameter TEXTMODE is equivalent to the -t command ! 885: line option. If enabled, it causes PGP to assume the plaintext is a ! 886: text file, not a binary file, and converts it to "canonical text" ! 887: before encrypting it. Canonical text has a carriage return and a ! 888: linefeed at the end of each line of text. ! 889: ! 890: This mode will be automatically turned off if PGP detects that the ! 891: plaintext file contains what it thinks is non-text binary data. If ! 892: you intend to use PGP primarily for E-mail purposes, you should turn ! 893: TEXTMODE=ON. ! 894: ! 895: For VAX/VMS systems, the current version of PGP defaults TEXTMODE=ON. ! 896: ! 897: For further details, see the section "Sending ASCII Text Files Across ! 898: Different Machine Environments". ! 899: ! 900: ! 901: CHARSET - Specifies Local Character Set for Text Files ! 902: ------------------------------------------------------ ! 903: ! 904: Default setting: CHARSET = NOCONV ! 905: ! 906: Because PGP must process messages in many non-English languages with ! 907: non-ASCII character sets, you may have a need to tell PGP what local ! 908: character set your machine uses. This determines what character ! 909: conversions are performed when converting plaintext files to and from ! 910: canonical text format. This is only a concern if you are in a ! 911: non-English non-ASCII environment. ! 912: ! 913: The configuration parameter CHARSET selects the local character set. ! 914: The choices are NOCONV (no conversion), LATIN1 (ISO 8859-1 Latin ! 915: Alphabet 1), KOI8 (used by most Russian Unix systems), ALT_CODES ! 916: (used by Russian MSDOS systems), ASCII, and CP850 (used by most ! 917: western European languages on standard MSDOS PCs). ! 918: ! 919: LATIN1 is the internal representation used by PGP for canonical text, ! 920: so if you select LATIN1, no conversion is done. Note also that PGP ! 921: treats KOI8 as LATIN1, even though it is a completely different ! 922: character set (Russian), because trying to convert KOI8 to either ! 923: LATIN1 or CP850 would be futile anyway. This means that setting ! 924: CHARSET to NOCONV, LATIN1, or KOI8 are all equivalent to PGP. ! 925: ! 926: If you use MSDOS and expect to send or receive traffic in western ! 927: European languages, set CHARSET = "CP850". This will make PGP ! 928: convert incoming canonical text messages from LATIN1 to CP850 after ! 929: decryption. If you use the -t (textmode) option to convert to ! 930: canonical text, PGP will convert your CP850 text to LATIN1 before ! 931: encrypting it. ! 932: ! 933: For further details, see the section "Sending ASCII Text Files Across ! 934: Different Machine Environments". ! 935: ! 936: ! 937: ARMOR - Enable ASCII Armor Output ! 938: --------------------------------- ! 939: ! 940: Default setting: ARMOR = off ! 941: ! 942: The configuration parameter ARMOR is equivalent to the -a command ! 943: line option. If enabled, it causes PGP to emit ciphertext or keys in ! 944: ASCII Radix-64 format suitable for transporting through E-mail ! 945: channels. Output files are named with the ".asc" extension. ! 946: ! 947: If you intend to use PGP primarily for E-mail purposes, you should ! 948: turn ARMOR=ON. ! 949: ! 950: For further details, see the section "Sending Ciphertext Through ! 951: E-mail Channels: Radix-64 Format" in the Essential Topics volume. ! 952: ! 953: ! 954: ARMORLINES - Size of ASCII Armor Multipart Files ! 955: ------------------------------------------------ ! 956: ! 957: Default setting: ARMORLINES = 720 ! 958: ! 959: When PGP creates a very large ".asc" radix-64 file for sending ! 960: ciphertext or keys through the E-mail, it breaks the file up into ! 961: separate chunks small enough to send through Internet mail ! 962: utilities. Normally, Internet mailers prohibit files larger than ! 963: about 50000 bytes, which means that if we restrict the number of ! 964: lines to about 720, we'll be well within the limit. The file chunks ! 965: are named with suffixes ".as1", ".as2", ".as3", ... ! 966: ! 967: The configuration parameter ARMORLINES specifies the maximum number ! 968: of lines to make each chunk in a multipart ".asc" file sequence. If ! 969: you set it to zero, PGP will not break up the file into chunks. ! 970: ! 971: Fidonet E-mail files usually have an upper limit of about 32K bytes, ! 972: so 450 lines would be appropriate for Fidonet environments. ! 973: ! 974: For further details, see the section "Sending Ciphertext Through ! 975: E-mail Channels: Radix-64 Format" in the Essential Topics volume. ! 976: ! 977: ! 978: KEEPBINARY - Keep Binary Ciphertext Files After Decrypting ! 979: ---------------------------------------------------------- ! 980: ! 981: Default setting: KEEPBINARY = off ! 982: ! 983: When PGP reads a ".asc" file, it recognizes that the file is in ! 984: radix-64 format and will convert it back to binary before processing ! 985: as it normally does, producing as a by-product a ".pgp" ciphertext ! 986: file in binary form. After further processing to decrypt the ".pgp" ! 987: file, the final output file will be in normal plaintext form. ! 988: ! 989: You may want to delete the binary ".pgp" intermediate file, or you ! 990: may want PGP to delete it for you automatically. You can still rerun ! 991: PGP on the original ".asc" file. ! 992: ! 993: The configuration parameter KEEPBINARY enables or disables keeping ! 994: the intermediate ".pgp" file during decryption. ! 995: ! 996: For further details, see the section "Sending Ciphertext Through ! 997: E-mail Channels: Radix-64 Format" in the Essential Topics volume. ! 998: ! 999: ! 1000: COMPRESS - Enable Compression ! 1001: ----------------------------- ! 1002: ! 1003: Default setting: COMPRESS = on ! 1004: ! 1005: The configuration parameter COMPRESS enables or disables data ! 1006: compression before encryption. It is used mainly for debugging PGP. ! 1007: Normally, PGP attempts to compress the plaintext before it encrypts ! 1008: it. Generally, you should leave this alone and let PGP attempt to ! 1009: compress the plaintext. ! 1010: ! 1011: ! 1012: COMPLETES_NEEDED - Number of Completely Trusted Introducers Needed ! 1013: ------------------------------------------------------------------ ! 1014: ! 1015: Default setting: COMPLETES_NEEDED = 1 ! 1016: ! 1017: The configuration parameter COMPLETES_NEEDED specifies the minimum ! 1018: number of completely trusted introducers required to fully certify a ! 1019: public key on your public key ring. This gives you a way of tuning ! 1020: PGP's skepticism. ! 1021: ! 1022: For further details, see the section "How Does PGP Keep Track of ! 1023: Which Keys are Valid?" in the Essential Topics volume. ! 1024: ! 1025: ! 1026: MARGINALS_NEEDED - Number of Marginally Trusted Introducers Needed ! 1027: ------------------------------------------------------------------ ! 1028: ! 1029: Default setting: MARGINALS_NEEDED = 2 ! 1030: ! 1031: The configuration parameter MARGINALS_NEEDED specifies the minimum ! 1032: number of marginally trusted introducers required to fully certify a ! 1033: public key on your public key ring. This gives you a way of tuning ! 1034: PGP's skepticism. ! 1035: ! 1036: For further details, see the section "How Does PGP Keep Track of ! 1037: Which Keys are Valid?" in the Essential Topics volume. ! 1038: ! 1039: ! 1040: CERT_DEPTH - How Deep May Introducers Be Nested ! 1041: ----------------------------------------------- ! 1042: ! 1043: Default setting: CERT_DEPTH = 4 ! 1044: ! 1045: The configuration parameter CERT_DEPTH specifies how many levels deep ! 1046: you may nest introducers to certify other introducers to certify ! 1047: public keys on your public key ring. For example, If CERT_DEPTH is ! 1048: set to 1, there may only be one layer of introducers below your own ! 1049: ultimately-trusted key. If that were the case, you would be required ! 1050: to directly certify the public keys of all trusted introducers on ! 1051: your key ring. If you set CERT_DEPTH to 0, you could have no ! 1052: introducers at all, and you would have to directly certify each and ! 1053: every key on your public key ring in order to use it. The minimum ! 1054: CERT_DEPTH is 0, the maximum is 8. ! 1055: ! 1056: For further details, see the section "How Does PGP Keep Track of ! 1057: Which Keys are Valid?" in the Essential Topics volume. ! 1058: ! 1059: ! 1060: BAKRING - Filename for Backup Secret Keyring ! 1061: -------------------------------------------- ! 1062: ! 1063: Default setting: BAKRING = "" ! 1064: ! 1065: All of the key certification that PGP does on your public key ring ! 1066: ultimately depends on your own ultimately-trusted public key (or ! 1067: keys). To detect any tampering of your public key ring, PGP must ! 1068: check that your own key has not been tampered with. To do this, PGP ! 1069: must compare your public key against a backup copy of your secret key ! 1070: on some tamper-resistant media, such as a write-protected floppy ! 1071: disk. A secret key contains all the information that your public key ! 1072: has, plus some secret components. This means PGP can check your ! 1073: public key against a backup copy of your secret key. ! 1074: ! 1075: The configuration parameter BAKRING specifies what pathname to use ! 1076: for PGP's trusted backup copy of your secret key ring. On MSDOS, you ! 1077: could set it to "a:\secring.pgp" to point it at a write-protected ! 1078: backup copy of your secret key ring on your floppy drive. This check ! 1079: is performed only when you execute the PGP -kc option to check your ! 1080: whole public key ring. ! 1081: ! 1082: If BAKRING is not defined, PGP will not check your own key against ! 1083: any backup copy. ! 1084: ! 1085: For further details, see the sections "How to Protect Public Keys ! 1086: from Tampering" and "How Does PGP Keep Track of Which Keys are ! 1087: Valid?" in the Essential Topics volume. ! 1088: ! 1089: ! 1090: PUBRING - Filename for Your Public Keyring ! 1091: ------------------------------------------ ! 1092: ! 1093: Default setting: PUBRING = "$PGPPATH/pubring.pgp" ! 1094: ! 1095: You may want to keep your public keyring in a directory separate from ! 1096: your PGP configuration file in the directory specified by your ! 1097: $PGPPATH environmental variable. You may specify the full path and ! 1098: filename for your public keyring by setting the PUBRING parameter. ! 1099: For example, on an MSDOS system, you might want to keep your public ! 1100: keyring on a floppy disk by: ! 1101: ! 1102: PUBRING = "a:pubring.pgp" ! 1103: ! 1104: This feature is especially handy for specifying an alternative ! 1105: keyring on the command line. ! 1106: ! 1107: ! 1108: SECRING - Filename for Your Secret Keyring ! 1109: ------------------------------------------ ! 1110: ! 1111: Default setting: SECRING = "$PGPPATH/secring.pgp" ! 1112: ! 1113: You may want to keep your secret keyring in a directory separate from ! 1114: your PGP configuration file in the directory specified by your ! 1115: $PGPPATH environmental variable. This comes in handy for putting ! 1116: your secret keyring in a directory or device that is more protected ! 1117: than your public keyring. You may specify the full path and filename ! 1118: for your secret keyring by setting the SECRING parameter. For ! 1119: example, on an MSDOS system, you might want to keep your secret ! 1120: keyring on a floppy disk by: ! 1121: ! 1122: SECRING = "a:secring.pgp" ! 1123: ! 1124: ! 1125: RANDSEED - Filename for Random Number Seed ! 1126: ------------------------------------------ ! 1127: ! 1128: Default setting: RANDSEED = "$PGPPATH/randseed.bin" ! 1129: ! 1130: You may want to keep your random number seed file (for generation of ! 1131: session keys) in a directory separate from your PGP configuration file ! 1132: in the directory specified by your $PGPPATH environmental variable. ! 1133: This comes in handy for putting your random number seed file in a ! 1134: directory or device that is more protected than your public keyring. ! 1135: You may specify the full path and filename for your random seed file ! 1136: by setting the RANDSEED parameter. For example, on an MSDOS system, ! 1137: you might want to keep it on a floppy disk by: ! 1138: ! 1139: RANDSEED = "a:randseed.bin" ! 1140: ! 1141: ! 1142: PAGER - Selects Shell Command to Display Plaintext Output ! 1143: --------------------------------------------------------- ! 1144: ! 1145: Default setting: PAGER = "" ! 1146: ! 1147: PGP lets you view the decrypted plaintext output on your screen (like ! 1148: the Unix-style "more" command), without writing it to a file, if you ! 1149: use the -m (more) option while decrypting. This displays the ! 1150: decrypted plaintext display on your screen one screenful at a time. ! 1151: ! 1152: If you prefer to use a fancier page display utility, rather than ! 1153: PGP's built-in one, you can specify the name of a shell command that ! 1154: PGP will invoke to display your plaintext output file. The ! 1155: configuration parameter PAGER specifies the shell command to invoke ! 1156: to display the file. For example, on MSDOS systems, you might want ! 1157: to use the popular shareware program "list.com" to display your ! 1158: plaintext message. Assuming you have a copy of "list.com", you may ! 1159: set PAGER accordingly: ! 1160: ! 1161: PAGER = "list" ! 1162: ! 1163: However, if the sender specified that this file is for your eyes ! 1164: only, and may not be written to disk, PGP always uses its own ! 1165: built-in display function. ! 1166: ! 1167: For further details, see the section "Displaying Decrypted Plaintext ! 1168: on Your Screen". ! 1169: ! 1170: ! 1171: SHOWPASS - Echo Pass Phrase to User ! 1172: ----------------------------------- ! 1173: ! 1174: Default setting: SHOWPASS = off ! 1175: ! 1176: Normally, PGP does not let you see your pass phrase as you type it ! 1177: in. This makes it harder for someone to look over your shoulder ! 1178: while you type and learn your pass phrase. But some typing-impaired ! 1179: people have problems typing their pass phrase without seeing what ! 1180: they are typing, and they may be typing in the privacy of their own ! 1181: homes. So they asked if PGP can be configured to let them see what ! 1182: they type when they type in their pass phrase. ! 1183: ! 1184: The configuration parameter SHOWPASS enables PGP to echo your typing ! 1185: during pass phrase entry. ! 1186: ! 1187: ! 1188: TZFIX - Timezone Adjustment ! 1189: --------------------------- ! 1190: ! 1191: Default setting: TZFIX = 0 ! 1192: ! 1193: PGP provides timestamps for keys and signature certificates in ! 1194: Greenwich Mean Time (GMT), or Coordinated Universal Time (UTC), which ! 1195: means the same thing for our purposes. When PGP asks the system for ! 1196: the time of day, the system is supposed to provide it in GMT. ! 1197: ! 1198: But sometimes, because of improperly configured MSDOS systems, the ! 1199: system time is returned in US Pacific Standard Time time plus 8 ! 1200: hours. Sounds weird, doesn't it? Perhaps because of some sort of US ! 1201: west-coast jingoism, MSDOS presumes local time is US Pacific time, ! 1202: and pre-corrects Pacific time to GMT. This adversely affects the ! 1203: behavior of the internal MSDOS GMT time function that PGP calls. ! 1204: However, if your MSDOS environmental variable TZ is already properly ! 1205: defined for your timezone, this corrects the misconception MSDOS has ! 1206: that the whole world lives on the US west coast. ! 1207: ! 1208: The configuration parameter TZFIX specifies the number of hours to ! 1209: add to the system time function to get GMT, for GMT timestamps on ! 1210: keys and signatures. If the MSDOS environmental variable TZ is ! 1211: defined properly, you can leave TZFIX=0. Unix systems usually ! 1212: shouldn't need to worry about setting TZFIX at all. But if you are ! 1213: using some other obscure operating system that doesn't know about ! 1214: GMT, you may have to use TZFIX to adjust the system time to GMT. ! 1215: ! 1216: On MSDOS systems that do not have TZ defined in the environment, you ! 1217: should make TZFIX=0 for California, -1 for Colorado, -2 for Chicago, ! 1218: -3 for New York, -8 for London, -9 for Amsterdam. In the summer, ! 1219: TZFIX should be manually decremented from these values. What a mess. ! 1220: ! 1221: It would be much cleaner to set your MSDOS environmental variable TZ ! 1222: in your AUTOEXEC.BAT file, and not use the TZFIX correction. Then ! 1223: MSDOS gives you good GMT timestamps, and will handle daylight savings ! 1224: time adjustments for you. Here are some sample lines to insert into ! 1225: AUTOEXEC.BAT, depending on your time zone: ! 1226: ! 1227: For Los Angeles: SET TZ=PST8PDT ! 1228: For Denver: SET TZ=MST7MDT ! 1229: For Arizona: SET TZ=MST7 ! 1230: (Arizona never uses daylight savings time) ! 1231: For Chicago: SET TZ=CST6CDT ! 1232: For New York: SET TZ=EST5EDT ! 1233: For London: SET TZ=GMT0BST ! 1234: For Amsterdam: SET TZ=MET-1DST ! 1235: For Moscow: SET TZ=MSK-3MSD ! 1236: For Aukland: SET TZ=NZT-13 ! 1237: ! 1238: ! 1239: CLEARSIG - Enable Signed Messages to be Encapsulated as Clear Text ! 1240: ------------------------------------------------------------------ ! 1241: ! 1242: Default setting: CLEARSIG = on ! 1243: ! 1244: Normally, unencrypted PGP signed messages have a signature ! 1245: certificate prepended in binary form. Also, the signed message is ! 1246: compressed, rendering the message unreadable to casual human eyes, ! 1247: even though the message is not actually encrypted. To send this ! 1248: binary data through a 7-bit E-mail channel, radix-64 ASCII armor is ! 1249: applied (see the ARMOR parameter). Even if PGP didn't compress the ! 1250: message, the ASCII armor would still render the message unreadable to ! 1251: human eyes. The recipient must use PGP to strip the armor off and ! 1252: decompress it before reading the message. ! 1253: ! 1254: If the original plaintext message is in text (not binary) form, there ! 1255: is a way to send a signed message through an E-mail channel in such a ! 1256: way that the signed message is not compressed and the ASCII armor is ! 1257: applied only to the binary signature certificate, but not to the ! 1258: plaintext message. The CLEARSIG flag provides this useful feature, ! 1259: making it possible to generate a signed message that can be read with ! 1260: human eyes, without the aid of PGP. Of course, you still need PGP to ! 1261: actually check the signature. ! 1262: ! 1263: The CLEARSIG flag is preset to "on" beginning with PGP version 2.5. ! 1264: To enable the full CLEARSIG behavior, the ARMOR and TEXTMODE flags ! 1265: must also be turned on. Set ARMOR=ON (or use the -a option), and set ! 1266: TEXTMODE=ON (or use the -t option). If your config file has CLEARSIG ! 1267: turned off, you can turn it back on again directly on the command ! 1268: line, like so: ! 1269: ! 1270: pgp -sta +clearsig=on message.txt ! 1271: ! 1272: This message representation is analogous to the MIC-CLEAR message type ! 1273: used in Internet Privacy Enhanced Mail (PEM). It is important to ! 1274: note that since this method only applies ASCII armor to the binary ! 1275: signature certificate, and not to the message text itself, there is ! 1276: some risk that the unarmored message may suffer some accidental ! 1277: molestation while en route. This can happen if it passes through ! 1278: some E-mail gateway that performs character set conversions, or in ! 1279: some cases extra spaces may be added to or stripped from the ends of ! 1280: lines. If this occurs, the signature will fail to verify, which may ! 1281: give a false indication of intentional tampering. But since PEM ! 1282: lives under a similar vulnerability, it seems worth having this ! 1283: feature despite the risks. ! 1284: ! 1285: Beginning with PGP version 2.2, trailing blanks are ignored on each ! 1286: line in calculating the signature for text in CLEARSIG mode. ! 1287: ! 1288: ! 1289: VERBOSE - Quiet, Normal, or Verbose Messages ! 1290: -------------------------------------------- ! 1291: ! 1292: Default setting: VERBOSE = 1 ! 1293: ! 1294: VERBOSE may be set to 0, 1, or 2, depending on how much detail you ! 1295: want to see from PGP diagnostic messages. The settings are: ! 1296: ! 1297: 0 - Display messages only if there is a problem. Unix fans wanted ! 1298: this "quiet mode" setting. ! 1299: ! 1300: 1 - Normal default setting. Displays a reasonable amount of detail ! 1301: in diagnostic or advisory messages. ! 1302: ! 1303: 2 - Displays maximum information, usually to help diagnose problems ! 1304: in PGP. Not recommended for normal use. Besides, PGP doesn't have ! 1305: any problems, right? ! 1306: ! 1307: ! 1308: INTERACTIVE - Ask for Confirmation for Key Adds ! 1309: ----------------------------------------------- ! 1310: ! 1311: Default Setting: INTERACTIVE = off ! 1312: ! 1313: Enabling this mode will mean that if you add a key file containing ! 1314: multiple keys to your key ring, PGP will ask for confirmation for ! 1315: each key before adding it to your key ring. ! 1316: ! 1317: ! 1318: NOMANUAL - Let PGP Generate Keys Without the Manual ! 1319: --------------------------------------------------- ! 1320: ! 1321: Default Setting: NOMANUAL = off ! 1322: ! 1323: It is important that the freeware version of PGP not be distributed ! 1324: without the user documentation, which normally comes with it in the ! 1325: standard release package. This manual contains important information ! 1326: for using PGP, as well as important legal notices. But some people ! 1327: have distributed previous versions of PGP without the manual, causing ! 1328: a lot of problems for a lot of people who get it. To discourage the ! 1329: distribution of PGP without the required documentation, PGP has been ! 1330: changed to require the PGP User's Guide to be found somewhere on your ! 1331: computer (like in your PGP directory) before PGP will let you generate ! 1332: a key pair. However, some users like to use PGP on tiny palmtop ! 1333: computers with limited storage capacity, so they like to run PGP ! 1334: without the documentation present on their systems. To satisfy these ! 1335: users, PGP can be made to relax its requirement that the manual be ! 1336: present, by enabling the NOMANUAL flag on the command line during key ! 1337: generation, like so: ! 1338: ! 1339: pgp -kg +nomanual ! 1340: ! 1341: The NOMANUAL flag can only be set on the command line, not in the ! 1342: config file. Since you must read this manual to learn how to enable ! 1343: this simple override feature, I hope this will still be effective in ! 1344: discouraging the distribution of PGP without the manual. ! 1345: ! 1346: Some people may object to PGP insisting on finding the manual ! 1347: somewhere in the neighborhood to generate a key. They bristle ! 1348: against this seemingly authoritarian attitude. Some people have even ! 1349: modified PGP to defeat this feature, and redistributed their hotwired ! 1350: version to others. That creates problems for me. Before I added ! 1351: this feature, there were maimed versions of the PGP distribution ! 1352: package floating around that lacked the manual. One of them was ! 1353: uploaded to Compuserve, and was distributed to countless users who ! 1354: called me on the phone to ask me why such a complicated program had ! 1355: no manual. It spread out to BBS systems around the country. And a ! 1356: freeware distributor got hold of the package from Compuserve and ! 1357: enshrined it on CD-ROM, distributing thousands of copies without the ! 1358: manual. What a mess. ! 1359: ! 1360: ! 1361: A Peek Under the Hood ! 1362: ===================== ! 1363: ! 1364: Let's take a look at a few internal features of PGP. ! 1365: ! 1366: ! 1367: Random Numbers ! 1368: -------------- ! 1369: ! 1370: PGP uses a cryptographically strong pseudorandom number generator for ! 1371: creating temporary conventional session keys. The seed file for this ! 1372: is called "randseed.bin". It too can be kept in whatever directory ! 1373: is indicated by the PGPPATH environmental variable. If this random ! 1374: seed file does not exist, it is automatically created and seeded with ! 1375: truly random numbers derived from timing your keystroke latencies. ! 1376: ! 1377: This generator reseeds the disk file each time it is used by mixing ! 1378: in new key material partially derived with the time of day and other ! 1379: truly random sources. It uses the conventional encryption algorithm ! 1380: as an engine for the random number generator. The seed file contains ! 1381: both random seed material and random key material to key the ! 1382: conventional encryption engine for the random generator. ! 1383: ! 1384: This random seed file should be at least slightly protected from ! 1385: disclosure, to reduce the risk of an attacker deriving your next or ! 1386: previous session keys. The attacker would have a very hard time ! 1387: getting anything useful from capturing this random seed file, because ! 1388: the file is cryptographically laundered before and after each use. ! 1389: Nonetheless, it seems prudent to at least try to keep it from falling ! 1390: into the wrong hands. ! 1391: ! 1392: If you feel uneasy about trusting any algorithmically derived random ! 1393: number source however strong, keep in mind that you already trust the ! 1394: strength of the same conventional cipher to protect your messages. ! 1395: If it's strong enough for that, then it should be strong enough to ! 1396: use as a source of random numbers for temporary session keys. Note ! 1397: that PGP still uses truly random numbers from physical sources ! 1398: (mainly keyboard timings) to generate long-term public/secret key ! 1399: pairs. ! 1400: ! 1401: ! 1402: ! 1403: PGP's Conventional Encryption Algorithm ! 1404: --------------------------------------- ! 1405: ! 1406: As described earlier, PGP "bootstraps" into a conventional single-key ! 1407: encryption algorithm by using a public key algorithm to encipher the ! 1408: conventional session key and then switching to fast conventional ! 1409: cryptography. So let's talk about this conventional encryption ! 1410: algorithm. It isn't the DES. ! 1411: ! 1412: The Federal Data Encryption Standard (DES) used to be a good ! 1413: algorithm for most commercial applications. But the Government never ! 1414: did trust the DES to protect its own classified data, because the DES ! 1415: key length is only 56 bits, short enough for a brute force attack. ! 1416: Also, the full 16-round DES has been attacked with some success by ! 1417: Biham and Shamir using differential cryptanalysis, and by Matsui ! 1418: using linear cryptanalysis. ! 1419: ! 1420: The most devastating practical attack on the DES was described at the ! 1421: Crypto '93 conference, where Michael Wiener of Bell Northern Research ! 1422: presented a paper on how to crack the DES with a special machine. He ! 1423: has fully designed and tested a chip that guesses 50 million DES keys ! 1424: per second until it finds the right one. Although he has refrained ! 1425: from building the real chips so far, he can get these chips ! 1426: manufactured for $10.50 each, and can build 57000 of them into a ! 1427: special machine for $1 million that can try every DES key in 7 hours, ! 1428: averaging a solution in 3.5 hours. $1 million can be hidden in the ! 1429: budget of many companies. For $10 million, it takes 21 minutes to ! 1430: crack, and for $100 million, just two minutes. With any major ! 1431: government's budget for examining DES traffic, it can be cracked in ! 1432: seconds. This means that straight 56-bit DES is now effectively dead ! 1433: for purposes of serious data security applications. ! 1434: ! 1435: A possible successor to DES may be a variation known as "triple DES", ! 1436: which uses two DES keys to encrypt three times, achieving an ! 1437: effective key space of 112 bits. But this approach is three times ! 1438: slower than normal DES. A future version of PGP may support triple ! 1439: DES as an option. ! 1440: ! 1441: PGP does not use the DES as its conventional single-key algorithm to ! 1442: encrypt messages. Instead, PGP uses a different conventional ! 1443: single-key block encryption algorithm, called IDEA(tm). ! 1444: ! 1445: For the cryptographically curious, the IDEA cipher has a 64-bit block ! 1446: size for the plaintext and the ciphertext. It uses a key size of 128 ! 1447: bits. It is based on the design concept of "mixing operations from ! 1448: different algebraic groups". It runs much faster in software than ! 1449: the DES. Like the DES, it can be used in cipher feedback (CFB) and ! 1450: cipher block chaining (CBC) modes. PGP uses it in 64-bit CFB mode. ! 1451: ! 1452: The IPES/IDEA block cipher was developed at ETH in Zurich by James L. ! 1453: Massey and Xuejia Lai, and published in 1990. This is not a ! 1454: "home-grown" algorithm. Its designers have a distinguished ! 1455: reputation in the cryptologic community. Early published papers on ! 1456: the algorithm called it IPES (Improved Proposed Encryption Standard), ! 1457: but they later changed the name to IDEA (International Data ! 1458: Encryption Algorithm). So far, IDEA has resisted attack much better ! 1459: than other ciphers such as FEAL, REDOC-II, LOKI, Snefru and Khafre. ! 1460: And recent evidence suggests that IDEA is more resistant than the DES ! 1461: to Biham & Shamir's highly successful differential cryptanalysis ! 1462: attack. Biham and Shamir have been examining the IDEA cipher for ! 1463: weaknesses, without success. Academic cryptanalyst groups in ! 1464: Belgium, England, and Germany are also attempting to attack it, as ! 1465: well as the military services from several European countries. As ! 1466: this new cipher continues to attract attack efforts from the most ! 1467: formidable quarters of the cryptanalytic world, confidence in IDEA is ! 1468: growing with the passage of time. ! 1469: ! 1470: Every once in a while, I get a letter from someone who has just ! 1471: learned the awful truth that PGP does not use pure RSA to encrypt ! 1472: bulk data. They are concerned that the whole package is weakened if ! 1473: we use a hybrid public-key and conventional scheme just to speed ! 1474: things up. After all, a chain is only as strong as its weakest ! 1475: link. They demand an explanation for this apparent "compromise" in ! 1476: the strength of PGP. This may be because they have been caught up in ! 1477: the public's reverence and awe for the strength and mystique of RSA, ! 1478: mistakenly believing that RSA is intrinsically stronger than any ! 1479: conventional cipher. Well, it's not. ! 1480: ! 1481: People who work in factoring research say that the workload to ! 1482: exhaust all the possible 128-bit keys in the IDEA cipher would ! 1483: roughly equal the factoring workload to crack a 3100-bit RSA key, ! 1484: which is quite a bit bigger than the 1024-bit RSA key size that most ! 1485: people use for high security applications. Given this range of key ! 1486: sizes, and assuming there are no hidden weaknesses in the ! 1487: conventional cipher, the weak link in this hybrid approach is in the ! 1488: public key algorithm, not the conventional cipher. ! 1489: ! 1490: It is not ergonomically practical to use pure RSA with large keys to ! 1491: encrypt and decrypt long messages. A 1024-bit RSA key would decrypt ! 1492: messages about 4000 times slower than the IDEA cipher. Absolutely no ! 1493: one does it that way in the real world. Many people less experienced ! 1494: in cryptography do not realize that the attraction of public key ! 1495: cryptography is not because it is intrinsically stronger than a ! 1496: conventional cipher-- its appeal is because it helps you manage keys ! 1497: more conveniently. ! 1498: ! 1499: Not only is RSA too slow to use on bulk data, but it even has certain ! 1500: weaknesses that can be exploited in some special cases of particular ! 1501: kinds of messages that are fed to the RSA cipher, even for large ! 1502: keys. These special cases can be avoided by using the hybrid ! 1503: approach of using RSA to encrypt random session keys for a ! 1504: conventional cipher, like PGP does. So the bottom line is this: ! 1505: Using pure RSA on bulk data is the wrong approach, period. It's too ! 1506: slow, it's not stronger, and may even be weaker. If you find a ! 1507: software application that uses pure RSA on bulk data, it probably ! 1508: means the implementor does not understand these issues, which could ! 1509: imply he doesn't understand other important concepts of cryptography. ! 1510: ! 1511: ! 1512: ! 1513: Data Compression ! 1514: ---------------- ! 1515: ! 1516: PGP normally compresses the plaintext before encrypting it. It's too ! 1517: late to compress it after it has been encrypted; encrypted data is ! 1518: incompressible. Data compression saves modem transmission time and ! 1519: disk space and more importantly strengthens cryptographic security. ! 1520: Most cryptanalysis techniques exploit redundancies found in the ! 1521: plaintext to crack the cipher. Data compression reduces this ! 1522: redundancy in the plaintext, thereby greatly enhancing resistance to ! 1523: cryptanalysis. It takes extra time to compress the plaintext, but ! 1524: from a security point of view it seems worth it, at least in my ! 1525: cautious opinion. ! 1526: ! 1527: Files that are too short to compress or just don't compress well are ! 1528: not compressed by PGP. ! 1529: ! 1530: If you prefer, you can use PKZIP to compress the plaintext before ! 1531: encrypting it. PKZIP is a widely-available and effective MSDOS ! 1532: shareware compression utility from PKWare, Inc. Or you can use ZIP, ! 1533: a PKZIP-compatible freeware compression utility on Unix and other ! 1534: systems, available from Jean-Loup Gailly. There is some advantage in ! 1535: using PKZIP or ZIP in certain cases, because unlike PGP's built-in ! 1536: compression algorithm, PKZIP and ZIP have the nice feature of ! 1537: compressing multiple files into a single compressed file, which is ! 1538: reconstituted again into separate files when decompressed. PGP will ! 1539: not try to compress a plaintext file that has already been ! 1540: compressed. After decrypting, the recipient can decompress the ! 1541: plaintext with PKUNZIP. If the decrypted plaintext is a PKZIP ! 1542: compressed file, PGP automatically recognizes this and advises the ! 1543: recipient that the decrypted plaintext appears to be a PKZIP file. ! 1544: ! 1545: For the technically curious readers, the current version of PGP uses ! 1546: the freeware ZIP compression routines written by Jean-loup Gailly, ! 1547: Mark Adler, and Richard B. Wales. This ZIP software uses ! 1548: functionally-equivalent compression algorithms as those used by ! 1549: PKWare's new PKZIP 2.0. This ZIP compression software was selected ! 1550: for PGP mainly because of its free portable C source code ! 1551: availability, and because it has a really good compression ratio, and ! 1552: because it's fast. ! 1553: ! 1554: Peter Gutmann has also written a nice compression utility called ! 1555: HPACK, available for free from many Internet FTP sites. It encrypts ! 1556: the compressed archives, using PGP data formats and key rings. He ! 1557: wanted me to mention that here. ! 1558: ! 1559: ! 1560: ! 1561: Message Digests and Digital Signatures ! 1562: -------------------------------------- ! 1563: ! 1564: To create a digital signature, PGP encrypts with your secret key. ! 1565: But PGP doesn't actually encrypt your entire message with your secret ! 1566: key-- that would take too long. Instead, PGP encrypts a "message ! 1567: digest". ! 1568: ! 1569: The message digest is a compact (128 bit) "distillate" of your ! 1570: message, similar in concept to a checksum. You can also think of it ! 1571: as a "fingerprint" of the message. The message digest "represents" ! 1572: your message, such that if the message were altered in any way, a ! 1573: different message digest would be computed from it. This makes it ! 1574: possible to detect any changes made to the message by a forger. A ! 1575: message digest is computed using a cryptographically strong one-way ! 1576: hash function of the message. It would be computationally infeasible ! 1577: for an attacker to devise a substitute message that would produce an ! 1578: identical message digest. In that respect, a message digest is much ! 1579: better than a checksum, because it is easy to devise a different ! 1580: message that would produce the same checksum. But like a checksum, ! 1581: you can't derive the original message from its message digest. ! 1582: ! 1583: A message digest alone is not enough to authenticate a message. The ! 1584: message digest algorithm is publicly known, and does not require ! 1585: knowledge of any secret keys to calculate. If all we did was attach ! 1586: a message digest to a message, then a forger could alter a message ! 1587: and simply attach a new message digest calculated from the new ! 1588: altered message. To provide real authentication, the sender has to ! 1589: encrypt (sign) the message digest with his secret key. ! 1590: ! 1591: A message digest is calculated from the message by the sender. The ! 1592: sender's secret key is used to encrypt the message digest and an ! 1593: electronic timestamp, forming a digital signature, or signature ! 1594: certificate. The sender sends the digital signature along with the ! 1595: message. The receiver receives the message and the digital ! 1596: signature, and recovers the original message digest from the digital ! 1597: signature by decrypting it with the sender's public key. The ! 1598: receiver computes a new message digest from the message, and checks ! 1599: to see if it matches the one recovered from the digital signature. If ! 1600: it matches, then that proves the message was not altered, and it came ! 1601: from the sender who owns the public key used to check the signature. ! 1602: ! 1603: A potential forger would have to either produce an altered message ! 1604: that produces an identical message digest (which is infeasible), or ! 1605: he would have to create a new digital signature from a different ! 1606: message digest (also infeasible, without knowing the true sender's ! 1607: secret key). ! 1608: ! 1609: Digital signatures prove who sent the message, and that the message ! 1610: was not altered either by error or design. It also provides ! 1611: non-repudiation, which means the sender cannot easily disavow his ! 1612: signature on the message. ! 1613: ! 1614: Using message digests to form digital signatures has other advantages ! 1615: besides being faster than directly signing the entire actual message ! 1616: with the secret key. Using message digests allows signatures to be ! 1617: of a standard small fixed size, regardless of the size of the actual ! 1618: message. It also allows the software to check the message integrity ! 1619: automatically, in a manner similar to using checksums. And it allows ! 1620: signatures to be stored separately from messages, perhaps even in a ! 1621: public archive, without revealing sensitive information about the ! 1622: actual messages, because no one can derive any message content from a ! 1623: message digest. ! 1624: ! 1625: The message digest algorithm used here is the MD5 Message Digest ! 1626: Algorithm, placed in the public domain by RSA Data Security, Inc. ! 1627: MD5's designer, Ronald Rivest, writes this about MD5: ! 1628: ! 1629: "It is conjectured that the difficulty of coming up with two messages ! 1630: having the same message digest is on the order of 2^64 operations, ! 1631: and that the difficulty of coming up with any message having a given ! 1632: message digest is on the order of 2^128 operations. The MD5 ! 1633: algorithm has been carefully scrutinized for weaknesses. It is, ! 1634: however, a relatively new algorithm and further security analysis is ! 1635: of course justified, as is the case with any new proposal of this ! 1636: sort. The level of security provided by MD5 should be sufficient for ! 1637: implementing very high security hybrid digital signature schemes ! 1638: based on MD5 and the RSA public-key cryptosystem." ! 1639: ! 1640: ! 1641: ! 1642: Compatibility with Previous and Future Versions of PGP ! 1643: ====================================================== ! 1644: ! 1645: PGP version 2.6 can read anything produced by versions 2.3 through ! 1646: 2.7. However, because of a negotiated agreement between MIT and RSA ! 1647: Data Security, PGP 2.6 was programmed to change its behavior slightly ! 1648: on 1 September 1994, triggered by a built-in software timer. On that ! 1649: date, version 2.6 started producing a new and slightly different data ! 1650: format for messages, signatures and keys. PGP 2.6 will still be able ! 1651: to read and process messages, signatures, and keys produced under the ! 1652: old format, but it will generate the new format. This change is ! 1653: intended to discourage people from continuing to use the older (2.3a ! 1654: and earlier) versions of PGP, which Public Key Partners contends ! 1655: infringes its RSA patent (see the section on Legal Issues). ViaCrypt ! 1656: PGP (see the section Where to Get a Commercial Version of PGP), ! 1657: versions 2.4 and 2.7, avoids questions of infringement through ! 1658: Viacrypt's license arrangement with Public Key Partners. PGP 2.5 and ! 1659: 2.6 avoid questions of infringement by using the RSAREF(TM) ! 1660: Cryptographic Toolkit, under license from RSA Data Security, Inc. ! 1661: ! 1662: Outside the United States, the RSA patent is not in force, so PGP ! 1663: users there are free to use implementations of PGP that do not rely ! 1664: on RSAREF and its restrictions. See the notes on foreign versions in ! 1665: the Legal Issues section later in this manual. It seems likely that ! 1666: any versions of PGP prepared outside the US will accept the new ! 1667: format, whose detailed description is available from MIT. If ! 1668: everyone upgrades before September 1994, or soon thereafter, there ! 1669: will be little interoperability problems. ! 1670: ! 1671: This format change beginning with 2.6 is similar to the process that ! 1672: naturally happens when new features are added, causing older versions ! 1673: of PGP to be unable to read stuff from the newer PGP, while the newer ! 1674: version can still read the old stuff. The only difference is that ! 1675: this is a "legal upgrade", instead of a technical one. It's a ! 1676: worthwhile change, if it can achieve peace in our time. ! 1677: ! 1678: According to ViaCrypt, which sells a commercial version of PGP, ! 1679: ViaCrypt PGP will evolve to maintain interoperability with new ! 1680: freeware versions of PGP. ! 1681: ! 1682: There is a another change that effects interoperability with earlier ! 1683: versions of PGP. Unfortunately, due to data format limitations ! 1684: imposed by RSAREF, PGP 2.5 and 2.6 cannot interpret any messages or ! 1685: signatures made with PGP version 2.2 or earlier. Since we had no ! 1686: choice but to use the new data formats, because of the need to switch ! 1687: to RSAREF, we can't do anything about this problem. ! 1688: ! 1689: Beginning with version 2.4 (which was ViaCrypt's first version) ! 1690: through at least 2.6, PGP does not allow you to generate RSA keys ! 1691: bigger than 1024 bits. The upper limit was always intended to be ! 1692: 1024 bits -- there had to be some kind of upper limit, for ! 1693: performance and interoperability reasons. But because of a bug in ! 1694: earlier versions of PGP, it was possible to generate keys larger than ! 1695: 1024 bits. These larger keys caused interoperability problems ! 1696: between different older versions of PGP that used different ! 1697: arithmetic algorithms with different native word sizes. On some ! 1698: platforms, PGP choked on the larger keys. In addition to these older ! 1699: key size problems, the 1024-bit limit is now enforced by RSAREF. A ! 1700: 1024-bit key is very likely to be well out of reach of attacks by ! 1701: major governments. In a future version, PGP will support bigger keys. ! 1702: ! 1703: In general, there is compatibility from version 2.0 upwards through ! 1704: 2.4. Because new features are added, older versions may not always be ! 1705: able to handle some files created with newer versions. Because of ! 1706: massive changes to all the algorithms and data structures, PGP version ! 1707: 2.0 (and later) is not even slightly compatible with PGP version 1.0, ! 1708: which no one uses anymore anyway. ! 1709: ! 1710: Future versions of PGP may have to change the data formats for ! 1711: messages, signatures, keys and key rings, in order to provide ! 1712: important new features. We will endeavor to make future versions ! 1713: handle keys, signatures, and messages from this version, but this is ! 1714: not guaranteed. Future releases may provide conversion utilities to ! 1715: convert old keys, but you may have to dispose of old messages created ! 1716: with the old PGP. Also, this current version may not be able to read ! 1717: stuff produced from all future versions. ! 1718: ! 1719: ! 1720: Vulnerabilities ! 1721: =============== ! 1722: ! 1723: No data security system is impenetrable. PGP can be circumvented in ! 1724: a variety of ways. In any data security system, you have to ask ! 1725: yourself if the information you are trying to protect is more ! 1726: valuable to your attacker than the cost of the attack. This should ! 1727: lead you to protecting yourself from the cheapest attacks, while not ! 1728: worrying about the more expensive attacks. ! 1729: ! 1730: Some of the discussion that follows may seem unduly paranoid, but ! 1731: such an attitude is appropriate for a reasonable discussion of ! 1732: vulnerability issues. ! 1733: ! 1734: ! 1735: Compromised Pass Phrase and Secret Key ! 1736: -------------------------------------- ! 1737: ! 1738: Probably the simplest attack is if you leave your pass phrase for ! 1739: your secret key written down somewhere. If someone gets it and also ! 1740: gets your secret key file, they can read your messages and make ! 1741: signatures in your name. ! 1742: ! 1743: Don't use obvious passwords that can be easily guessed, such as the ! 1744: names of your kids or spouse. If you make your pass phrase a single ! 1745: word, it can be easily guessed by having a computer try all the words ! 1746: in the dictionary until it finds your password. That's why a pass ! 1747: phrase is so much better than a password. A more sophisticated ! 1748: attacker may have his computer scan a book of famous quotations to ! 1749: find your pass phrase. An easy to remember but hard to guess pass ! 1750: phrase can be easily constructed by some creatively nonsensical ! 1751: sayings or very obscure literary quotes. ! 1752: ! 1753: For further details, see the section "How to Protect Secret Keys from ! 1754: Disclosure" in the Essential Topics volume of the PGP User's Guide. ! 1755: ! 1756: ! 1757: Public Key Tampering ! 1758: -------------------- ! 1759: ! 1760: A major vulnerability exists if public keys are tampered with. This ! 1761: may be the most crucially important vulnerability of a public key ! 1762: cryptosystem, in part because most novices don't immediately ! 1763: recognize it. The importance of this vulnerability, and appropriate ! 1764: hygienic countermeasures, are detailed in the section "How to Protect ! 1765: Public Keys from Tampering" in the Essential Topics volume. ! 1766: ! 1767: To summarize: When you use someone's public key, make certain it has ! 1768: not been tampered with. A new public key from someone else should be ! 1769: trusted only if you got it directly from its owner, or if it has been ! 1770: signed by someone you trust. Make sure no one else can tamper with ! 1771: your own public key ring. Maintain physical control of both your ! 1772: public key ring and your secret key ring, preferably on your own ! 1773: personal computer rather than on a remote timesharing system. Keep a ! 1774: backup copy of both key rings. ! 1775: ! 1776: ! 1777: "Not Quite Deleted" Files ! 1778: ------------------------- ! 1779: ! 1780: Another potential security problem is caused by how most operating ! 1781: systems delete files. When you encrypt a file and then delete the ! 1782: original plaintext file, the operating system doesn't actually ! 1783: physically erase the data. It merely marks those disk blocks as ! 1784: deleted, allowing the space to be reused later. It's sort of like ! 1785: discarding sensitive paper documents in the paper recycling bin ! 1786: instead of the paper shredder. The disk blocks still contain the ! 1787: original sensitive data you wanted to erase, and will probably ! 1788: eventually be overwritten by new data at some point in the future. ! 1789: If an attacker reads these deleted disk blocks soon after they have ! 1790: been deallocated, he could recover your plaintext. ! 1791: ! 1792: In fact this could even happen accidentally, if for some reason ! 1793: something went wrong with the disk and some files were accidentally ! 1794: deleted or corrupted. A disk recovery program may be run to recover ! 1795: the damaged files, but this often means some previously deleted files ! 1796: are resurrected along with everything else. Your confidential files ! 1797: that you thought were gone forever could then reappear and be ! 1798: inspected by whomever is attempting to recover your damaged disk. ! 1799: Even while you are creating the original message with a word ! 1800: processor or text editor, the editor may be creating multiple ! 1801: temporary copies of your text on the disk, just because of its ! 1802: internal workings. These temporary copies of your text are deleted ! 1803: by the word processor when it's done, but these sensitive fragments ! 1804: are still on your disk somewhere. ! 1805: ! 1806: Let me tell you a true horror story. I had a friend, married with ! 1807: young children, who once had a brief and not very serious affair. ! 1808: She wrote a letter to her lover on her word processor, and deleted ! 1809: the letter after she sent it. Later, after the affair was over, the ! 1810: floppy disk got damaged somehow and she had to recover it because it ! 1811: contained other important documents. She asked her husband to ! 1812: salvage the disk, which seemed perfectly safe because she knew she ! 1813: had deleted the incriminating letter. Her husband ran a commercial ! 1814: disk recovery software package to salvage the files. It recovered ! 1815: the files alright, including the deleted letter. He read it, which ! 1816: set off a tragic chain of events. ! 1817: ! 1818: The only way to prevent the plaintext from reappearing is to somehow ! 1819: cause the deleted plaintext files to be overwritten. Unless you know ! 1820: for sure that all the deleted disk blocks will soon be reused, you ! 1821: must take positive steps to overwrite the plaintext file, and also ! 1822: any fragments of it on the disk left by your word processor. You can ! 1823: overwrite the original plaintext file after encryption by using the ! 1824: PGP -w (wipe) option. You can take care of any fragments of the ! 1825: plaintext left on the disk by using any of the disk utilities ! 1826: available that can overwrite all of the unused blocks on a disk. For ! 1827: example, the Norton Utilities for MSDOS can do this. ! 1828: ! 1829: Even if you overwrite the plaintext data on the disk, it may still be ! 1830: possible for a resourceful and determined attacker to recover the ! 1831: data. Faint magnetic traces of the original data remain on the disk ! 1832: after it has been overwritten. Special sophisticated disk recovery ! 1833: hardware can sometimes be used to recover the data. ! 1834: ! 1835: ! 1836: Viruses and Trojan Horses ! 1837: ------------------------- ! 1838: ! 1839: Another attack could involve a specially-tailored hostile computer ! 1840: virus or worm that might infect PGP or your operating system. This ! 1841: hypothetical virus could be designed to capture your pass phrase or ! 1842: secret key or deciphered messages, and covertly write the captured ! 1843: information to a file or send it through a network to the virus's ! 1844: owner. Or it might alter PGP's behavior so that signatures are not ! 1845: properly checked. This attack is cheaper than cryptanalytic attacks. ! 1846: ! 1847: Defending against this falls under the category of defending against ! 1848: viral infection generally. There are some moderately capable ! 1849: anti-viral products commercially available, and there are hygienic ! 1850: procedures to follow that can greatly reduce the chances of viral ! 1851: infection. A complete treatment of anti-viral and anti-worm ! 1852: countermeasures is beyond the scope of this document. PGP has no ! 1853: defenses against viruses, and assumes your own personal computer is a ! 1854: trustworthy execution environment. If such a virus or worm actually ! 1855: appeared, hopefully word would soon get around warning everyone. ! 1856: ! 1857: Another similar attack involves someone creating a clever imitation ! 1858: of PGP that behaves like PGP in most respects, but doesn't work the ! 1859: way it's supposed to. For example, it might be deliberately crippled ! 1860: to not check signatures properly, allowing bogus key certificates to ! 1861: be accepted. This "Trojan horse" version of PGP is not hard for an ! 1862: attacker to create, because PGP source code is widely available, so ! 1863: anyone could modify the source code and produce a lobotomized zombie ! 1864: imitation PGP that looks real but does the bidding of its diabolical ! 1865: master. This Trojan horse version of PGP could then be widely ! 1866: circulated, claiming to be from me. How insidious. ! 1867: ! 1868: You should make an effort to get your copy of PGP from a reliable ! 1869: source, whatever that means. Or perhaps from more than one ! 1870: independent source, and compare them with a file comparison utility. ! 1871: ! 1872: There are other ways to check PGP for tampering, using digital ! 1873: signatures. If someone you trust signs the executable version of ! 1874: PGP, vouching for the fact that it has not been infected or tampered ! 1875: with, you can be reasonably sure that you have a good copy. You ! 1876: could use an earlier trusted version of PGP to check the signature on ! 1877: a later suspect version of PGP. But this will not help at all if ! 1878: your operating system is infected, nor will it detect if your ! 1879: original copy of PGP.EXE has been maliciously altered in such a way ! 1880: as to compromise its own ability to check signatures. This test also ! 1881: assumes that you have a good trusted copy of the public key that you ! 1882: use to check the signature on the PGP executable. ! 1883: ! 1884: I recommend you not trust your copy of PGP unless it was originally ! 1885: distributed by MIT or ViaCrypt, or unless it comes with a digitally ! 1886: signed endorsement from me. Every new version comes with one or more ! 1887: digital signatures in the distribution package, signed by the ! 1888: originator of that release package. This is usually someone ! 1889: representing MIT or ViaCrypt, or whoever released that version. ! 1890: Check the signatures on the version that you get. I have actually ! 1891: seen several bogus versions of PGP distribution packages, even from ! 1892: apparantly reliable freeware distribution channels such as CD-ROM ! 1893: distributors and Compuserve. Always check the signature when you get ! 1894: a new version. ! 1895: ! 1896: ! 1897: Physical Security Breach ! 1898: ------------------------ ! 1899: ! 1900: A physical security breach may allow someone to physically acquire ! 1901: your plaintext files or printed messages. A determined opponent ! 1902: might accomplish this through burglary, trash-picking, unreasonable ! 1903: search and seizure, or bribery, blackmail or infiltration of your ! 1904: staff. Some of these attacks may be especially feasible against ! 1905: grassroots political organizations that depend on a largely volunteer ! 1906: staff. It has been widely reported in the press that the FBI's ! 1907: COINTELPRO program used burglary, infiltration, and illegal bugging ! 1908: against antiwar and civil rights groups. And look what happened at ! 1909: the Watergate Hotel. ! 1910: ! 1911: Don't be lulled into a false sense of security just because you have ! 1912: a cryptographic tool. Cryptographic techniques protect data only ! 1913: while it's encrypted-- direct physical security violations can still ! 1914: compromise plaintext data or written or spoken information. ! 1915: ! 1916: This kind of attack is cheaper than cryptanalytic attacks on PGP. ! 1917: ! 1918: ! 1919: Tempest Attacks ! 1920: --------------- ! 1921: ! 1922: Another kind of attack that has been used by well-equipped opponents ! 1923: involves the remote detection of the electromagnetic signals from ! 1924: your computer. This expensive and somewhat labor-intensive attack is ! 1925: probably still cheaper than direct cryptanalytic attacks. An ! 1926: appropriately instrumented van can park near your office and remotely ! 1927: pick up all of your keystrokes and messages displayed on your ! 1928: computer video screen. This would compromise all of your passwords, ! 1929: messages, etc. This attack can be thwarted by properly shielding all ! 1930: of your computer equipment and network cabling so that it does not ! 1931: emit these signals. This shielding technology is known as "Tempest", ! 1932: and is used by some Government agencies and defense contractors. ! 1933: There are hardware vendors who supply Tempest shielding commercially, ! 1934: although it may be subject to some kind of Government licensing. Now ! 1935: why do you suppose the Government would restrict access to Tempest ! 1936: shielding? ! 1937: ! 1938: ! 1939: Exposure on Multi-user Systems ! 1940: ------------------------------ ! 1941: ! 1942: PGP was originally designed for a single-user MSDOS machine under ! 1943: your direct physical control. I run PGP at home on my own PC, and ! 1944: unless someone breaks into my house or monitors my electromagnetic ! 1945: emissions, they probably can't see my plaintext files or secret keys. ! 1946: ! 1947: But now PGP also runs on multi-user systems such as Unix and VAX/VMS. ! 1948: On multi-user systems, there are much greater risks of your plaintext ! 1949: or keys or passwords being exposed. The Unix system administrator or ! 1950: a clever intruder can read your plaintext files, or perhaps even use ! 1951: special software to covertly monitor your keystrokes or read what's ! 1952: on your screen. On a Unix system, any other user can read your ! 1953: environment information remotely by simply using the Unix "ps" ! 1954: command. Similar problems exist for MSDOS machines connected on a ! 1955: local area network. The actual security risk is dependent on your ! 1956: particular situation. Some multi-user systems may be safe because ! 1957: all the users are trusted, or because they have system security ! 1958: measures that are safe enough to withstand the attacks available to ! 1959: the intruders, or because there just aren't any sufficiently ! 1960: interested intruders. Some Unix systems are safe because they are ! 1961: only used by one user-- there are even some notebook computers ! 1962: running Unix. It would be unreasonable to simply exclude PGP from ! 1963: running on all Unix systems. ! 1964: ! 1965: PGP is not designed to protect your data while it is in plaintext ! 1966: form on a compromised system. Nor can it prevent an intruder from ! 1967: using sophisticated measures to read your secret key while it is ! 1968: being used. You will just have to recognize these risks on ! 1969: multi-user systems, and adjust your expectations and behavior ! 1970: accordingly. Perhaps your situation is such that you should consider ! 1971: running PGP only on an isolated single-user system under your direct ! 1972: physical control. That's what I do, and that's what I recommend. ! 1973: ! 1974: ! 1975: Traffic Analysis ! 1976: ---------------- ! 1977: ! 1978: Even if the attacker cannot read the contents of your encrypted ! 1979: messages, he may be able to infer at least some useful information by ! 1980: observing where the messages come from and where they are going, the ! 1981: size of the messages, and the time of day the messages are sent. ! 1982: This is analogous to the attacker looking at your long distance phone ! 1983: bill to see who you called and when and for how long, even though the ! 1984: actual content of your calls is unknown to the attacker. This is ! 1985: called traffic analysis. PGP alone does not protect against traffic ! 1986: analysis. Solving this problem would require specialized ! 1987: communication protocols designed to reduce exposure to traffic ! 1988: analysis in your communication environment, possibly with some ! 1989: cryptographic assistance. ! 1990: ! 1991: ! 1992: Protecting Against Bogus Timestamps ! 1993: ----------------------------------- ! 1994: ! 1995: A somewhat obscure vulnerability of PGP involves dishonest users ! 1996: creating bogus timestamps on their own public key certificates and ! 1997: signatures. You can skip over this section if you are a casual user ! 1998: and aren't deeply into obscure public key protocols. ! 1999: ! 2000: There's nothing to stop a dishonest user from altering the date and ! 2001: time setting of his own system's clock, and generating his own public ! 2002: key certificates and signatures that appear to have been created at a ! 2003: different time. He can make it appear that he signed something ! 2004: earlier or later than he actually did, or that his public/secret key ! 2005: pair was created earlier or later. This may have some legal or ! 2006: financial benefit to him, for example by creating some kind of ! 2007: loophole that might allow him to repudiate a signature. ! 2008: ! 2009: I think this problem of falsified timestamps in digital signatures is ! 2010: no worse than it is already in handwritten signatures. Anyone may ! 2011: write a date next to their handwritten signature on a contract with ! 2012: any date they choose, yet no one seems to be alarmed over this state ! 2013: of affairs. In some cases, an "incorrect" date on a handwritten ! 2014: signature might not be associated with actual fraud. The timestamp ! 2015: might be when the signator asserts that he signed a document, or ! 2016: maybe when he wants the signature to go into effect. ! 2017: ! 2018: In situations where it is critical that a signature be trusted to ! 2019: have the actual correct date, people can simply use notaries to ! 2020: witness and date a handwritten signature. The analog to this in ! 2021: digital signatures is to get a trusted third party to sign a ! 2022: signature certificate, applying a trusted timestamp. No exotic or ! 2023: overly formal protocols are needed for this. Witnessed signatures ! 2024: have long been recognized as a legitimate way of determining when a ! 2025: document was signed. ! 2026: ! 2027: A trustworthy Certifying Authority or notary could create notarized ! 2028: signatures with a trustworthy timestamp. This would not necessarily ! 2029: require a centralized authority. Perhaps any trusted introducer or ! 2030: disinterested party could serve this function, the same way real ! 2031: notary publics do now. When a notary signs other people's ! 2032: signatures, it creates a signature certificate of a signature ! 2033: certificate. This would serve as a witness to the signature the same ! 2034: way real notaries now witness handwritten signatures. The notary ! 2035: could enter the detached signature certificate (without the actual ! 2036: whole document that was signed) into a special log controlled by the ! 2037: notary. Anyone can read this log. The notary's signature would have ! 2038: a trusted timestamp, which might have greater credibility or more ! 2039: legal significance than the timestamp in the original signature. ! 2040: ! 2041: There is a good treatment of this topic in Denning's 1983 article in ! 2042: IEEE Computer (see references). Future enhancements to PGP might ! 2043: have features to easily manage notarized signatures of signatures, ! 2044: with trusted timestamps. ! 2045: ! 2046: ! 2047: Cryptanalysis ! 2048: ------------- ! 2049: ! 2050: An expensive and formidable cryptanalytic attack could possibly be ! 2051: mounted by someone with vast supercomputer resources, such as a ! 2052: Government intelligence agency. They might crack your RSA key by ! 2053: using some new secret factoring breakthrough. Perhaps so, but it is ! 2054: noteworthy that the US Government trusts the RSA algorithm enough in ! 2055: some cases to use it to protect its own nuclear weapons, according to ! 2056: Ron Rivest. And civilian academia has been intensively attacking it ! 2057: without success since 1978. ! 2058: ! 2059: Perhaps the Government has some classified methods of cracking the ! 2060: IDEA(tm) conventional encryption algorithm used in PGP. This is ! 2061: every cryptographer's worst nightmare. There can be no absolute ! 2062: security guarantees in practical cryptographic implementations. ! 2063: ! 2064: Still, some optimism seems justified. The IDEA algorithm's designers ! 2065: are among the best cryptographers in Europe. It has had extensive ! 2066: security analysis and peer review from some of the best cryptanalysts ! 2067: in the unclassified world. It appears to have some design advantages ! 2068: over the DES in withstanding differential and linear cryptanalysis, ! 2069: which have both been used to crack the DES. ! 2070: ! 2071: Besides, even if this algorithm has some subtle unknown weaknesses, ! 2072: PGP compresses the plaintext before encryption, which should greatly ! 2073: reduce those weaknesses. The computational workload to crack it is ! 2074: likely to be much more expensive than the value of the message. ! 2075: ! 2076: If your situation justifies worrying about very formidable attacks of ! 2077: this caliber, then perhaps you should contact a data security ! 2078: consultant for some customized data security approaches tailored to ! 2079: your special needs. Boulder Software Engineering, whose address and ! 2080: phone are given at the end of this document, can provide such ! 2081: services. ! 2082: ! 2083: ! 2084: In summary, without good cryptographic protection of your data ! 2085: communications, it may have been practically effortless and perhaps ! 2086: even routine for an opponent to intercept your messages, especially ! 2087: those sent through a modem or E-mail system. If you use PGP and ! 2088: follow reasonable precautions, the attacker will have to expend far ! 2089: more effort and expense to violate your privacy. ! 2090: ! 2091: If you protect yourself against the simplest attacks, and you feel ! 2092: confident that your privacy is not going to be violated by a ! 2093: determined and highly resourceful attacker, then you'll probably be ! 2094: safe using PGP. PGP gives you Pretty Good Privacy. ! 2095: ! 2096: ! 2097: Legal Issues ! 2098: ============ ! 2099: ! 2100: ! 2101: Trademarks, Copyrights, and Warranties ! 2102: -------------------------------------- ! 2103: ! 2104: "PGP", "Pretty Good Privacy", "Phil's Pretty Good Software", and the ! 2105: "Pretty Good" label for computer software and hardware products are ! 2106: all trademarks of Philip R. Zimmermann. ! 2107: ! 2108: PGP is (c) Copyright Philip R. Zimmermann, 1990-1994. All rights ! 2109: reserved. The PGP User's Guide is also copyright Philip Zimmermann, ! 2110: 1990-1994. All rights reserved. These rights include but are not ! 2111: limited to any foreign language translations of the manual or the ! 2112: software, and all derivative works of both. ! 2113: ! 2114: MIT may have a copyright on the particular software distribution ! 2115: package that they distribute from the MIT FTP site. This copyright ! 2116: on the "compilation" of the distribution package in no way implies ! 2117: that MIT has a copyright on PGP itself, or its user documentation. ! 2118: ! 2119: The author assumes no liability for damages resulting from the use of ! 2120: this software, even if the damage results from defects in this ! 2121: software, and makes no representations concerning the merchantability ! 2122: of this software or its suitability for any specific purpose. It is ! 2123: provided "as is" without express or implied warranty of any kind. ! 2124: Because certain actions may delete files or render them ! 2125: unrecoverable, the author assumes no responsibility for the loss or ! 2126: modification of any data. ! 2127: ! 2128: ! 2129: ! 2130: Patent Rights on the Algorithms ! 2131: ------------------------------- ! 2132: ! 2133: The RSA public key cryptosystem was developed at MIT, which holds a ! 2134: patent on it (U.S. patent #4,405,829, issued 20 Sep 1983). A company ! 2135: in California called Public Key Partners (PKP) holds the exclusive ! 2136: commercial license to sell and sub-license the RSA public key ! 2137: cryptosystem. MIT distributes a freeware version of PGP under the ! 2138: terms of the RSAREF license from RSA Data Security, Inc. (RSADSI). ! 2139: ! 2140: At the time of this writing (September 1994), it appears that PKP may ! 2141: be breaking up soon, in which case the patents they hold may fall ! 2142: into other hands. The RSA patent may end up with RSADSI. ! 2143: ! 2144: Non-US users of earlier versions of PGP should note that the RSA ! 2145: patent does not apply outside the US, and at least at the time of ! 2146: this writing, the author is not aware of any RSA patent in any other ! 2147: country. Federal agencies may use the RSA algorithm, because the ! 2148: Government paid for the development of RSA with grants from the ! 2149: National Science Foundation and the Navy. But despite the fact of ! 2150: Government users having free access to the RSA algorithm, Government ! 2151: use of PGP has additional restrictions imposed by the agreement I ! 2152: have with ViaCrypt, as explained later. ! 2153: ! 2154: I wrote my PGP software from scratch, with my own independently ! 2155: developed implementation of the RSA algorithm. Before publishing PGP ! 2156: in 1991, I got a formal written legal opinion from a patent attorney ! 2157: with extensive experience in software patents. I'm convinced that ! 2158: publishing PGP the way I did does not violate patent law. ! 2159: ! 2160: Not only did PKP acquire the exclusive patent rights for the RSA ! 2161: cryptosystem, but they also acquired the exclusive rights to three ! 2162: other patents covering other public key schemes invented by others at ! 2163: Stanford University, also developed with federal funding. This ! 2164: one company claims to have a legal lock in the USA on nearly all ! 2165: practical public key cryptosystems. They even appear to be claiming ! 2166: patent rights on the very concept of public key cryptography, ! 2167: regardless of what clever new original algorithms are independently ! 2168: invented by others. I find such a comprehensive monopoly troubling, ! 2169: because I think public key cryptography is destined to become a ! 2170: crucial technology in the protection of our civil liberties and ! 2171: privacy in our increasingly connected society. At the very least, ! 2172: it places these vital tools at risk by affording to the Government ! 2173: a single pressure point of influence. ! 2174: ! 2175: Beginning with PGP version 2.5 (distributed by MIT, the holders of ! 2176: the original RSA patent), the freeware version of PGP uses the RSAREF ! 2177: subroutine library to perform its RSA calculations, under the RSAREF ! 2178: license, which allows noncommercial use in the USA. RSAREF is a ! 2179: subroutine package from RSA Data Security Inc, that implements the ! 2180: RSA algorithm. The RSAREF subroutines are used instead of PGP's ! 2181: original subroutines to implement the RSA functions in PGP. See the ! 2182: RSAREF license for terms and conditions of use of RSAREF ! 2183: applications. ! 2184: ! 2185: PGP 2.5 was released by MIT for a brief test period in May, 1994 ! 2186: before releasing 2.6. PGP 2.5 was released under the 16 March, 1994 ! 2187: RSAREF license, which is a perpetual license, so it may legally be ! 2188: used forever in the US. But it would be better for PGP's legal and ! 2189: political future for users in the United States to upgrade to version ! 2190: 2.6 or later to facilitate the demise of PGP 2.3a and earlier ! 2191: versions. Also, PGP 2.5 has bugs that are corrected in 2.6, and 2.5 ! 2192: will not read the new data format after September 1, 1994. (See the ! 2193: section on Compatibility with Previous and Future Versions of PGP.) ! 2194: ! 2195: The PGP 2.0 release was a joint effort of an international team of ! 2196: software engineers, implementing enhancements to the original PGP ! 2197: with design guidance from me. It was released by Branko Lankester in ! 2198: The Netherlands and Peter Gutmann in New Zealand, out of reach of US ! 2199: patent law. Although released only in Europe and New Zealand, it ! 2200: spontaneously spread to the USA without help from me or the PGP ! 2201: development team. ! 2202: ! 2203: The IDEA(tm) conventional block cipher used by PGP is covered by a ! 2204: patent in Europe, held by ETH and a Swiss company called Ascom-Tech ! 2205: AG. The US Patent number is 5,214,703, and the European patent ! 2206: number is EP 0 482 154 B1. IDEA(tm) is a trademark of Ascom-Tech AG. ! 2207: There is no license fee required for noncommercial use of IDEA. ! 2208: Commercial users of IDEA may obtain licensing details from Dieter ! 2209: Profos, Ascom Tech AG, Teleservices Section, Postfach 151, 4502 ! 2210: Solothurn, Switzerland, Tel +41 65 242885, Fax +41 65 235761. ! 2211: ! 2212: Ascom-Tech AG has granted permission for the freeware version PGP to ! 2213: use the IDEA cipher in non-commercial uses, everywhere. In the US ! 2214: and Canada, all commercial or Government users must obtain a licensed ! 2215: version from ViaCrypt, who has a license from Ascom-Tech for the IDEA ! 2216: cipher. ! 2217: ! 2218: Ascom-Tech has recently been changing its policies regarding the use ! 2219: of IDEA in PGP for commercial use outside the US, and that policy ! 2220: still seems to be in flux. They tell me that their current thinking ! 2221: is as follows: They will allow commercial users of PGP outside the ! 2222: US or Canada to use IDEA in PGP without paying royalties to ! 2223: Ascom-Tech, because it is not currently possible for commercial users ! 2224: to buy a licensed version of PGP outside the US or Canada. If the ! 2225: legal situation in the USA changes in the future, so that users ! 2226: outside the US or Canada can buy a licensed version of PGP (either ! 2227: from ViaCrypt, or from me, or from a foreign enterprise licensed by ! 2228: me), then Ascom-Tech will begin enforcing its patent licensing ! 2229: policies on commercial users who are in a position to buy a licensed ! 2230: version of PGP. To get a more up-to-date report on this, contact ! 2231: Ascom-Tech AG. ! 2232: ! 2233: The ZIP compression routines in PGP come from freeware source code, ! 2234: with the author's permission. I'm not aware of any patents on the ! 2235: compression algorithms used in the ZIP routines. ! 2236: ! 2237: ! 2238: Freeware Status and Restrictions ! 2239: -------------------------------- ! 2240: ! 2241: PGP is not shareware, it's freeware. Published as a community ! 2242: service. Giving PGP away for free will encourage far more people to ! 2243: use it, which will have a greater social impact. Feel free to ! 2244: disseminate the complete unmodified PGP release package as widely as ! 2245: possible, but be careful not to violate U.S. export controls if you ! 2246: live in the USA. Give it to all your friends. If you have access to ! 2247: any electronic Bulletin Board Systems, please upload the complete PGP ! 2248: executable object release package to as many BBS's as possible. ! 2249: ! 2250: You may also disseminate the source code release package. PGP's ! 2251: source code is published to assist public scrutiny of PGP to show that ! 2252: it has no hidden weaknesses or back doors, and to help people to find ! 2253: bugs and report them. Recompile it and port it to new target ! 2254: machines. Experiment with the code and learn from it. ! 2255: ! 2256: I place no restraints on your modifying the source code for your own ! 2257: use. However, do not distribute a modified version of PGP under the ! 2258: name "PGP" without first getting permission from me. Please respect ! 2259: this restriction. PGP's reputation for cryptographic integrity ! 2260: depends on maintaining strict quality control on PGP's cryptographic ! 2261: algorithms and protocols. Beyond that, ad hoc "improvements" to PGP ! 2262: can affect interoperability, which creates user confusion and ! 2263: compatability problems that could damage PGP's (and my own) ! 2264: reputation and undermine the good will earned by the PGP trademark. ! 2265: ! 2266: This has already started to happen, which is why I'm making a point ! 2267: of it here. This creates technical support headaches, and I get ! 2268: phone calls from confused users who run into problems either because ! 2269: they have a mutant strain of PGP, or are trying to process a key, ! 2270: signature, or message that came from an incompatible mutant strain of ! 2271: PGP. The source code to PGP was not published to help spawn these ! 2272: mutant strains. ! 2273: ! 2274: If you want to distribute a modified version of PGP, or use a modified ! 2275: version to send messages to other people, you should name the program ! 2276: in such a way that no one could mistake it for PGP. The messages, ! 2277: signatures, and keys it produces must also be labeled in such a way ! 2278: that no one could mistake them for material produced by PGP. If you ! 2279: feel you must modify your copy of PGP, and there is any chance that ! 2280: the modified version could escape into the environment, please contact ! 2281: me first to discuss some easy methods for how to prevent people from ! 2282: confusing your version with the standard PGP. Perhaps we'll even ! 2283: decide that your changes are appropriate for incorporating into the ! 2284: standard PGP release. ! 2285: ! 2286: Also, you should note that official executable versions of PGP are ! 2287: always released signed by the PGP developers, so you can verify their ! 2288: authenticity. If you find a corrupted copy of PGP, or notice one ! 2289: being distributed, please contact the people doing the distribution ! 2290: and suggest that they replace this with an authentic version. ! 2291: ! 2292: Some older versions of PGP were published under the terms of the ! 2293: General Public License (GPL), a license designed by the Free Software ! 2294: Foundation to protect the status of free software. Newer freeware ! 2295: versions of PGP are no longer published under the GPL. The RSAREF ! 2296: licensing terms are more stringent than those of the GPL. But even ! 2297: if a version of PGP is published without RSAREF, in a situation or ! 2298: place where the RSA patent does not apply, I still do not want the ! 2299: GPL to apply to PGP, for a variety of reasons, not the least of which ! 2300: is because the GPL is not optimal for protecting PGP from being ! 2301: republished with ad-hoc "improvements". ! 2302: ! 2303: Outside the United States, the RSA patent is not in force, so PGP ! 2304: users there are free to use implementations of PGP that do not rely ! 2305: on RSAREF and its restrictions. Canadians may use PGP without using ! 2306: RSAREF, and there are legal ways to export PGP to Canada. In Canada, ! 2307: where RSAREF is not needed, it is easy to modify and recompile the ! 2308: current PGP source code to perform the RSA calculations without using ! 2309: the RSAREF library, just as it was done in PGP 2.3a. In such a case, ! 2310: this modified PGP may be re-released under the identical licensing ! 2311: terms as the current official freeware PGP release, but without the ! 2312: RSAREF-specific restrictions. It may not be re-released under the ! 2313: GPL, as certain older versions were. And this manual must accompany ! 2314: it. That modified version of PGP may not be used in environments ! 2315: where RSAREF would be needed. ! 2316: ! 2317: ! 2318: Restrictions on Commercial Use of PGP ! 2319: ------------------------------------- ! 2320: ! 2321: The freeware version of PGP is for personal, non-commercial use. For ! 2322: commercial use in the USA or Canada, contact ViaCrypt in Phoenix, ! 2323: Arizona (phone 602 944-0773, or email [email protected]). ! 2324: ! 2325: I made an agreement with ViaCrypt in the summer of 1993 to license the ! 2326: exclusive commercial rights to PGP, so that there would be a way for ! 2327: corporations to use PGP without risk of a patent infringement lawsuit ! 2328: from PKP. For PGP to succeed in the long term as a viable industry ! 2329: standard, the legal stigma associated with the RSA patent rights had ! 2330: to be resolved. ViaCrypt had already obtained a patent license from ! 2331: PKP to make, use, and sell products that practice the RSA patents. ! 2332: ViaCrypt offered a way out of the patent quagmire for PGP to penetrate ! 2333: the corporate environment. They could sell a fully-licensed version ! 2334: of PGP, but only if I licensed it to them under these terms. So we ! 2335: entered into an agreement to do that, opening the door for PGP's ! 2336: future in the commercial sector, which was necessary for PGP's ! 2337: long-term political future. ! 2338: ! 2339: Therefore, regardless of the complexities and partially overlapping ! 2340: restrictions from all the other terms and conditions imposed by the ! 2341: various patent and copyright licenses (RSA, RSAREF, and IDEA) from ! 2342: various third parties, an additional overriding restriction on PGP ! 2343: usage is imposed by my own agreement with ViaCrypt: The freeware ! 2344: version of PGP is only for personal, non-commercial use -- all other ! 2345: users in the USA and Canada must obtain a fully licensed version of ! 2346: PGP from ViaCrypt. The restrictions imposed by my agreement with ! 2347: ViaCrypt do not apply outside the USA or Canada. ! 2348: ! 2349: Finally, if you want to turn PGP into a commercial product and make ! 2350: money selling it, then we must agree on a way for me to also make ! 2351: money on it. If you use PGP in such a manner that you must pay ! 2352: patent royalties or any other software licensing fees to the patent ! 2353: holders for any cryptographic algorithms used by PGP, then we must ! 2354: agree on a way for me to also be paid in some manner. Buying PGP ! 2355: from ViaCrypt is one way to meet this requirement. ! 2356: ! 2357: ! 2358: Other Licensing Restrictions ! 2359: ---------------------------- ! 2360: ! 2361: Under no circumstances may PGP be distributed without the PGP ! 2362: documentation, including this PGP User's Guide. And, assuming this is ! 2363: an RSAREF version of PGP, the RSAREF license agreement must be kept ! 2364: with it. You must also keep the copyright, patent, and trademark ! 2365: notices on PGP and its documentation. ! 2366: ! 2367: The standard freeware PGP release is primarily distributed in ! 2368: electronic form, as a single compressed archive file, containing a ! 2369: collection of files in a "shrink-wrapped" package. This package ! 2370: should not be broken up and the components separately distributed -- ! 2371: in the interests of quality control, we want to make it difficult for ! 2372: users to obtain PGP without getting the full release package. ! 2373: ! 2374: ! 2375: Distribution ! 2376: ------------ ! 2377: ! 2378: In the USA, PGP is available for free from the Massachusetts Institute ! 2379: of Technology, under the restrictions described above. ! 2380: ! 2381: The primary release site for PGP is the Massachusetts Institute of ! 2382: Technology, at their FTP site "net-dist.mit.edu", in the /pub/PGP ! 2383: directory. You may obtain free copies or updates to PGP from this ! 2384: site, or any other Internet FTP site or BBS that PGP has spread to. ! 2385: Don't ask me for a copy directly from me, especially if you live ! 2386: outside the US or Canada. I recommend that you not use any modified ! 2387: version of PGP that comes from any other source, other than MIT, ! 2388: ViaCrypt, or me, unless it is accompanied by a signed endorsement ! 2389: from me personally. You can get the official release software from ! 2390: many other distribution sites "downstream" from MIT. Hopefully, all ! 2391: these other sites are adhering to US export controls. ! 2392: ! 2393: The PGP version 2.6.2 executable object release package for MSDOS ! 2394: contains the PGP executable software, documentation, RSAREF license, ! 2395: sample key rings including my own public key, and signatures for the ! 2396: software and this manual, all in one PKZIP compressed file called ! 2397: pgp262.zip. The PGP source release package for MSDOS contains all ! 2398: the C source files in one PKZIP compressed file called pgp262s.zip. ! 2399: The filename for the release package is derived from the version ! 2400: number of the release. ! 2401: ! 2402: ! 2403: Export Controls ! 2404: --------------- ! 2405: ! 2406: The U.S. Government has made it illegal in most cases to export good ! 2407: cryptographic technology, and that may include PGP. They regard this ! 2408: kind of software just like they regard munitions. This is determined ! 2409: not by legislation, but by administrative policies of the State ! 2410: Department, Defense Department and Commerce Department. ! 2411: ! 2412: The U.S. Government is using export restrictions as a means of ! 2413: suppressing both domestic and foreign availability of cryptographic ! 2414: technology. In particular, it is trying to suppress the emergence of ! 2415: an international standard for cryptographic protocols, until it can ! 2416: establish the Escrowed Encryption Standard (the Clipper chip) as the ! 2417: dominant standard. ! 2418: ! 2419: Any export restrictions on PGP are imposed by the US Government. ! 2420: This does not imply that I or MIT agree with these restrictions. We ! 2421: just comply with them. We do not impose additional licensing ! 2422: restrictions of our own on the use of PGP outside of the US, other ! 2423: than those restrictions that already apply inside the US. PGP may be ! 2424: subject to export controls. Anyone wishing to export it should first ! 2425: consult the State Department's Office of Defense Trade Controls. ! 2426: ! 2427: I will not export this software out of the US or Canada in cases when ! 2428: it is illegal to do so under US controls, and I urge other people not ! 2429: to export it on their own. If you live outside the US or Canada, I ! 2430: urge you not to violate US export laws by getting any version of PGP ! 2431: in a way that violates those laws. Since thousands of domestic users ! 2432: got the first version after its initial publication, it somehow ! 2433: leaked out of the US and spread itself widely abroad, like dandelion ! 2434: seeds blowing in the wind. ! 2435: ! 2436: Starting with PGP version 2.0 through version 2.3a, the release point ! 2437: of the software has been outside the US, on publicly-accessible ! 2438: computers in Europe. Each release was electronically sent back into ! 2439: the US and posted on publicly-accessible computers in the US by PGP ! 2440: privacy activists in foreign countries. There are some restrictions ! 2441: in the US regarding the import of munitions, but I'm not aware of any ! 2442: cases where this was ever enforced for importing cryptographic ! 2443: software into the US. I imagine that a legal action of that type ! 2444: would be quite a spectacle of controversy. ! 2445: ! 2446: ViaCrypt PGP is sold in the United States and Canada and is not for ! 2447: export. The following language was supplied by the US Government to ! 2448: ViaCrypt for inclusion in the ViaCrypt PGP documentation: "PGP is ! 2449: export restricted by the Office of Export Administration, United ! 2450: States Department of Commerce and the Offices of Defense Trade ! 2451: Controls and Munitions Control, United States Department of State. ! 2452: PGP cannot be exported or reexported, directly or indirectly, (a) ! 2453: without all export or reexport licenses and governmental approvals ! 2454: required by any applicable laws, or (b) in violation of any ! 2455: prohibition against the export or reexport of any part of PGP." The ! 2456: Government may take the position that the freeware PGP versions are ! 2457: also subject to those controls. ! 2458: ! 2459: The freeware PGP versions 2.5 and 2.6 were released through a posting ! 2460: on a controlled FTP site maintained by MIT. This site has ! 2461: restrictions and limitations which have been used on other FTP sites ! 2462: to comply with export control requirements with respect to other ! 2463: encryption software such as Kerberos and software from RSA Data ! 2464: Security, Inc. I urge you not to do anything which would weaken ! 2465: those controls or facilitate any improper export of PGP. ! 2466: ! 2467: Although PGP has become a worldwide de facto standard for E-mail ! 2468: encryption, and is widely available overseas, I still get calls from ! 2469: people outside the US who ask me if it is legal to use it in their ! 2470: own country, for versions that are already available there. Please ! 2471: don't contact me to ask me if it is legal to use PGP in your country ! 2472: if you live outside the US. That question is not up to me. I've got ! 2473: enough legal problems of my own with export control issues, without ! 2474: getting involved in giving you legal advice over my phone. It might ! 2475: even put me at some legal risk to simply answer a question like that ! 2476: for a foreigner. If this question concerns you, ask someone else, ! 2477: like a lawyer. ! 2478: ! 2479: You may have a need to use PGP in a commercial application outside ! 2480: the US or Canada. Unfortunately, at the time of this writing, there ! 2481: is no current commercial source for PGP outside the US or Canada. I ! 2482: am trying to find a US-legal way to make a commercially licensed ! 2483: version available abroad, but right now the US export restrictions ! 2484: make that difficult without putting me at legal risk. This situation ! 2485: may change. ! 2486: ! 2487: Some foreign governments impose serious penalties on anyone inside ! 2488: their country for merely using encrypted communications. In some ! 2489: countries they might even shoot you for that. But if you live in ! 2490: that kind of country, perhaps you need PGP even more. ! 2491: ! 2492: ! 2493: ! 2494: Philip Zimmermann's Legal Situation ! 2495: ----------------------------------- ! 2496: ! 2497: At the time of this writing, I am the target of a US Customs criminal ! 2498: investigation in the Northern District of California. A criminal ! 2499: investigation is not a civil lawsuit. Civil lawsuits do not involve ! 2500: prison terms. My defense attorney has been told by the Assistant US ! 2501: Attorney that the area of law of interest to the investigation has to ! 2502: do with the export controls on encryption software. The federal ! 2503: mandatory sentencing guidelines for this offense are 41 to 51 months ! 2504: in a federal prison. US Customs appears to be taking the position ! 2505: that electronic domestic publication of encryption software is the ! 2506: same as exporting it. The prosecutor has issued a number of federal ! 2507: grand jury subpoenas. It may be months before a decision is reached ! 2508: on whether to seek indictment. This situation may change at any ! 2509: time, so this description may be out of date by the time you read ! 2510: it. Watch the news for further developments. If I am indicted and ! 2511: this goes to trial, it will be a major test case. ! 2512: ! 2513: I have a legal defense fund set up for this case. So far, no other ! 2514: organization is doing the fundraising for me, so I am depending on ! 2515: people like you to contribute directly to this cause. If you care ! 2516: about the future of your civil liberties in the information age, then ! 2517: perhaps you will care about this case. The legal fees are expensive, ! 2518: the meter is running, and I need your help. The fund is run by my ! 2519: lead defense attorney, Phil Dubois, here in Boulder. Please send ! 2520: your contributions to: ! 2521: ! 2522: Philip L. Dubois, Lawyer ! 2523: 2305 Broadway ! 2524: Boulder, Colorado 80304 USA ! 2525: Phone (303) 444-3885 ! 2526: E-mail: [email protected] ! 2527: ! 2528: You can also phone in your donation and put it on Mastercard or Visa. ! 2529: If you want to be really cool, you can use Internet E-mail to send in ! 2530: your contribution, encrypting your message with PGP so that no one ! 2531: can intercept your credit card number. Include in your E-mail ! 2532: message your Mastercard or Visa number, expiration date, name on the ! 2533: card, and amount of donation. Then sign it with your own key and ! 2534: encrypt it with Phil Dubois's public key (his key is included in the ! 2535: standard PGP distribution package, in the "keys.asc" file). Put a ! 2536: note on the subject line that this is a donation to my legal defense ! 2537: fund, so that Mr. Dubois will decrypt it promptly. Please don't send ! 2538: a lot of casual encrypted E-mail to him -- I'd rather he use his ! 2539: valuable time to work on my case. ! 2540: ! 2541: If you want to read some press stories to find out why this is an ! 2542: important case, see the following references: ! 2543: ! 2544: 1) William Bulkeley, "Cipher Probe", Wall Street Journal, Thursday ! 2545: 28 April 1994, front page. ! 2546: 2) John Cary, "Spy vs. Computer Nerd: The Fight Over Data ! 2547: Security", Business Week, 4 Oct 1993, page 43. ! 2548: 3) Jon Erickson, "Cryptography Fires Up the Feds", Dr. Dobb's ! 2549: Journal, December 1993, page 6. ! 2550: 4) John Markoff, "Federal Inquiry on Software Examines Privacy ! 2551: Programs", New York Times, Tuesday 21 Sep 1993, page C1. ! 2552: 5) Kurt Kleiner, "Punks and Privacy", Mother Jones Magazine, ! 2553: Jan/Feb 1994, page 17. ! 2554: 6) Steven Levy, "Battle of the Clipper Chip", New York Times ! 2555: Magazine, Sunday 12 Jun 1994, page 44. ! 2556: 7) Steven Levy, "Crypto Rebels", WIRED, May/Jun 1993, page 54. ! 2557: 8) John Markoff, "Cyberspace Under Lock and Key", New York Times, ! 2558: Sunday 13 Feb 1994. ! 2559: 9) Philip Elmer-DeWitt, "Who Should Keep the Keys", Time, 14 Mar ! 2560: 1994, page 90. ! 2561: ! 2562: There are a great many other articles on PGP from around the world. ! 2563: I'm keeping a scrapbook. ! 2564: ! 2565: ! 2566: Other Sources of Information on PGP ! 2567: =================================== ! 2568: ! 2569: ! 2570: Where to Get a Commercial Version of PGP ! 2571: ---------------------------------------- ! 2572: ! 2573: To get a fully licensed version of PGP for use in the USA or Canada, ! 2574: contact: ! 2575: ! 2576: ViaCrypt ! 2577: 9033 North 24th Avenue, Suite 7 ! 2578: Phoenix, Arizona 85021 USA ! 2579: Phone: (602) 944-0773, or (800) 536-2664 ! 2580: Fax: (602) 943-2601 ! 2581: E-mail: [email protected] ! 2582: ! 2583: ViaCrypt has a version of PGP for MSDOS, and a number of Unix ! 2584: platforms. They also have a Windows shell version, and other ! 2585: versions are under development, including Macintosh. If you have a ! 2586: need to use PGP in a commercial or Government setting, and ViaCrypt ! 2587: has a version of PGP for your hardware platform, you should get ! 2588: ViaCrypt PGP. ! 2589: ! 2590: ViaCrypt has obtained all the necessary licenses from PKP, Ascom-Tech ! 2591: AG, and Philip Zimmermann to sell PGP for use in commercial or ! 2592: government environments. ViaCrypt PGP is every bit as secure as the ! 2593: freeware PGP, and is entirely compatible in both directions with the ! 2594: freeware version of PGP. ViaCrypt PGP is the perfect way to get a ! 2595: fully licensed version of PGP into your corporate environment. ! 2596: ! 2597: If you work in a large company and you are a fan of PGP, I urge you ! 2598: to try to persuade your company to buy lots of copies of PGP from ! 2599: ViaCrypt. Not just because that will earn royalties for me. If ! 2600: ViaCrypt can make PGP a commercial success, it will go a long way ! 2601: toward cementing PGP's political future as an unstoppable standard ! 2602: for E-mail encryption in the corporate world. The corporate world is ! 2603: where the money is, and that affects public policy like nothing ! 2604: else. And that includes Government policy to suppress strong ! 2605: cryptography. ! 2606: ! 2607: ! 2608: ! 2609: Reporting PGP Bugs ! 2610: ------------------ ! 2611: ! 2612: Bugs in PGP should be reported via E-mail to MIT, the official ! 2613: distribution site of PGP. The E-mail address for bug reports is ! 2614: [email protected]. MIT will forward a copy of your bug report to me. ! 2615: When you report bugs, be sure to specify what machine and operating ! 2616: system you are using and what version of PGP you have, and provide ! 2617: enough detail to reproduce the problem. It would also be a good idea ! 2618: to find out if you have the latest version of PGP, in case the bug ! 2619: has already been fixed. Also, it's a good idea to make sure it ! 2620: really is a bug before you report it. RTFM. ! 2621: ! 2622: ! 2623: ! 2624: Fan Mail, Updates, and News ! 2625: --------------------------- ! 2626: ! 2627: After all this work I have to admit I wouldn't mind getting some fan ! 2628: mail for PGP, to gauge its popularity. Let me know what you think ! 2629: about it and how many of your friends use it. Bug reports and ! 2630: suggestions for enhancing PGP are welcome, too. Perhaps a future PGP ! 2631: release will reflect your suggestions. ! 2632: ! 2633: This project has not been funded and the project has nearly eaten me ! 2634: alive. This means you usually won't get a reply to your mail, unless ! 2635: you only need a short written reply and you include a stamped ! 2636: self-addressed envelope. But I often do reply to E-mail. Please ! 2637: keep it in English, as my foreign language skills are weak. If you ! 2638: call and I'm not in, it's best to just try again later. I usually ! 2639: don't return long distance phone calls, unless you leave a message ! 2640: that I can call you collect, and even then I might not return your ! 2641: call. If you need any significant amount of my time, I am available ! 2642: on a paid consulting basis, and I always return those calls. ! 2643: ! 2644: The most inconvenient mail I get is for some well-intentioned person ! 2645: to send me a few dollars asking me for a copy of PGP. I don't send ! 2646: it to them because I'd rather avoid any legal problems with PKP. Or ! 2647: worse, sometimes these requests are from foreign countries, and I ! 2648: would be risking a violation of US cryptographic export control ! 2649: laws. Even if there were no legal hassles involved in sending PGP to ! 2650: them, they usually don't send enough money to make it worth my time. ! 2651: I'm just not set up as a low cost low volume mail order business. I ! 2652: can't just ignore the request and keep the money, because they ! 2653: probably regard the money as a fee for me to fulfill their request. ! 2654: If I return the money, I might have to get in my car and drive down ! 2655: to the post office and buy some postage stamps, because these ! 2656: requests rarely include a stamped self-addressed envelope. And I ! 2657: have to take the time to write a polite reply that I can't do it. If ! 2658: I postpone the reply and set the letter down on my desk, it might be ! 2659: buried within minutes and won't see the light of day again for ! 2660: months. Multiply these minor inconveniences by the number of ! 2661: requests I get, and you can see the problem. Isn't it enough that ! 2662: the software is free? It would be nicer if people could try to get ! 2663: PGP from any of the myriad other sources. If you don't have a modem, ! 2664: ask a friend to get it for you. If you can't find it yourself, I ! 2665: don't mind answering a quick phone call. ! 2666: ! 2667: If anyone wants to volunteer to improve PGP, please let me know. It ! 2668: could certainly use some more work. Some features were deferred to ! 2669: get it out the door. A number of PGP users have since donated their ! 2670: time to port PGP to Unix on Sun SPARCstations, to Ultrix, to VAX/VMS, ! 2671: to OS/2, to the Amiga, and to the Atari ST. Perhaps you can help ! 2672: port it to some new environments. But please let me know if you plan ! 2673: to port or add enhancements to PGP, to avoid duplication of effort, ! 2674: and to avoid starting with an obsolete version of the source code. ! 2675: ! 2676: Because so many foreign language translations of PGP have been ! 2677: produced, most of them are not distributed with the regular PGP ! 2678: release package because it would require too much disk space. ! 2679: Separate language translation "kits" are available from a number of ! 2680: independent sources, and are sometimes available separately from the ! 2681: same distribution centers that carry the regular PGP release ! 2682: software. These kits include translated versions of the file ! 2683: LANGUAGE.TXT, PGP.HLP, and the PGP User's Guide. If you want to ! 2684: produce a translation for your own native language, contact me first ! 2685: to get the latest information and standard guidelines, and to find ! 2686: out if it's been translated to your language already. To find out ! 2687: where to get a foreign language kit for your language, you might ! 2688: check on the Internet newsgroups, or get it from Mike Johnson ! 2689: ([email protected]). ! 2690: ! 2691: If you have access to the Internet, watch for announcements of new ! 2692: releases of PGP on the Internet newsgroups "sci.crypt" and PGP's own ! 2693: newsgroup, "alt.security.pgp". If you want to know where to get PGP, ! 2694: MIT is the primary FTP distribution site (net-dist.mit.edu). Or ask ! 2695: Mike Johnson ([email protected]) for a list of Internet FTP sites and BBS ! 2696: phone numbers. ! 2697: ! 2698: ! 2699: ! 2700: Computer-Related Political Groups ! 2701: --------------------------------- ! 2702: ! 2703: PGP is a very political piece of software. It seems appropriate to ! 2704: mention here some computer-related activist groups. Full details on ! 2705: these groups, and how to join them, is provided in a separate ! 2706: document file in the PGP release package. ! 2707: ! 2708: The Electronic Privacy Information Center (EPIC) is a public interest ! 2709: research center in Washington, DC. It was established in 1994 to ! 2710: focus public attention on emerging privacy issues relating to the ! 2711: National Information Infrastructure, such as the Clipper Chip, the ! 2712: Digital Telephony proposal, medical record privacy, and the sale of ! 2713: consumer data. EPIC is sponsored by the Fund for Constitutional ! 2714: Government and Computer Professionals for Social Responsibility. ! 2715: EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of ! 2716: Information Act litigation, and conducts policy research on emerging ! 2717: privacy issues. For more information email [email protected], or write ! 2718: EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. ! 2719: +1 202 544 9240 (tel), +1 202 547 5482 (fax). ! 2720: ! 2721: The Electronic Frontier Foundation (EFF) was founded in 1990 to ! 2722: assure freedom of expression in digital media, with a particular ! 2723: emphasis on applying the principles embodied in the US Constitution ! 2724: and the Bill of Rights to computer-based communication. They can be ! 2725: reached in Washington DC, at (202) 347-5400. Internet E-mail address: ! 2726: [email protected]. ! 2727: ! 2728: Computer Professionals For Social Responsibility (CPSR) empowers ! 2729: computer professionals and computer users to advocate for the ! 2730: responsible use of information technology and empowers all who use ! 2731: computer technology to participate in public policy debates on the ! 2732: impacts of computers on society. They can be reached at: ! 2733: (415) 322-3778 in Palo Alto, E-mail address [email protected]. ! 2734: ! 2735: The League for Programming Freedom (LPF) is a grass-roots ! 2736: organization of professors, students, businessmen, programmers and ! 2737: users dedicated to bringing back the freedom to write programs. They ! 2738: regard patents on computer algorithms as harmful to the US software ! 2739: industry (and so do I!). They can be reached at (617) 433-7071. ! 2740: E-mail address: [email protected]. ! 2741: ! 2742: For more details on these groups, see the accompanying document in ! 2743: the PGP release package. ! 2744: ! 2745: ! 2746: ! 2747: Recommended Readings ! 2748: -------------------- ! 2749: ! 2750: ! 2751: Introductory Readings ! 2752: ! 2753: 1) Bruce Schneier, "Applied Cryptography: Protocols, Algorithms, and ! 2754: Source Code in C", John Wiley & Sons, 1993 ! 2755: (This book is a watershed work on the subject.) ! 2756: 2) Dorothy Denning, "Cryptography and Data Security", Addison-Wesley, ! 2757: Reading, MA 1982 ! 2758: 3) Dorothy Denning, "Protecting Public Keys and Signature Keys", ! 2759: IEEE Computer, Feb 1983 ! 2760: 4) Martin E. Hellman, "The Mathematics of Public-Key Cryptography," ! 2761: Scientific American, Aug 1979 ! 2762: 5) Steven Levy, "Crypto Rebels", WIRED, May/Jun 1993, page 54. ! 2763: (A "must-read" article on PGP and other related topics.) ! 2764: 6) Steven Levy, "Battle of the Clipper Chip", New York Times ! 2765: Magazine, Sunday 12 Jun 1994, page 44. (Great article, great ! 2766: photos.) ! 2767: 7) William Bulkeley, "Cipher Probe", Wall Street Journal, 28 April ! 2768: 1994, front page. (An article on PGP and Zimmermann.) ! 2769: ! 2770: ! 2771: Other Readings ! 2772: ! 2773: 8) Ronald Rivest, "The MD5 Message Digest Algorithm", MIT Laboratory ! 2774: for Computer Science, 1991 ! 2775: 9) Xuejia Lai, "On the Design and Security of Block Ciphers", ! 2776: ETH Series on Information Processing (Ed. J. L. Massey), ! 2777: Vol. 1, Hartung-Gorre Verlag, Konstanz, Switzerland, 1992 ! 2778: 10) Philip Zimmermann, "A Proposed Standard Format for RSA ! 2779: Cryptosystems", Advances in Computer Security, Vol III, edited by ! 2780: Rein Turn, Artech House, 1988 ! 2781: 11) Paul Wallich, "Electronic Envelopes", Scientific American, Feb ! 2782: 1993, page 30. (An article on PGP) ! 2783: 12) William Stallings, "Pretty Good Privacy", BYTE, July 1994, page ! 2784: 193 ! 2785: 13) Philip Zimmermann, "The Official PGP User's Guide", MIT Press, ! 2786: 1994 (in press) ! 2787: 14) Philip Zimmermann, "PGP Source Code and Internals", MIT Press, ! 2788: 1994 (in press) ! 2789: ! 2790: ! 2791: ! 2792: To Contact the Author ! 2793: --------------------- ! 2794: ! 2795: Philip Zimmermann may be reached at: ! 2796: ! 2797: Boulder Software Engineering ! 2798: 3021 Eleventh Street ! 2799: Boulder, Colorado 80304 USA ! 2800: Internet: [email protected] ! 2801: Phone (303) 541-0140 (voice) (10:00am - 7:00pm Mountain Time) ! 2802: Fax available, if you arrange it via voice line. ! 2803: ! 2804: ! 2805: Appendix A: Where to Get PGP ! 2806: ============================= ! 2807: ! 2808: The following describes how to get the freeware public key ! 2809: cryptographic software PGP (Pretty Good Privacy) from an anonymous ! 2810: FTP site on Internet, or from other sources. ! 2811: ! 2812: PGP has become a worldwide de facto standard for E-mail encryption. ! 2813: PGP has sophisticated key management, an RSA/conventional hybrid ! 2814: encryption scheme, message digests for digital signatures, data ! 2815: compression before encryption, and good ergonomic design. PGP is ! 2816: well featured and fast, and has excellent user documentation. Source ! 2817: code is free. ! 2818: ! 2819: The Massachusetts Institute of Technology is the distributor of PGP ! 2820: version 2.6, for distribution in the USA only. It is available from ! 2821: "net-dist.mit.edu," a controlled FTP site that has restrictions and ! 2822: limitations, similar to those used by RSA Data Security, Inc., to comply ! 2823: with export control requirements. The software resides in the directory ! 2824: /pub/PGP. ! 2825: ! 2826: A reminder: Set mode to binary or image when doing an FTP transfer. ! 2827: And when doing a kermit download to your PC, specify 8-bit binary ! 2828: mode at both ends. ! 2829: ! 2830: There are two compressed archive files in the standard release, with ! 2831: the file name derived from the release version number. For PGP ! 2832: version 2.6.2, you must get pgp262.zip which contains the MSDOS ! 2833: binary executable and the PGP User's Guide, and you can optionally ! 2834: get pgp262s.zip which contains all the source code. These files can ! 2835: be decompressed with the MSDOS shareware archive decompression ! 2836: utility PKUNZIP.EXE, version 1.10 or later. For Unix users who lack ! 2837: an implementation of UNZIP, the source code can also be found in the ! 2838: compressed tar file pgp262s.tar.Z. ! 2839: ! 2840: If you don't have any local BBS phone numbers handy, here is a BBS ! 2841: you might try. The Catacombs BBS, operated by Mike Johnson in ! 2842: Longmont, Colorado, has PGP available for download by people in the US ! 2843: or Canada only. The BBS phone number is 303-772-1062. Mike ! 2844: Johnson's voice phone number is 303 772-1773, and his E-mail address ! 2845: is [email protected]. Mike also has PGP available on an Internet FTP site ! 2846: for users in the US or Canada only; the site name is csn.org, in ! 2847: directory /mpj/, and you must read the README.MPJ file to get it. ! 2848: ! 2849: To get a fully licensed version of PGP for use in the USA or Canada, ! 2850: contact ViaCrypt in Phoenix, Arizona. Their phone number is ! 2851: 602-944-0773. ViaCrypt has obtained all the necessary licenses from ! 2852: PKP, Ascom-Tech AG, and Philip Zimmermann to sell PGP for use in ! 2853: commercial or Government environments. ViaCrypt PGP is every bit as ! 2854: secure as the freeware PGP, and is entirely compatible in both ! 2855: directions with the freeware version of PGP. ViaCrypt PGP is the ! 2856: perfect way to get a fully licensed version of PGP into your ! 2857: corporate or Government environment. ! 2858: ! 2859: Here are a few people and their E-mail addresses or phone numbers you ! 2860: can contact in some countries to get information on local PGP ! 2861: availability for versions earlier than 2.5: ! 2862: ! 2863: Peter Gutmann Hugh Kennedy ! 2864: [email protected] [email protected] ! 2865: New Zealand Germany ! 2866: ! 2867: Branko Lankester Miguel Angel Gallardo ! 2868: [email protected] [email protected] ! 2869: +31 2159 42242 (341) 474 38 09 ! 2870: The Netherlands Spain ! 2871: ! 2872: Hugh Miller Colin Plumb ! 2873: [email protected] [email protected] ! 2874: (312) 508-2727 Toronto, Ontario, Canada ! 2875: USA ! 2876: ! 2877: Jean-loup Gailly ! 2878: [email protected] ! 2879: France ! 2880:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.