PGP Frequently Asked Questions with Answers
Introductory Questions
- 1.1. What is PGP?
- 1.2. Why should I encrypt my mail? I'm not doing anything illegal!
- 1.3. What are public keys and private keys?
- 1.4. How much does PGP cost?
- 1.5. Is encryption legal?
- 1.6. Is PGP legal?
- 1.7. What's the current version of PGP?
- 1.8. Is there an archive site for alt.security.pgp?
- 1.9. Is there a commercial version of PGP available?
- 1.10. Is PGP available as a programming library, so I can write
programs that use it?
- 1.11. What platforms has PGP been ported to?
- 1.12. Where can I obtain PGP?
- 1.13. I want to find out more!
========
1. Introductory Questions
========
1.1. What is PGP?
PGP is a program that gives your electronic mail something that it
otherwise doesn't have: Privacy. It does this by encrypting your mail
so that nobody but the intended person can read it. When encrypted,
the message looks like a meaningless jumble of random characters. PGP
has proven itself quite capable of resisting even the most
sophisticated forms of analysis aimed at reading the encrypted text.
PGP can also be used to apply a digital signature to a message without
encrypting it. This is normally used in public postings where you
don't want to hide what you are saying, but rather want to allow
others to confirm that the message actually came from you. Once a
digital signature is created, it is impossible for anyone to modify
either the message or the signature without the modification being
detected by PGP.
While PGP is easy to use, it does give you enough rope so that you can
hang yourself. You should become thoroughly familiar with the various
options in PGP before using it to send serious messages. For example,
giving the command "PGP -sat " will only sign a message, it
will not encrypt it. Even though the output looks like it is
encrypted, it really isn't. Anybody in the world would be able to
recover the original text.
========
1.2. Why should I encrypt my mail? I'm not doing anything illegal!
You should encrypt your e-mail for the same reason that you don't
write all of your correspondence on the back of a post card. E-mail is
actually far less secure than the postal system. With the post office,
you at least put your letter inside an envelope to hide it from casual
snooping. Take a look at the header area of any e-mail message that
you receive and you will see that it has passed through a number of
nodes on its way to you. Every one of these nodes presents the
opportunity for snooping. Encryption in no way should imply illegal
activity. It is simply intended to keep personal thoughts personal.
Xenon puts it like this:
Crime? If you are not a politician, research scientist, investor, CEO,
lawyer, celebrity, libertarian in a repressive society, investor, or
person having too much fun, and you do not send e-mail about your
private sex life, financial/political/legal/scientific plans, or
gossip then maybe you don't need PGP, but at least realize that
privacy has nothing to do with crime and is in fact what keeps the
world from falling apart. Besides, PGP is FUN. You never had a secret
decoder ring? Boo! -Xenon (Copyright 1993, Xenon)
========
1.3. What are public keys and private keys?
With conventional encryption schemes, keys must be exchanged with
everyone you wish to talk to by some other secure method such as face
to face meetings, or via a trusted courier. The problem is that you
need a secure channel before you can establish a secure channel! With
conventional encryption, either the same key is used for both
encryption and decryption or it is easy to convert either key to the
other. With public key encryption, the encryption and decryption keys
are different and it is impossible for anyone to convert one to the
other. Therefore, the encryption key can be made public knowledge, and
posted in a database somewhere. Anyone wanting to send you a message
would obtain your encryption key from this database or some other
source and encrypt his message to you. This message can't be decrypted
with the encryption key. Therefore nobody other than the intended
receiver can decrypt the message. Even the person who encrypted it can
not reverse the process. When you receive a message, you use your
secret decryption key to decrypt the message. This secret key never
leaves your computer. In fact, your secret key is itself encrypted to
protect it from anyone snooping around your computer.
========
1.4. How much does PGP cost?
Nothing! (Compare to ViaCrypt PGP at $98!)
It should be noted, however, that in the United States, some freeware
versions of PGP *MAY* be a violation of a patent held by Public Key
Partners (PKP). The MIT and ViaCrypt versions specifically are not in
violation; if you use anything else, it's your risk. See below
(question 1.6) for more information on the patent situation.
Also, the free versions of PGP are free only for noncommercial use.
If you need to use PGP in a commercial setting (and you live in the
United States or Canada), you should buy a copy of ViaCrypt PGP.
ViaCrypt PGP has other advantages as well, most notably a limited
license to export it to foreign branch offices. See below, under
question 1.10, for information on how to contact ViaCrypt.
If you need to use PGP for commercial use outside the United States or
Canada, you should contact Ascom Systec AG, the patent holders for IDEA.
They have sold individual licenses for using the IDEA encryption in
PGP. Contact:
Erhard Widmer
Ascom Systec AG
Dep't. CMVV
Gewerbepark
CH-5506 Maegenwil
Switzerland
IDEA@ascom.ch
++41 64 56 59 83 (Fax ++41 64 56 59 90)
========
1.5. Is encryption legal?
In much of the civilized world, encryption is either legal, or at
least tolerated. However, there are a some countries where such
activities could put you in front of a firing squad! Check with the
laws in your own country before using PGP or any other encryption
product. A couple of the countries where encryption is illegal are
France, Iran, and Iraq.
*** NEWS FLASH ***
On April 3, 1995, Boris Yeltsin issued a decree formally banning
encryption with methods not approved by the state. This would,
presumably, include PGP. Thus, Russia must be added to the short list
above.
*** END NEWS FLASH ***
The legal status of encryption in many countries has been placed on
the World Wide Web. You can access it from:
http://web.cnam.fr/Network/Crypto/
========
1.6. Is PGP legal?
In addition to the comments about encryption listed above, there are a
couple of additional issues of importance to those individuals
residing in the United States or Canada.
First, there is a question as to whether or not PGP falls under ITAR
regulations which govern the exporting of cryptographic technology
from the United States and Canada. This despite the fact that
technical articles on the subject of public key encryption have been
available legally worldwide for a number of years. Any competent
programmer would have been able to translate those articles into a
workable encryption program. A lawsuit has recently been filed by the
EFF challenging the ITAR regulations; thus, they may be relaxed to
allow encryption technology to be exported.
Second, older versions of PGP (up to 2.3a) were thought to be
violating the patent on the RSA encryption algorithm held by Public
Key Partners (PKP), a patent that is only valid in the United States.
This was never tested in court, however, and recent versions of PGP
have been made with various agreements and licenses in force which
effectively settle the patent issue. So-called "international"
versions and older versions (previous to ViaCrypt PGP 2.4), however,
are still considered in violation by PKP; if you're in the USA, use
them at your own risk!
========
1.7. What's the current version of PGP?
You would think that's an easy question to answer!
At the moment, there are four different "current" versions of PGP.
All of these are derived, more or less, from a common source base: PGP
2.3a, the last "guerillaware" version of PGP. Negotiations to make
PGP legal and "legitimate" have resulted in the differing versions
available; all of them, for the most part, are approximately
equivalent in functionality, and they can all work with each other in
most respects.
MIT PGP 2.6.2 is the current "official" freeware version. It has been
developed both with Phil Zimmermann's approval and active involvement.
It contains several bug fixes and enhancements over 2.3a, and it
avoids the patent question surrounding other versions of PGP by using
the RSAREF library for some of its functions. This library was
developed by RSA Data Security, Inc., and is (basically) free for
noncommercial use. As part of MIT's agreement with RSADSI, all
versions of MIT PGP generate encrypted messages that cannot be
decrypted with PGP 2.3a or previous versions.
ViaCrypt PGP 2.7.1 is the current "official" commercial version. It
is available from ViaCrypt, a company out of Arizona, and also has
Phil's approval and involvement. See below for details on this
version.
PGP 2.6.2i ("international") is a version of PGP developed from the
source code of MIT PGP, which was exported illegally from the United
States at some point. Basically, it is MIT PGP 2.6.2, but it uses the
old encryption routines from PGP 2.3a; these routines perform better
than RSAREF and in addition do not have the usage restrictions in the
RSAREF copyright license. It also contains some fixes for bugs
discovered since the release of MIT PGP 2.6.2.
PGP 2.6ui ("unofficial international") is PGP 2.3a with minor
modifications made so it can decrypt files encrypted with MIT PGP. It
does not contain any of the MIT fixes and improvements; it does,
however, have other improvements, most notably in the Macintosh
version.
========
1.8. Is there an archive site for alt.security.pgp?
laszlo@instrlab.kth.se (Laszlo Baranyi) says:
"My memory says that ripem.msu.edu stores a backlog of both
alt.security.pgp, and sci.crypt. But that site is ONLY open for ftp
for those that are inside US."
========
1.9. Is there a commercial version of PGP available?
Yes; by arrangement with the author of PGP, a company called ViaCrypt
is marketing a version of PGP that is almost identical to the freeware
version. Each can read or write messages which the other can
understand.
ViaCrypt reports:
- -----
If you are a commercial user of PGP in the USA or Canada, contact
Viacrypt in Phoenix, Arizona, USA. The commercial version of PGP
is fully licensed to use the patented RSA and IDEA encryption
algorithms in commercial applications, and may be used in
corporate and government environments in the USA and Canada. It
is fully compatible with, functionally the same as, and just as
strong as the freeware version of PGP. Due to limitations on
ViaCrypt's RSA distribution license, ViaCrypt only distributes
executable code and documentation for it, but they are working on
making PGP available for a variety of platforms. Call or write
to them for the latest information. The latest version number
for Viacrypt PGP is 2.7. [Note: Since this statement was issued,
ViaCrypt has updated ViaCrypt PGP to 2.7.1.]
Here is a brief summary of Viacrypt's currently-available
products:
1. ViaCrypt PGP for Windows (3.1). Prices start at $124.98
2. ViaCrypt PGP for Macintosh, 680x0 or PowerPC, System 6.04 or
later. Prices start at $124.98
3. ViaCrypt PGP for MS-DOS. Prices start at $99.98
4. ViaCrypt PGP for UNIX. Includes executables for the following
platforms:
SunOS 4.1.x (SPARC)
Solaris 2.3
IBM RS/6000 AIX
HP 9000 Series 700/800 UX
SCO 386/486 UNIX
SGI IRIX
AViiON DG-UX(88/OPEN)
Prices start at $149.98
Executables for the following additional platforms are
available upon request for an additional $30.00 charge.
BSD 386
Ultrix MIPS DECstation 4.x
DEC Alpha OSF/1
NeXTSTEP
5. ViaCrypt PGP for WinCIM/CSNav. A special package for users of
CompuServe. Prices start at $119.98
If you wish to place an order please call 800-536-2664 during the
hours of 8:30am to 5:00pm MST, Monday - Friday. We accept VISA,
MasterCard, AMEX and Discover credit cards.
If you have further questions, please feel free to contact me.
Best Regards,
Paul E. Uhlhorn
Director of Marketing, ViaCrypt Products
Mail: 9033 N. 24th Avenue
Suite 7
Phoenix, AZ 85021-2847
Phone: (602) 944-0773
Fax: (602) 943-2601
Internet: viacrypt@acm.org
Compuserve: 70304,41
- -----
They have also reported recently that they have gained a general
export license for exporting ViaCrypt PGP to foreign subsidiaries of
USA-based companies. Contact ViaCrypt for details.
========
1.10. Is PGP available as a programming library, so I can write
programs that use it?
Not yet. PGP 3.0, when it is released, is supposed to have support
for doing this. The PGP development team has even released a
preliminary API for the library; you can get it from:
ftp://ftp.netcom.com/pub/dd/ddt/crypto/crypto_info/950212_pgp3spec.txt
The development team has expressed that this is not a definitive spec;
some of it is already out of date. It's good for getting the general
idea, though. Send comments concerning the spec to pgp@lsd.com.
In the meantime, you can write your programs to call the PGP program
when necessary. In C, for example, you would likely use the system()
or spawn...() functions to do this.
========
1.11. What platforms has PGP been ported to?
PGP has been ported successfully to many different platforms,
including DOS, the Macintosh, OS/2, Unix (just about all flavors),
VMS, the Atari ST, Archimedes, and the Commodore Amiga. A Windows NT
port is reportably in the works as well.
If you don't see your favorite platform above, don't despair! It's
likely that porting PGP to your platform won't be too terribly
difficult, considering all the platforms it has been ported to. Just
ask around to see if there might in fact be a port to your system, and
if not, try it!
PGP's VMS port, by the way, has its own Web page:
http://www.tditx.com/~d_north/pgp.html
========
1.12. Where can I obtain PGP?
PGP is very widely available, so much so that a separate FAQ has been
written for answering this question. It is called, "WHERE TO GET THE
PRETTY GOOD PRIVACY PROGRAM (PGP)"; it is posted in alt.security.pgp
regularly, is in the various FAQ archive sites, and is also available
from:
ftp://ftp.csn.net/mpj/getpgp.asc
However, I will describe below the ways to get the differing versions
of PGP from their source sites. Please refer to the above document
for more information.
MIT PGP 2.6.2:
Due to the ITAR regulations (described above), MIT has found it
necessary to place PGP in an export-controlled directory to prevent
people outside the United States from downloading it. If you are in
the USA, you may follow these directions:
Telnet to net-dist.mit.edu and log in as "getpgp". You will then be
given a short statement about the regulations concerning the export of
cryptographic software, and be given a series of yes/no questions to
answer. If you answer correctly to the questions (they consist mostly
of agreements to the RSADSI and MIT licenses and questions about
whether you intend to export PGP), you will be given a special
directory name in which to find the PGP code. At that point, you can
FTP to net-dist.mit.edu, change to that directory, and access the
software. You may be denied access to the directories even if you
answer the questions correctly if the MIT site cannot verify that your
site does in fact reside in the USA.
Further directions, copies of the MIT and RSAREF licenses, notes, and
the full documentation are freely available from:
ftp://net-dist.mit.edu/pub/PGP/
An easier method of getting to the PGP software is now available on
the World Wide Web at the following location:
http://bs.mit.edu:8001/pgp-form.html
ViaCrypt PGP 2.7.1:
ViaCrypt PGP is not generally available for FTP; it is commercial
software. It is, furthermore, not available outside the United States
or Canada except under special circumstances. See above (question
1.9) for contact information.
PGP 2.6.2i:
As Norway is not limited by ITAR, no hoops are needed to get this
version:
http://www.ifi.uio.no/~staalesc/PGP/home.html
ftp://ftp.ox.ac.uk/pub/crypto/pgp/
You may also get it via mail by sending a message to
hypnotech-request@ifi.uio.no with your request in the subject:
GET pgp262i[s].[zip | tar.gz]
Specify the "s" if you want the source code. Putting ".zip" at the
end gets you the files in the PKZIP/Info-ZIP archive format, while
putting "tar.gz" at the end gets the files in a gzipped tar file.
PGP 2.6ui:
ftp://ftp.mantis.co.uk/pub/cryptography/
http://www.mantis.co.uk/pgp/pgp.html
This link is also an excellent resource for other information about PGP.
A note on ftpmail:
For those individuals who do not have access to FTP, but do have access
to e-mail, you can get FTP files mailed to you. For information on
this service, send a message saying "Help" to ftpmail@decwrl.dec.com.
You will be sent an instruction sheet on how to use the ftpmail
service.
========
1.13. I want to find out more!
If this FAQ doesn't answer your question, there are several places for
finding out information about PGP.
Web/Mosaic/Lynx:
Fran Litterio's Crypto Page (from the Virtual Library)
http://draco.centerline.com:8080/~franl/crypto.html
Using Microsoft Windows with PGP
http://www.lcs.com/winpgp.html
Derek Atkins' Official Bug List for MIT PGP
http://www.mit.edu:8001/people/warlord/pgp-faq.html
The Phil Zimmermann Legal Defense Fund Page
http://www.netresponse.com/zldf
The MCIP/Macintosh Cryptography Page
http://uts.cc.utexas.edu/~grgcombs/htmls/crypto.html
Jeff Licquia's Home Page
http://www.prairienet.org/~jalicqui
FTP Sites:
ftp://ripem.msu.edu/pub/crypt/
ftp://ftp.dsi.unimi.it/pub/security/crypt/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/
News Groups:
alt.anonymous Discussion of anonymity and anon remailers
alt.anonymous.messages For anonymous encrypted message transfer
alt.privacy.clipper Clipper, Capstone, Skipjack, Key Escrow
alt.security general security discussions
alt.security.index index to alt.security
alt.security.pgp discussion of PGP
alt.security.ripem discussion of RIPEM
alt.security.keydist key distribution via Usenet
alt.society.civil-liberty general civil liberties, including privacy
comp.compression discussion of compression algorithms
comp.org.eff.news News reports from EFF
comp.org.eff.talk discussion of EFF related issues
comp.patents discussion of S/W patents, including RSA
comp.risks some mention of crypto and wiretapping
comp.society.privacy general privacy issues
comp.security.announce announcements of security holes
misc.legal.computing software patents, copyrights, computer laws
sci.crypt methods of data encryption/decryption
sci.math general math discussion
talk.politics.crypto general talk on crypto politics