Very Common Questions and Problems
========

2. Very Common Questions and Problems

========

2.1. Why can't a person using version 2.2 read my version 2.3 message?

You might try adding "+pkcs_compat=0" to your command line as follows: "pgp -seat +pkcs_compat=0"

By default, versions 2.3 and later of PGP use a different header format that is not compatible with earlier versions of PGP. Inserting this option into the command will force PGP to use the older header format. You can also set this option in your config.txt file, but this is not recommended, as the newer versions of PGP cannot understand the old signature format.

========

2.2. Why can't a person using version 2.x read my version 2.6 message?

You are probably using MIT PGP, or possibly some other version of PGP with the "legal_kludge" option turned off.

As part of the agreement made to settle PGP's patent problems, MIT PGP changed its format slightly to prevent PGP 2.4 and older versions from decrypting its messages. This format change was written into MIT PGP to happen on September 1, 1994. Thus, all messages encrypted with MIT PGP after that date are unreadable by 2.4 (and earlier).

The best route here is for your friend to upgrade to a newer version of PGP. Alternatively, if you are using a non-MIT version, look up the "legal_kludge" option in your documentation; you should be able to configure your copy of PGP to generate old-style messages.

========

2.3. Why does PGP complain about checking signatures every so often?

Version 2.3a introduced the "pkcs_compat" option, allowing the format of signatures to change slightly to make them more compatible with industry standards. (See question 2.1.)

MIT PGP, because it uses the RSAREF library, is unable to understand the old signature format, so it ignores the signature and warns you that it is doing so.

This problem comes up mostly with old key signatures. If your key contains such old signatures, try to get those people who signed your key to re-sign it.
If an old signature is still vitally important to check, get a non-MIT version of PGP to check it with, such as ViaCrypt's.

========

2.4. Why does it take so long to encrypt/decrypt messages?

This problem can arise when you have placed the entire public key ring from one of the servers into the pubring.pgp file. PGP may have to search through several thousand keys to find the one that it is after. The solution to this dilemma is to maintain 2 public key rings. The first ring, the normal pubring.pgp file, should contain only those individuals that you send messages to quite often. The second key ring can contain ALL of the keys for those occasions when the key you need isn't in your short ring. You will, of course, need to specify the key file name whenever encrypting messages using keys in your secondary key ring. Now, when encrypting or decrypting messages to individuals in your short key ring, the process will be a LOT faster.

========

2.5. How do I create a secondary key file?

First, let's assume that you have all of the mammoth public key ring in your default pubring.pgp file. First, you will need to extract all of your commonly used keys into separate key files using the -kx option. Next, rename pubring.pgp to some other name. For this example, I will use the name "pubring.big". Next, add each of the individual key files that you previously created to a new pubring.pgp using the -ka option.

To encrypt a message to someone in the short default file, use the command "pgp -e <file> <userid>". To encrypt a message to someone in the long ring, use the command "pgp -e +pubring=c:\pgp\pubring.big <file> <userid>". Note that you need to specify the complete path and file name for the secondary key ring. It will not be found if you only specify the file name.

========

2.6. How does PGP handle multiple addresses?

When encrypting a message to multiple addresses, you will notice that the length of the encrypted file only increases by a small amount for each additional address.
The reason that the message only grows by a small amount for each additional key is that the body of the message is only encrypted once using a random session key and IDEA. It is only necessary then to encrypt this session key once for each address and place it in the header of the message. Therefore, the total length of a message only increases by the size of a header segment for each additional address. (To avoid a known weakness in RSA when encrypting the same message to multiple recipients, the IDEA session key is padded with different random data each time it is RSA-encrypted.)

========

2.7. Where can I obtain scripts to integrate pgp with my email or news reading system?

There are many scripts and programs available for making PGP easier to use. See below, in Appendix I, for a list of such programs.

A set of scripts was distributed with PGP for doing this. Since these scripts were considered out of date, they have been removed from the MIT distribution.

========

2.8. How can I decrypt messages I've encrypted to others?

With conventional encryption, you can read the message by running PGP on the encrypted file and giving the pass phrase you used to encrypt.

With regular encryption, it's impossible unless you encrypted to yourself as well. Sorry!

There is an undocumented setting, EncryptToSelf, which you can set in your CONFIG.TXT or on the command line to "on" if you want PGP to always encrypt your messages to yourself. Be warned, though; if your key is compromised, this means that the "cracker" will be able to read all the messages you sent as well as the ones you've received.

========

2.9. Why can't I generate a key with PGP for Unix?

Most likely this happens because PGP can't create the public and private key ring files. If PGPPATH isn't defined, PGP will try to put those files in the subdirectory ".pgp" off your home directory. It will not create the directory if needed, so if the directory's not there already, PGP will crash after generating the key.
There are two solutions: set the PGPPATH environment variable to point to the location of your key rings, or run a "mkdir $HOME/.pgp" before generating your key.

========

2.10. When I clearsign a document in PGP, it adds a "dash-space" to several of my lines. What gives?

PGP does this because of the "-----BEGIN PGP MESSAGE-----" (and related) headers it uses to mark the beginning of PGP messages. To keep it from getting confused, it tacks a "- " to the beginning of every line in the regular text which has a dash at the start. It strips the extra dash and space when you check the message's signature, and writes the original text to the output.
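The dash-escaping rule from question 2.10, as an added example (not code from PGP or from this FAQ). The framing helper, the signature placeholder and the sample document are constructed for illustration; the reader is a simplified one that treats the first line starting with five dashes as the end of the text.

```python
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def dash_escape(text):
    """Signing side: prefix "- " to every line that starts with a dash."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))

def dash_unescape(text):
    """Checking side: strip exactly one leading "- " from each escaped line."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))

def frame(text, escape=True):
    """Lay the text out like a clearsigned message (signature is a placeholder)."""
    body = dash_escape(text) if escape else text
    return "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "", body,
                      SIG_BEGIN, "<signature placeholder>",
                      "-----END PGP SIGNATURE-----"])

def extract_text(framed):
    """Simplified reader: the text runs from the first blank line to the first
    line that looks like an armor header, and is then unescaped."""
    lines = framed.split("\n")
    start = lines.index("") + 1
    end = next(i for i in range(start, len(lines))
               if lines[i].startswith("-----"))
    return dash_unescape("\n".join(lines[start:end]))

# Constructed sample: the document itself contains a line that looks like
# the start of the signature block, plus ordinary dash-led lines.
DOC = "Shopping list:\n- eggs\n" + SIG_BEGIN + "\n--\nAlice"

if __name__ == "__main__":
    print(frame(DOC))
    print("with escaping   :", extract_text(frame(DOC)) == DOC)
    print("without escaping:", repr(extract_text(frame(DOC, escape=False))))
```

Without escaping, the reader stops at the look-alike header inside the document and the rest of the text is lost; with escaping, the round trip returns the original text unchanged.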
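The message layout described in question 2.6, as an added example (not code from PGP or from this FAQ): one body encrypted under a random session key, plus one RSA-encrypted copy of that key per recipient, each padded with fresh random bytes. Assumptions: the keys are constructed toy keys built from Mersenne primes, a SHA-256 keystream stands in for IDEA, and the padding layout is a PKCS #1 v1.5 style block chosen for illustration.

```python
import hashlib
import secrets

def toy_key(a, b, e=65537):
    """Constructed toy RSA key from two Mersenne primes; far too small for real use."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}

ALICE, BOB = toy_key(127, 107), toy_key(521, 89)   # hypothetical recipients

def stream_xor(key, data):
    """Stand-in for IDEA (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

def pad_session_key(session_key, k):
    """00 02 <non-zero random bytes> 00 <key>: fresh random fill on every call."""
    fill = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(session_key)))
    return b"\x00\x02" + fill + b"\x00" + session_key

def encrypt(message, recipients):
    """Return (headers, body): one RSA header per recipient, one shared body."""
    session_key = secrets.token_bytes(16)             # 128 bits, the IDEA key size
    headers = []
    for pub in recipients:
        m = int.from_bytes(pad_session_key(session_key, pub["k"]), "big")
        headers.append(pow(m, pub["e"], pub["n"]).to_bytes(pub["k"], "big"))
    return headers, stream_xor(session_key, message)  # body is encrypted once

def unpad_header(header, key):
    """RSA-decrypt one header and return the padded block it carried."""
    m = pow(int.from_bytes(header, "big"), key["d"], key["n"])
    return m.to_bytes(key["k"], "big")

def decrypt(header, body, key):
    block = unpad_header(header, key)
    session_key = block[block.index(b"\x00", 2) + 1:]  # skip 00 02 and the fill
    return stream_xor(session_key, body)

if __name__ == "__main__":
    msg = b"Meet at noon. " * 40                       # constructed sample message
    for group in ([ALICE], [ALICE, BOB], [ALICE, BOB, ALICE]):
        headers, body = encrypt(msg, group)
        print(len(group), "recipients:", sum(map(len, headers)), "header bytes,",
              len(body), "body bytes")
```

The body length stays fixed while each extra recipient adds only one header the size of that recipient's modulus, and two headers made for the same key carry the same session key inside different padded blocks.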