PGP Frequently Asked Questions with Answers

Security Questions


3.1. How secure is PGP?
3.2. Can't you break PGP by trying all of the possible keys?
3.3. How secure is the conventional cryptography (-c) option?
3.4. Can the NSA crack RSA?
3.5. Has RSA ever been cracked publicly? What is RSA-129?
3.6. How secure is the "for your eyes only" option (-m)?
3.7. What if I forget my pass phrase?
3.8. Why do you use the term "pass phrase" instead of "password"?
3.9. What is the best way to crack PGP?
3.10. If my secret key ring is stolen, can my messages be read?
3.11. How do I choose a pass phrase?
3.12. How do I remember my pass phrase?
3.13. How do I verify that my copy of PGP has not been tampered with?
3.14. I can't verify the signature on my new copy of MIT PGP with my old PGP 2.3a!
3.15. How do I know that there is no trap door in the program?
3.16. I heard that the NSA put a back door in MIT PGP, and that they only allowed it to be legal with the back door.
3.17. Can I put PGP on a multi-user system like a network or a mainframe?
3.18. Can I use PGP under a "swapping" operating system like Windows or OS/2?
3.19. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, & RSA?
3.20. Aren't all of these security procedures a little paranoid?
3.21. Can I be forced to reveal my pass phrase in any legal proceedings?

========

3. Security Questions


========

3.1. How secure is PGP?

The big unknown in any encryption scheme based on RSA is whether or
not there is an efficient way to factor huge numbers, or if there is
some backdoor algorithm that can break the code without solving the
factoring problem. Even if no such algorithm exists, it is still
believed that RSA is the weakest link in the PGP chain.


========

3.2. Can't you break PGP by trying all of the possible keys?

This is one of the first questions that people ask when they are first
introduced to cryptography. They do not understand the size of the
problem. For the IDEA encryption scheme, a 128 bit key is required.
Any one of the 2^128 possible combinations would be legal as a key,
and only that one key would successfully decrypt all message blocks.
Let's say that you had developed a special purpose chip that could try
a billion keys per second. This is FAR beyond anything that could
really be developed today. Let's also say that you could afford to
throw a billion such chips at the problem at the same time. It would
still require over 10,000,000,000,000 years to try all of the possible
128 bit keys. That is something like a thousand times the age of the
known universe! While the speed of computers continues to increase and
their cost decrease at a very rapid pace, it will probably never get
to the point that IDEA could be broken by the brute force attack.

The only type of attack that might succeed is one that tries to solve
the problem from a mathematical standpoint by analyzing the
transformations that take place between plain text blocks, and their
cipher text equivalents. IDEA is still a fairly new algorithm, and
work still needs to be done on it as it relates to complexity theory,
but so far, it appears that there is no algorithm much better suited
to solving an IDEA cipher than the brute force attack, which we have
already shown is unworkable. The nonlinear transformation that takes
place in IDEA puts it in a class of extremely difficult to solve
mathematical problems.


========

3.3. How secure is the conventional cryptography (-c) option?

Assuming that you are using a good strong random pass phrase, it is
actually much stronger than the normal mode of encryption because you
have removed RSA which is believed to be the weakest link in the
chain.  Of course, in this mode, you will need to exchange secret keys
ahead of time with each of the recipients using some other secure
method of communication, such as an in-person meeting or trusted
courier.


========

3.4. Can the NSA crack RSA?

This question has been asked many times. If the NSA were able to crack
RSA, you would probably never hear about it from them. The best
defense against this is the fact that the algorithm for RSA is known
worldwide. There are many competent mathematicians and cryptographers
outside the NSA and there is much research being done in the field
right now. If any of them were to discover a hole in RSA, I'm sure
that we would hear about it from them. I think that it would be hard
to hide such a discovery.  For this reason, when you read messages on
USENET saying that "someone told them" that the NSA is able to break
pgp, take it with a grain of salt and ask for some documentation on
exactly where the information is coming from.


========

3.5. Has RSA ever been cracked publicly?  What is RSA-129?

One RSA-encrypted message has been cracked publicly.

When the inventors of RSA first published the algorithm, they
encrypted a sample message with it and made it available along with
the public key used to encrypt the message.  They offered $100 to the
first person to provide the plaintext message.  This challenge is
often called "RSA-129" because the public key used was 129 digits,
which translates to approximately 430 bits.

Recently, an international team coordinated by Paul Leyland, Derek
Atkins, Arjen Lenstra, and Michael Graff successfully factored the
public key used to encrypt the RSA-129 message and recovered the
plaintext.  The message read:

  THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE

They headed a huge volunteer effort in which work was distributed via
E-mail, fax, and regular mail to workers on the Internet, who
processed their portion and sent the results back.  About 1600
machines took part, with computing power ranging from a fax machine to
Cray supercomputers.  They used the best known factoring algorithm of
the time; better methods have been discovered since then, but the
results are still instructive in the amount of work required to crack
an RSA-encrypted message.

The coordinators have estimated that the project took about eight
months of real time and used approximately 5000 MIPS-years of
computing time.  (A MIPS-year is approximately the amount of computing
done by a 1 MIPS [million instructions per second] computer in one
year.)

What does all this have to do with PGP?  The RSA-129 key is
approximately equal in security to a 426-bit PGP key.  This has been
shown to be easily crackable by this project.  PGP used to recommend
384-bit keys as "casual grade" security; recent versions offer 512
bits as a recommended minimum security level.

Note that this effort cracked only a single RSA key.  Nothing was
discovered during the course of the experiment to cause any other keys
to become less secure than they had been.

For more information on the RSA-129 project, see:

  ftp://ftp.ox.ac.uk/pub/math/rsa129/rsa129.ps.gz
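The mechanics behind the RSA-129 result, as an added Python example that is not code from the FAQ or from the RSA-129 team: once the public modulus is factored, the private exponent follows from the public key alone and every message encrypted to that key falls out. The key here is a constructed toy (two primes of 31 and 32 bits, chosen so that Pollard's rho splits the modulus in under a second) and the chunked textbook RSA with a marker byte is a simplification for the demonstration; it is not how PGP formats messages, and the RSA-129 team used a far heavier factoring method (the quadratic sieve) on a 429-bit modulus.

```python
import math
import random
from typing import List

# Toy key, constructed for this example. Both primes are far too small for any
# real use; real PGP moduli are hundreds of digits long, which is why RSA-129
# took ~1600 machines and eight months rather than a fraction of a second.
P = 4294967291          # 2**32 - 5, prime
Q = 2147483647          # 2**31 - 1, prime
N = P * Q               # ~63-bit public modulus
E = 65537               # public exponent
CHUNK = 6               # message bytes per RSA block: 1 marker byte + 6 < 2**56 < N

MESSAGE = b"THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE"   # the RSA-129 plaintext


def encrypt_message(msg: bytes, e: int, n: int) -> List[int]:
    """Textbook RSA on fixed-size chunks (no padding: a toy, not PGP's format)."""
    blocks = []
    for i in range(0, len(msg), CHUNK):
        block = b"\x01" + msg[i:i + CHUNK]         # marker byte preserves chunk length
        blocks.append(pow(int.from_bytes(block, "big"), e, n))
    return blocks


def pollard_rho(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of the composite n (Floyd cycle-finding variant)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)                      # fixed seed keeps the run reproducible
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n                    # tortoise: one step
            y = (y * y + c) % n                    # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                                 # d == n means this c failed; retry
            return d


def private_exponent_from_factors(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); this is all the 'secret' there is once n is factored."""
    return pow(e, -1, (p - 1) * (q - 1))


def factor_and_decrypt(ciphertext: List[int], e: int, n: int) -> bytes:
    """Recover the plaintext from the public key (e, n) alone by factoring n."""
    p = pollard_rho(n)
    q = n // p
    d = private_exponent_from_factors(p, q, e)
    plain = b""
    for c in ciphertext:
        m = pow(c, d, n)
        block = m.to_bytes((m.bit_length() + 7) // 8, "big")
        plain += block[1:]                          # drop the marker byte
    return plain


if __name__ == "__main__":
    ct = encrypt_message(MESSAGE, E, N)
    print("modulus bits:", N.bit_length())
    print("recovered:", factor_and_decrypt(ct, E, N).decode())
```

The point the FAQ makes in the last paragraph shows up directly in the code: `factor_and_decrypt` learns nothing that helps against a different modulus, and the work it does scales with the size of the smaller prime factor, so the only defence that matters is a modulus large enough that no factoring method finishes in a useful time.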


========

3.6. How secure is the "for your eyes only" option (-m)?

It is not secure at all. There are many ways to defeat it. Probably
the easiest way is to simply redirect your screen output to a file as
follows:

    pgp [filename] > [diskfile]

The -m option was not intended as a fail-safe option to prevent plain
text files from being generated, but to serve simply as a warning to
the person decrypting the file that he probably shouldn't keep a copy
of the plain text on his system.


========

3.7. What if I forget my pass phrase?

In a word: DON'T. If you forget your pass phrase, there is absolutely
no way to recover any encrypted files. I use the following technique:
I have a backup copy of my secret key ring on floppy, along with a
sealed envelope containing the pass phrase. I keep these two items in
separate safe locations, neither of which is my home or office. The
pass phrase used on this backup copy is different from the one that I
normally use on my computer. That way, even if someone stumbles onto the
hidden pass phrase and can figure out who it belongs to, it still
doesn't do them any good, because it is not the one required to unlock
the key on my computer.


========

3.8. Why do you use the term "pass phrase" instead of "password"?

This is because most people, when asked to choose a password, select
some simple common word. This can be cracked by a program that uses a
dictionary to try out passwords on a system. Since most people really
don't want to select a truly random password, where the letters and
digits are mixed in a nonsense pattern, the term pass phrase is used
to urge people to at least use several unrelated words in sequence as
the pass phrase.


========

3.9. What is the best way to crack PGP?

Currently, the best attack possible on PGP is a dictionary attack on
the pass phrase.  This is an attack where a program picks words out of
a dictionary and strings them together in different ways in an attempt
to guess your pass phrase.

This is why picking a strong pass phrase is so important.  Many of
these cracker programs are very sophisticated and can take advantage
of language idioms, popular phrases, and rules of grammar in building
their guesses.  Single-word "phrases", proper names (especially famous
ones), or famous quotes are almost always crackable by a program with
any "smarts" in it at all.


========

3.10. If my secret key ring is stolen, can my messages be read?

No, not unless they have also stolen your secret pass phrase, or if
your pass phrase is susceptible to a brute-force attack. Neither part
is useful without the other. You should, however, revoke that key and
generate a fresh key pair using a different pass phrase. Before
revoking your old key, you might want to add another user ID that
states what your new key id is so that others can know of your new
address.


========

3.11. How do I choose a pass phrase?

All of the security that is available in PGP can be made absolutely
useless if you don't choose a good pass phrase to encrypt your secret
key ring. Too many people use their birthday, their telephone number,
the name of a loved one, or some easy to guess common word.  While
there are a number of suggestions for generating good pass phrases,
the ultimate in security is obtained when the characters of the pass
phrase are chosen completely at random. It may be a little harder to
remember, but the added security is worth it. As an absolute minimum
pass phrase, I would suggest a random combination of at least 8
letters and digits, with 12 being a better choice. With a 12 character
pass phrase made up of the lower case letters a-z plus the digits 0-9,
you have about 62 bits of key, which is 6 bits better than the 56 bit
DES keys. If you wish, you can mix upper and lower case letters in
your pass phrase to cut down the number of characters that are
required to achieve the same level of security. I don't do this myself
because I hate having to manipulate the shift key while entering a
pass phrase.

A pass phrase which is composed of ordinary words without punctuation
or special characters is susceptible to a dictionary attack.
Transposing characters or mis-spelling words makes your pass phrase
less vulnerable, but a professional dictionary attack will cater for
this sort of thing.

A good treatise on the subject is available which discusses the use of
"shocking nonsense" in pass phrases.  It is written by Grady Ward, and
can be found on Fran Litterio's crypto page:

  http://draco.centerline.com:8080/~franl/pgp/pgp-passphrase-faq.html
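The arithmetic behind 3.2 (exhausting a 128-bit IDEA key space) and 3.11 (the bits of entropy in a 12-character pass phrase, and why a phrase of ordinary words is only as strong as the word list it came from) as an added Python example, not code from the FAQ. The brute-force rate is the FAQ's own thought experiment (a billion chips, each trying a billion keys per second); the 50,000-word dictionary size used for the word-based phrases is an assumption of this example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The FAQ's hypothetical brute-force rig (3.2): a billion chips, each trying a
# billion keys per second. Both figures are the FAQ's thought experiment.
FAQ_CHIPS = 1e9
FAQ_KEYS_PER_CHIP_PER_SECOND = 1e9
FAQ_RIG_RATE = FAQ_CHIPS * FAQ_KEYS_PER_CHIP_PER_SECOND

# Assumed size of the word list a dictionary attack would use (not from the FAQ).
ASSUMED_DICTIONARY_WORDS = 50_000


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def random_words_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of `num_words` words drawn uniformly from a dictionary the attacker
    also has. This is the space a dictionary attack (3.9) must cover; for a single
    word or a famous quote it collapses to almost nothing."""
    return num_words * math.log2(dictionary_size)


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Fewest random characters from the alphabet that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def brute_force_years(bits: float, keys_per_second: float) -> float:
    """Years to try every key of a `bits`-bit space at a constant rate
    (full search; on average an attacker needs about half of this)."""
    return 2 ** bits / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"128-bit IDEA key on the FAQ's rig: {brute_force_years(128, FAQ_RIG_RATE):.2e} years")
    print(f"56-bit DES key on the same rig:    {brute_force_years(56, FAQ_RIG_RATE):.2e} years")
    for length, alphabet in [(8, 36), (12, 36), (12, 62)]:
        bits = random_chars_bits(length, alphabet)
        print(f"{length:2d} random chars from a {alphabet}-symbol alphabet: {bits:5.1f} bits")
    print("chars of [a-zA-Z0-9] needed to match 12 of [a-z0-9]:",
          chars_needed(random_chars_bits(12, 36), 62))
    for words in (3, 4, 5):
        bits = random_words_bits(words, ASSUMED_DICTIONARY_WORDS)
        print(f"{words} random dictionary words: {bits:5.1f} bits")
```

The run reproduces the FAQ's figures: 12 characters of [a-z0-9] give about 62 bits, and a 128-bit key at the FAQ's rate needs on the order of 10^13 years. It also shows why the "several unrelated words" advice in 3.8 only works when the words are genuinely random: four words picked at random from a 50,000-word list are roughly as strong as those 12 random characters, while a quotation or a grammatical sentence is a tiny fraction of that space.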


========

3.12. How do I remember my pass phrase?

This can be quite a problem especially if you are like me and have
about a dozen different pass phrases that are required in your
everyday life. Writing them down someplace so that you can remember
them would defeat the whole purpose of pass phrases in the first
place. There is really no good way around this. Either remember it, or
write it down someplace and risk having it compromised.


========

3.13. How do I verify that my copy of PGP has not been tampered with?

If you do not presently own any copy of PGP, use great care on where
you obtain your first copy. What I would suggest is that you get two
or more copies from different sources that you feel that you can
trust. Compare the copies to see if they are absolutely identical.
This won't eliminate the possibility of having a bad copy, but it will
greatly reduce the chances.

If you already own a trusted version of PGP, it is easy to check the
validity of any future version.  Newer binary versions of MIT PGP are
distributed in popular archive formats; the archive file you receive
will contain only another archive file, a file with the same name as
the archive file with the extension .ASC, and a "setup.doc" file.  The
.ASC file is a stand-alone signature file for the inner archive file
that was created by the developer in charge of that particular PGP
distribution.  Since nobody except the developer has access to his/her
secret key, nobody can tamper with the archive file without it being
detected.  Of course, the inner archive file contains the newer PGP
distribution.

A quick note: If you upgrade to MIT PGP from an older copy (2.3a or
before), you may have problems verifying the signature.  See question
3.14, below, for a more detailed treatment of this problem.

To check the signature, you must use your old version of PGP to check
the archive file containing the new version.  If your old version of
PGP is in a directory called C:\PGP and your new archive file and
signature is in C:\NEW (and you have retrieved MIT PGP 2.6.2), you may
execute the following command:

    C:\PGP\PGP C:\NEW\PGP262I.ASC C:\NEW\PGP262I.ZIP

If you retrieve the source distribution of MIT PGP, you will find two
more files in your distribution: an archive file for the RSAREF
library and a signature file for RSAREF.  You can verify the RSAREF
library in the same way as you verify the main PGP source archive.

Non-MIT versions typically include a signature file for the PGP.EXE
program file only.  This file will usually be called PGPSIG.ASC.  You
can check the integrity of the program itself this way by running your
older version of PGP on the new version's signature file and program
file.

Phil Zimmermann himself signed all versions of PGP up to 2.3a.  Since
then, the primary developers for each of the different versions of PGP
have signed their distributions.  As of this writing, the developers
whose signatures appear on the distributions are:

MIT PGP 2.6.2                Jeff Schiller
ViaCrypt PGP 2.7.1           ViaCrypt
PGP 2.6.2i                   Stale Schumacher
PGP 2.6ui                    mathew
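The first paragraph's advice for a first copy (fetch it from several independent sources and check that the copies are byte-for-byte identical) as an added Python example, not part of the FAQ. The mirror names and file contents are constructed; the function groups copies by SHA-256 digest and reports which sources disagree with the largest group.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_copies(copies: Dict[str, bytes]) -> dict:
    """Group fetched copies by digest.

    Returns a dict with:
      agree    - True if every source delivered byte-identical content
      majority - sources in the largest group of identical copies, or None on a tie
      outliers - sources whose content differs from the majority group
      digests  - digest -> list of sources that served it
    As the FAQ says, agreement only lowers the odds of a bad copy; several mirrors
    can carry the same tampered file, so a signature check is still the real test.
    """
    if not copies:
        raise ValueError("no copies to compare")
    groups: Dict[str, List[str]] = defaultdict(list)
    for source, data in copies.items():
        groups[sha256_hex(data)].append(source)
    ranked = sorted(groups.values(), key=len, reverse=True)   # biggest group first
    agree = len(ranked) == 1
    tie = len(ranked) > 1 and len(ranked[0]) == len(ranked[1])
    majority: Optional[List[str]] = None if tie else ranked[0]
    outliers = [] if tie else [s for grp in ranked[1:] for s in grp]
    return {"agree": agree, "majority": majority, "outliers": outliers,
            "digests": dict(groups)}


if __name__ == "__main__":
    # Constructed sample: three "mirrors", one of which serves a modified archive.
    genuine = b"PK\x03\x04 pretend-archive-bytes"
    copies = {
        "mirror-a.example": genuine,
        "mirror-b.example": genuine,
        "mirror-c.example": genuine + b"\x00",    # one byte appended
    }
    result = compare_copies(copies)
    print("all identical:", result["agree"])
    print("majority:", result["majority"])
    print("disagreeing sources:", result["outliers"])
    for digest, sources in result["digests"].items():
        print(digest[:16], sources)
```

Two sources that disagree tell you only that at least one is bad, which is why the function reports a tie rather than picking a side; with three or more sources the odd one out is the copy to discard, and the digests printed at the end are what you would compare against a third party's published value.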


========

3.14. I can't verify the signature on my new copy of MIT PGP with my
old PGP 2.3a!

The reason for this, of course, is that the signatures generated by
MIT PGP (which is what Jeff Schiller uses to sign his copy) are no
longer readable with PGP 2.3a.

You may, first of all, not verify the signature and follow other
methods for making sure you aren't getting a bad copy.  This isn't as
secure, though; if you're not careful, you could get passed a bad copy
of PGP.

If you're intent on checking the signature, you may do an intermediate
upgrade to MIT PGP 2.6.  This older version was signed before the
"time bomb" took effect, so its signature is readable by the older
versions of PGP.  Once you have validated the signature on the
intermediate version, you can then use that version to check the
current version.

As another alternative, you may upgrade to PGP 2.6.2i or 2.6ui,
checking their signatures with 2.3a, and use them to check the
signature on the newer version.  People living in the USA who do this
may be violating the RSA patent in doing so; then again, you may have
been violating it anyway by using 2.3a, so you're not in much worse
shape.


========

3.15. How do I know that there is no trap door in the program?

The fact that the entire source code for the free versions of PGP is
available makes it just about impossible for there to be some hidden
trap door. The source code has been examined by countless individuals
and no such trap door has been found. To make sure that your
executable file actually represents the given source code, all you
need to do is to re-compile the entire program.


========

3.16. I heard that the NSA put a back door in MIT PGP, and that they
only allowed it to be legal with the back door.

First of all, the NSA had nothing to do with PGP becoming "legal".
The legality problems solved by MIT PGP had to do with the alleged
patent on the RSA algorithm used in PGP.

Second, all the freeware versions of PGP are released with full source
code to both PGP and to the RSAREF library they use (just as every
other freeware version before them was).  Thus, they are subject to the
same peer review mentioned in the question above.  If there were an
intentional hole, it would probably be spotted.  If you're really
paranoid, you can read the code yourself and look for holes!


========

3.17. Can I put PGP on a multi-user system like a network or a
mainframe?

Yes.  PGP will compile for several high-end operating systems such as
Unix and VMS.  Other versions may easily be used on machines connected
to a network.

You should be very careful, however.  Your pass phrase may be passed
over the network in the clear where it could be intercepted by network
monitoring equipment, or the operator on a multi-user machine may
install "keyboard sniffers" to record your pass phrase as you type it
in. Also, while it is being used by PGP on the host system, it could
be caught by some Trojan Horse program.  Also, even though your secret
key ring is encrypted, it would not be good practice to leave it lying
around for anyone else to look at.

So why distribute PGP with directions for making it on Unix and VMS
machines at all?  The simple answer is that not all Unix and VMS
machines are network servers or "mainframes."  If you use your machine
only from the console (or if you use some network encryption package
such as Kerberos), you are the only user, you take reasonable system
security measures to prevent unauthorized access, and you are aware of
the risks above, you can securely use PGP on one of these systems.  As
an example of this, my own home computer runs Linux, a Unix clone.  As
I (and my wife) are the only users of the computer, I feel that the
risks of crackers invading my system and stealing my pass phrase are
minimal.

You can still use PGP on multi-user systems or networks without a
secret key for checking signatures and encrypting.  As long as you
don't process a private key or type a pass phrase on the multiuser
system, you can use PGP securely there.


========

3.18. Can I use PGP under a "swapping" operating system like Windows
or OS/2?

Yes.  PGP for DOS runs OK in most "DOS windows" for these systems, and
PGP can be built natively for many of them as well.

The problem with using PGP on a system that swaps is that the system
will often swap PGP out to disk while it is processing your pass
phrase.  If this happens at the right time, your pass phrase could end
up in cleartext in your swap file.  How easy it is to swap "at the
right time" depends on the operating system; Windows reportedly swaps
the pass phrase to disk quite regularly, though it is also one of the
most inefficient systems.  PGP does make every attempt to not keep the
pass phrase in memory by "wiping" memory used to hold the pass phrase
before freeing it, but this solution isn't perfect.

If you have reason to be concerned about this, you might consider
getting a swapfile wiping utility to securely erase any trace of the
pass phrase once you are done with the system.  Several such utilities
exist for Windows and Linux at least.


========

3.19. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, &
RSA?

Two reasons: First, the IDEA encryption algorithm used in PGP is
actually MUCH stronger than RSA given the same key length.  Even with
a 1024 bit RSA key, it is believed that IDEA encryption is still
stronger, and, since a chain is no stronger than its weakest link, it
is believed that RSA is actually the weakest part of the RSA - IDEA
approach. Second, RSA encryption is MUCH slower than IDEA. The only
purpose of RSA in most public key schemes is for the transfer of
session keys to be used in the conventional secret key algorithm, or
to encode signatures.


========

3.20. Aren't all of these security procedures a little paranoid?

That all depends on how much your privacy means to you! Even apart
from the government, there are many people out there who would just
love to read your private mail. And many of these individuals would be
willing to go to great lengths to compromise your mail. Look at the
amount of work that has been put into some of the virus programs that
have found their way into various computer systems. Even when it
doesn't involve money, some people are obsessed with breaking into
systems.

In addition, don't forget that private keys are useful for more than
decrypting.  Someone with your private key can also sign items that
could later prove to be difficult to deny.  Keeping your private key
secure can prevent, at the least, a bit of embarrassment, and at most
could prevent charges of fraud or breach of contract.

Besides, many of the above procedures are also effective against some
common indirect attacks.  As an example, the digital signature also
serves as an effective integrity check of the file signed; thus,
checking the signature on new copies of PGP ensures that your computer
will not get a virus through PGP (unless, of course, the PGP version
developer contracts a virus and infects PGP before signing).


========

3.21. Can I be forced to reveal my pass phrase in any legal
proceedings?

Gary Edstrom reported the following in earlier versions of this FAQ:

-----
The following information applies only to citizens of the United
States in U.S. Courts.  The laws in other countries may vary.  Please
see the disclaimer at the top of part 1.

There have been several threads on the Internet concerning the question of
whether or not the fifth amendment right about not being forced to
give testimony against yourself can be applied to the subject of being
forced to reveal your pass phrase.  Not wanting to settle for the many
conflicting opinions of armchair lawyers on usenet, I asked for input
from individuals who were more qualified in the area.  The results
were somewhat mixed.  There apparently has NOT been much case history
to set a precedent in this area.  So if you find yourself in this
situation, you should be prepared for a long and costly legal fight on
the matter.  Do you have the time and money for such a fight?  Also
remember that judges have great freedom in the use of "Contempt of
Court".  They might choose to lock you up until you decide to reveal
the pass phrase and it could take your lawyer some time to get you
out.  (If only you just had a poor memory!)