Version 1.4
PGP can also be used to apply a digital signature to a message without encrypting it. This is normally used in public postings where you don't want to hide what you are saying, but rather want to allow others to confirm that the message actually came from you. Once a digital signature is created, it is impossible for anyone to modify either the message or the signature without the modification being detected by PGP.
While PGP is easy to use, it does give you enough rope so that you can
hang yourself. You should become thoroughly familiar with the various
options in PGP before using it to send serious messages. For example,
giving the command pgp -sat <filename>
will only sign a message, it
will not encrypt it. Even though the output looks like it is
encrypted, it really isn't. Anybody in the world would be able to
recover the original text.
Xenon <an48138@anon.penet.fi> puts it like this:
Crime? If you are not a politician, research scientist, investor, CEO, lawyer, celebrity, libertarian in a repressive society, investor, or person having too much fun, and you do not send e-mail about your private sex life, financial/political/legal/scientific plans, or gossip then maybe you don't need PGP, but at least realize that privacy has nothing to do with crime and is in fact what keeps the world from falling apart. Besides, PGP is FUN. You never had a secret decoder ring? Boo!-Xenon (Copyright 1993, Xenon)
It should be noted, however, that in the United States, some freeware versions of PGP *may* be a violation of a patent held by Public Key Partners (PKP). The MIT and PGP, Inc. versions specifically are not in violation; if you use anything else, it's your risk. See below (question 1.6) for more information on the patent situation.
Also, the free versions of PGP are free only for noncommercial use. If you need to use PGP in a commercial setting (and you live in the United States or Canada), you should buy a copy of PGP from PGP, Inc. This version of PGP has other advantages as well, most notably a limited license to export it to foreign branch offices. See below, under question 1.9, for information on how to contact them.
If you need to use PGP for commercial use outside the United States or Canada, you should contact Ascom Systec AG, the patent holders for IDEA. They have sold individual licenses for using the IDEA encryption in PGP. Contact:
Erhard Widmer
Tel ++41 64 56 59 83
Fax ++41 64 56 59 90
The legal status of encryption in many countries has been placed on the World Wide Web.
First, there is a question as to whether or not PGP falls under ITAR regulations which govern the exporting of cryptographic technology from the United States. This despite the fact that technical articles on the subject of public key encryption have been available legally worldwide for a number of years. Any competent programmer would have been able to translate those articles into a workable encryption program. A lawsuit has been filed by the EFF challenging the ITAR regulations; thus, they may be relaxed to allow encryption technology to be exported.
The situation in Canada is somewhat special; although ITAR does not apply here, Canada honors the US export restrictions, which makes it illegal to export PGP from Canada if it were imported there from the USA.
Second, older versions of PGP (up to 2.3a) were thought to be violating the patent on the RSA encryption algorithm held by Public Key Partners (PKP), a patent that is only valid in the United States. This was never tested in court, however, and recent versions of PGP have been made with various agreements and licenses in force which effectively settle the patent issue. So-called "international" versions and older versions (previous to ViaCrypt PGP 2.4), however, are still considered in violation by PKP; if you're in the USA, use them at your own risk!
All versions of PGP after 2.3 produce messages that cannot be read
by 2.3 or earlier, although the "international" versions have a switch
to enable the creation of messages in a compatible format. This is
the legal_kludge=on
option in the configuration file.
MIT has released the freeware version of PGP 5.0 for Windows '95 and the Macintosh. This version has some limitations over the previous "official" freeware version 2.6.2 (for example, no conventional encryption and no wiping option). The source for PGP 5.0 is only available in book form. An international effort is underway to scan in this source to produce the electronic form. US export regulations forbid the export of PGP source in electronic form, but not of export in book form.
Note: there now is a beta version of PGP 5.0 for Linux available at http://www.pgp.com/products/50-linux-beta.cgi. Thanks to Lou Rinaldi for pointing this out.
PGP, Inc sells two versions of PGP: PGPmail 4.5 for business use (formerly Viacrypt PGP Business Edition) and PGP 5.0 for personal use. See question 1.9 for more details on these versions.
PGP 2.6.3i ("international") is a version of PGP developed from the source code of MIT PGP, which was exported illegally from the United States at some point. Basically, it is MIT PGP 2.6.2, but it uses the old encryption routines from PGP 2.3a; these routines perform better than RSAREF and in addition do not have the usage restrictions in the RSAREF copyright license. It also contains some fixes for bugs discovered since the release of MIT PGP 2.6.2, as well as several small enhancements. For more information, see the International PGP homepage
PGP 2.6ui ("unofficial international") is PGP 2.3a with minor modifications made so it can decrypt files encrypted with MIT PGP. It does not contain any of the MIT fixes and improvements; it does, however, have other improvements, most notably in the Macintosh version.
The 2.6.3(i)n version was developed to fullfill the policy of the Individual Network e.V. Certification Hierarchy. It supports the features described in the pgformat.doc:
It fixed announing bugs of PGP:
Furthermore it adds:
Of course, you can try using Dejanews or Alta Vista if you are looking for articles about specific topics.
The PGP 5.0 FAQ discusses this version in more detail.
PGPmail 4.5 is the successor of Viacrypt PGP Business Edition. In addition to the features found in normal versions of PGP, it also has a "Corporate Message Recovery" feature, which enables a site admin to recover messages encrypted by employees using PGPmail 4.5 in case their secret key is lost. It also has the Enclyptor, which adds a toolbar for email programs and word processors. For more information, see http://www.pgp.com/products/PGPmail-faq.cgi.
(Note: the Corporate Message Recovery feature is not a backdoor in PGP in the traditional sense. The freeware versions of PGP do not have this feature, and PGPmail 4.5's encryption has not been weakened in any way. Its only function is a backup so that the company can recover company data if the employee who encrypted it has left or has lost his secret key.)
There is a PGP library that can be used in programs:
ftp://dslab1.cs.uit.no/pub/PGPlib.tar.gz.
Alternatively, you can write your programs to call the PGP program
when necessary. In C, for example, you would use the system()
or spawn...()
functions to do this.
There are several people working on DLL versions (most often for Windows 3.1 or NT) of PGP, but I have no information on the status of these versions. PGP Inc. (formerly Viacrypt, see question 1.9) sells an MS Windows DLL which can be used for this purpose.
If you don't see your favorite platform above, don't despair! It's likely that porting PGP to your platform won't be too terribly difficult, considering all the platforms it has been ported to. Just ask around to see if there might in fact be a port to your system, and if not, try it!
PGP's VMS port, by the way, has its own Web page.
However, I will describe below the ways to get the differing versions of PGP from their source sites. Please refer to the above document for more information.
Telnet to net-dist.mit.edu and log in as "getpgp". You will then be given a short statement about the regulations concerning the export of cryptographic software, and be given a series of yes/no questions to answer. If you answer correctly to the questions (they consist mostly of agreements to the RSADSI and MIT licenses and questions about whether you intend to export PGP), you will be given a special directory name in which to find the PGP code. At that point, you can FTP to net-dist.mit.edu, change to that directory, and access the software. You may be denied access to the directories even if you answer the questions correctly if the MIT site cannot verify that your site does in fact reside in the USA.
Further directions, copies of the MIT and RSAREF licenses, notes, and the full documentation are freely available from:
ftp://net-dist.mit.edu/pub/PGP/
An easier method of getting to the PGP software is now available on the World Wide Web at the following location:
http://bs.mit.edu:8001/pgp-form.html
You may also get it via mail by sending a message to
hypnotech-request@ifi.uio.no with your request in the subject:
GET pgp262i[s].[zip | tar.gz]
Specify the "s" if you want the source code. Putting ".zip" at the end gets you the files in the PKZIP/Info-ZIP archive format, while putting "tar.gz" at the end gets the files in a gzipped tar file.
A US-compiled version of 2.6.3i (which means it does not use the MPILIB RSA library that violates a patent in the USA) can be downloaded from http://www.isc.rit.edu/~pdw5973/crypto/pgpdown.html.
A note on ftpmail:
For those individuals who do not have access to FTP, but do have access to e-mail, you can get FTP files mailed to you. For information on this service, send a message saying "Help" to ftpmail@ftpmail.ramona.vix.com. You will be sent an instruction sheet on how to use the ftpmail service.
[ Next | Table of Contents | About this FAQ | Glossary ]