From: wcs@anchor.ho.att.com (Bill_Stewart(HOY002)1305)
To: cypherpunks@toad.com
Message Hash: 1750deb600c58e0ed24b0ce448f292b5e4f7b80dd667f6e0905241e1a445e528
Message ID: <9303040204.AA12596@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1993-03-04 02:04:54 UTC
Raw Date: Wed, 3 Mar 93 18:04:54 PST
From: wcs@anchor.ho.att.com (Bill_Stewart(HOY002)1305)
Date: Wed, 3 Mar 93 18:04:54 PST
To: cypherpunks@toad.com
Subject: PGP: informal faq for eknipp
Message-ID: <9303040204.AA12596@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text
Eknipp asked for an overview of PGP; my reply to him bounced, but it's of
enough possible general use that I'm inflicting it on the list.
It's rough and rambling, but believe it if you need it....,
and please send me any corrections if there are offensive errors.
The details of corporate relationships regarding PKP and RSA are especially
haphazard.
Thanks; Bill
--
"He wouldn't have wanted that _thing_ walking around with his name on it"
------
well, here's a rough overview and definitions, ignore the parts you know already.
You can get a proper faq by ftp from rsa.com, in the directory pub/faq.
Cryptography = writing stuff only authorized people can read. Real crypto
depends on algorithms that are secure as long as the Bad Guys
don't know the keys, even if they know everything else.
Most of the interesting stuff depends on mathematical
processes that take exponential amounts of time,
so a 56-bit key would take 2**56 attempts to guess -
you can't guess it a bit at a time in 56 steps.
Factoring large numbers is believed to take roughly expontential time.
M = plaintext message
Cyphertext C = E(k, M), E = encryption function, k = key.
Plaintext M = D(k, C)
ITAR - International Traffic In Armaments Regulations - the US has a bunch
of laws about exporting munitions, and crypto hardware and software
count as munitions - algorithms are OK, but our Benevolent Govt
KNOWS that foreigners aren't bright enough to turn algorithms into code.
Lots of flamewars discuss exactly the boundaries, and the laws are
contradictory about which bureaucrats are really in control,
but nobody's wanted to get thrown in jail for arms dealing badly
enough to force a court case ....
Appears to apply to importing crypto also, though that hasn't been
something anybody's made a big deal about.
Other countries besides the US may have major restrictions as well.
Alice and Bob - the people sending messages to each other.
Eve may be eavesdropping, and Charlie may be around also,
Secret-Key Cryptosystem, also called Symmetric-key or private-key -
the same key k is used for E and D, or at least a closely related
key that's easy to derive if you know the other one.
DES = Data Encryption Standard = IBM/NSA-designed secret-key system,
very widely used, keys 56 bits long which may be a bit short,
some people worry there may be an trapdoor put there by NSA,
but if I told you I'd have to kill you :-) Banks use it, for instance.
IDEA - a Swiss-written secret-key system, maybe more secure than DES,
newer anyway. Patented in Switz but not US, easy licensing.
Public-Key CryptoSystem - Encryption key ke and Decryption key kd are related,
but in a way that you can't determine kd knowing only ke.
ke is called the public key and kd the private key -
you can publish ke where everyone can see it and encrypt stuff
to mail to you, you can decrypt with private key kd.
(If you want to reply, you've got to get their public key.)
Public-key algorithms are pretty slow, so generally people
use create a random secret key, encrypt their message with a
secret-key algorithm like DES, and encrypt the secret key with
the recipient's public key; recipient decrypts the secret key
with his private key, then uses it to decrypt the message.
Digital Signatures - if you can do public-key crypto, then you can do the
reverse as well to sign a message - you *decrypt* the message
with your private key, and the recipient encrypts it with your
public key - if it restores the original message, she knows it's good
and knows that *you* sent it, because only you have your private key.
For speed, you normally make a "hash" checksum of the message,
and sign the hash instead of the whole thing.
Some public-key algorithms can only be used for encryption, some only
for signatures, some for both but you need different keys.
MD-4 and MD-5 - Message Digest hashing algorithms from (?) Rivest,
which are thought to be unforgeable, unlike the CRC checksums
used by many programs which are easily forged.
RSA - A public-key algorithm developed by Rivest, Shamir, and Adelman.
It's the only well-known public-key algorithm that does everything everybody
wants, including signatures and public-key, that's secure enough
that you can't crack it as long as you use reasonably long keys.
Unfortunately, it's patented in the US, by Public Key Partners,
a company R, S, A, and friends started that owns most of the interesting
patents related to public-key. On the other hand, to avoid having the
NSA classify their patent right when they applied (the NSA can do that),
they published the algorithm before applying, which means that
it's public-knowledge in most of the world and you can't patent it
there, even in places that do allow algorithm patents.
Their claims about what techniques their patents cover are *very* broad;
if you want to do anything public-key related in the US,
you've got to deal with them or carry a BIG lawyer, and so far
everybody's chosen to deal with them rather than risk a long expensive
difficult court case, or else chosen to ignore or infringe their patent
but not sell their products for cash, and hoped to get away with it.
RSAREF - an RSA implementation from PKP, which you may use free for personal
non-commercial use as long as you agree to follow a set of rules
that are much less restrictive than they used to be; you can't
export it outside the US and Canada, and can't change the interface
without their permission, and a few other terms. Better implementations
of RSA's algorithms have been done, but you can use this one free,
with their permission. Or you can pay them money and get support
for incorporating their techniques into your products.
Key certification - Public Keys are usually long - RSA keys are often 1024 bytes.
Public keys crypto is only secure if you can be SURE you have the
public key for the person you're trying to send a message to,
like Bob, and that Eve hasn't handed you HER public key instead -
she could be intercepting all your mail to Bob, decrypting it,
and re-encrypting with Bob's key. So you need to find a secure way
to transmit public keys, where "secure" means it can't be forged
without you knowing about it (though anybody can read them.)
Publishing in the New York Times classified ads is one approach,
as is any other broadcast method you can be SURE everyone gets correctly.
Another method is to use digital signatures - somebody you trust,
whose public key you can be sure you know accurately, gets Bob's
public key from Bob, and signs it with their public-key.
Since not everybody knows somebody who knows Bob, the problem can
be handled by a chain or hierarchy of key certifications -
Charlie signs Bob's, Dave signs Charlie's ... and You know Xerxes yourself.
Or George Bush signs all the general's keys, the generals all sign
the keys for the colonels under them, the colonels sign for the
majors under them, .... and you can check some sergeant's key
because it's got a certificate from his lieutenant on up to Bush,
and Bush's key is in the Phone Book.
PGP - Phil's Pretty Good Privacy program - a nice packaging of this technology
that can be used easily to prepare secure email. The original version
used RSA and a choice of DES or a home-brew secret-crypto system;
the current version uses RSA and IDEA. For certification,
the method is non-hierarchical - you have a "keyring" containing
public keys you know, maybe with certificates, and you can sign
the ones *you* trust and give your signed keyring to your friends.
Hierarchies imply the potential for control; this is cooperative anarchy,
and there's no chain of people you HAVE to obey to exchange keys.
When PGP version 1 first came out, RSA yelled at Phil Zimmerman,
the author, and told him he was risking patent infringement lawsuits
and such if he didn't cease and desist, so he's no longer distributing it.
But some of those SNEAKY FOREIGNERS *somehow* got a copy,
and so ongoing development of PGP is taking place outside the US,
unhindered by patent problems. Version 2.1 is out, 2.2 real soon.
Parts of PGP are probably not covered by PKP's patents,
and parts are clearly not covered by ITAR, but some parts are a problem.
RIPEM - Mark Riordan's public-key email system, which uses RSAREF to do RSA,
so it's legally kosher but not exportable, and is related to the
internet Privacy Enhanced Mail stuff that was being developed
for a while. Still real new, but probably Pretty Good also;
I seem to remember its key certification was more hierarchical.
----
More PGP info - PGP was originally written for a DOS environment (there are
problems trusting any system you don't totally control,
and it's tough to say you totally control a multi-user system),
but it's been ported to lots of things by now, including
UNIX and some early Mac ports (work is in progress to make the
Mac port feel like Mac-stuff rather than Unix-stuff.)
You can get the source, compile it, play with it, and
do anything you want that doesn't infringe PKP's patent,
so remember not to use it to exchange keys with anyone or send them
mail unless you've got a licensing agreement.....
Once it's compiled, type
pgp -h
to get help, and/or read the documentation.
Where to get things: The fun place to shop is nic.funet.fi, by anonymous ftp,
but if you telnet to an archie server like archie.rutgers.edu (login
as archie) you can ask it wher to find anything. Using a US site would
be potentially better legally, and also cuts down on the bandwidth
used between here and Finland....
Bill Stewart
Return to March 1993
Return to “wcs@anchor.ho.att.com (Bill_Stewart(HOY002)1305)”
1993-03-04 (Wed, 3 Mar 93 18:04:54 PST) - PGP: informal faq for eknipp - wcs@anchor.ho.att.com (Bill_Stewart(HOY002)1305)