What follows is a list of freely available crypto systems, with comments based on my limited reading in books and on the net. I am not an expert in cryptography, and the following comments are therefore not to be taken as anything but introductory words on the subject. For another, more extensive source for cryptography available on the net, go to The International Cryptographic Software Pages... (Unfortunately this link seems to have disappeared and searches for it produce nothing.)
The PGP Attack Faq gives an explanation of how PGP works and analyses a variety of potential attacks on the security of PGP.
The alt.security.pgp FAQ also gives a detailed discussion of PGP and its workings.
PGP can also be used to sign messages. It does so by first computing a "hash" of the message using the hash function MD5. It then encrypts this hash output (128 bits or 16 bytes) with the secret RSA key of the sender. Any recipient can calculate that same hash output of the received message and use the sender's public key to decrypt the signature. If the output of this decryption agrees with the recipient's calculated hash output, then the recipient knows both that the sender actually sent that message, and that not a single bit of that message has been changed. Although in theory such a signing is far more secure than any physical holographic signing, it has not, as far as I know, ever been tested in a court of law.
(Note that MD5 has recently (May 96) been shown to be weaker than hoped by Hans Dobbertin. Whether this weakness affects its use in signing in PGP is at present unknown, but the weakness is a worry. Future versions will probably use SHA1, a hash algorithm developed by the NSA, instead. The demonstration that MD5 may be weak illustrates the difficulties that a court of law faces in accepting such signatures.)
Another thing that such signing makes possible is time stamping services. In this a third party takes your document, or a hash of it, together with that day's date, and encrypts it with their private key as an authentication of the contents of the document as of that date. To ensure that documents cannot be back-dated or forward-dated, hashes of all of the time stamps for a certain week can be created and published.
For an excellent book on the history and theory of PGP, with a detailed guide on how to use it, see the book
For a beginner's guide to PGP, see David Hamilton's An Absolute Beginner's Guide to PGP
For other pointers to guides for beginners see Nat Queen's PGP page
One of the principal repositories for such keys is kept by MIT and can be used at:
In addition, Comparitech has a guide to using encryption on a variety of email clients: http://compari.tech/emailsecurity
The alternative process, advocated by RSADSI, Netscape, IBM, and other providers of secure Web servers, is that a commercial company signs the public key as belonging to the person or company claiming the key. That commercial company demands documentation demonstrating the relation of the user of the key to the claimed person using the key. This has the advantage of establishing commercial liability but the disadvantage of being expensive (of the order of $300). To ensure that a key has not been "taken over", such commercial digital key certificates are valid only for a limited time (eg, a year), after which time they must be reissued. The trust has been transferred from "trustworthy" people to a "trustworthy" company.
One company offering signed digital certificates is DigiCert SSL Certificate Authority (http://www.digicert.com).
Four11 Corporation (formerly SLED) offers a PGP Key Certification service in conjunction with their "White Pages Email Service". They demand faxed driver's license or passport identification before signing a key and putting it on their service. The charge is US$20/year.
Arge Daten of Austria also offers a PGP key signing service, and guarantees the identity of the owner of the key. Price: 300 Austrian Schilling.
For a discussion of public keys and the issues surrounding key
signing and trust, read
Zimmermann and others formed a commercial company, PGP Inc., to further the development of PGP. They are the purveyors of the commercial version and are now leading the development of PGP. Unfortunately, they seem to be abandoning a key feature of any cryptography program, namely the ability of the user to ensure that the program does what it claims to do and does not insert any foreign security-weakening material. (See the section below on commercial crypto standards.) They are also at present in a dispute with RSADSI over the status of their license for the use of the patented RSA technology.
PGP Inc has just released a new version of PGP, version 5.0. They have released this only as compiled versions for Windows operating systems, although other operating systems are planned. It is available through the MIT site above. They have published what they claim to be the source code in book form, which is apparently being scanned into the computer by S Schumacher, who will apparently release an "international" version. It is claimed that PGP Inc has stated that they will not release the source code in other than printed form. Although this version still supports RSA as the public key encryption, they are attempting to establish ElGamal as the preferred public key system for PGP because of the licensing problems with RSA.
In order to keep peace with RSADSI, the exclusive licensor of the MIT patent on RSA, the MIT PGP uses subroutines developed by RSADSI. The "exported" version of PGP has been altered (by Staale Schumacher) by using the original subroutines written by Zimmermann. These International versions are distinguished by an i at the end of the version number. The home page of this international version is the PGP International Home Page, which will also give sources for the international PGP code (presently PGP2.6.3i), which is completely compatible with the MIT version. This page also has numerous links to other PGP sites.
Finally, some people do not like the licensing terms under which the MIT versions (and also the i versions) have been released, especially their restrictions on non-commercial use. They have released so-called Unofficial International versions, based on the code in PGP 2.3, a version which was largely coded outside the USA and was released under the Gnu Public License. The latest is 2.63ui (which however has nothing to do with the other 2.6.x versions as far as code is concerned, but is supposed to be interoperable with all the other versions). This now appears to be being organised by Steve Crompton and can be obtained either at ftp://ftp.funet.fi/pub/mirrors/utopia.hacktic.nl/pgp/pc/dos/ or ftp://utopia.hacktic.nl/pub/replay/pub/pgp/pc/dos/
Due to the commercialisation of PGP, a European group has developed GnuPG, a Gnu GPL version of PGP. It is now working on Linux systems (and may work on others). It is designed to implement the OpenPGP standards, and uses ElGamal as the public key and BLOWFISH, CAST5, and TIGER as the encryption engines and MD5, SHA-1 and DSA as hashing/signing algorithms. TripleDES is being implemented.
Canadian readers can find various versions of PGP and other cryptographic products at Mark Henderson's Crypto archive. For OS2 compiled versions of PGP, go to http://www.gibbon.com/getpgp.html for a USA version 2.6.2 (export restricted), or to ftp://ftp.pgp.net/pub/pgp/pc/os2/ for an international 2.6.3i version.
All of the above free versions of PGP are licensed by all of Zimmermann, Ascom Systec (for IDEA), RSADSI (for RSAREF), and MIT for non-commercial use only. For a discussion of what this means, see
For users of the Theory machines, you can register by running the program addpgp, and then using the program pgp.
In early 1995 a routine was published anonymously on the Newsgroups claiming to be RC4. It was tested against a valid copy of RC4, and the tests seemed to indicate that it acted identically to the real RC4. To the extent that this alleged RC4 is identical to the real one, it is no longer a trade secret, and is no longer proprietary. It is a cypher with a key size of up to 2048 bits (256 bytes), which, on the brief examination given it over the past year or so, seems to be a relatively fast and strong cypher. It is a "stream" cypher, creating a stream of random bytes and XORing those bytes with the text. Using it with the same key on two different messages makes it very weak. It is thus useful in situations in which a new key can be chosen for each message.
The source (in C for Unix) for the alleged RC4 can be obtained from
Note that the same warning is also true for the so called encryption
routines included in Word Perfect, Word for Windows, PKZip, and others.
DH can also be used in a public key crypto system. To use it in this way, the recipient publishes g, m, h1 and the sender chooses a random exponent e2 and sends h2 along with the message encrypted using the private key crypto system and the key k. This system does not have the feature that one can easily sign messages, as with RSA. It has the political advantage that the patent expires in 1997. It also depends for its security on both recipient and sender choosing exponents e1 and e2 in a strong way.
Rumours exist that PGP will use DH and triple DES (perhaps along with RSA and IDEA for backwards compatibility) in a future version to get around the licensing problems of RSA and IDEA.
Cryptography Research's index to a whole lot of cryptography pages.
Ron Rivest has an extensive list of various security products, etc. (Rivest is the co-inventor of the RSA public key cryptography system.)
Bruce Schneier's page. He is the inventor of the BLOWFISH algorithm and author of the excellent book Applied Cryptography.
http://www.cs.hut.fi/ssh/crypto/algorithms.html contains a discussion of freely available algorithms more extensive than the one here, and pointers to obtaining them.
SecSplit: Split a secret into N parts of which any M parts can be used to reconstruct the secret. Useful for giving secrets like encryption keys to others to store for you, but requiring a number of them to all get together to reveal the secret.
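The standard way to get "N parts, any M reconstruct" is Shamir's threshold scheme, shown here as an added Python example (it is not SecSplit's own code, and I am assuming nothing about how SecSplit encodes its shares). The secret becomes the constant term of a random polynomial of degree M-1 over a prime field; each holder gets one point on the curve, any M points interpolate the constant term back, and fewer than M leave every value of the secret equally likely.

```python
# Added example: Shamir secret sharing, N shares with threshold M.
import secrets

PRIME = 2**521 - 1  # field modulus (a Mersenne prime); the secret must be smaller than this


def split_secret(secret: int, n: int, m: int, prime: int = PRIME):
    """Return n shares (x, f(x)); any m of them reconstruct `secret`."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < prime:
        raise ValueError("secret must be an integer below the field prime")
    # f(0) = secret; the remaining M-1 coefficients are uniformly random
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(m - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):       # Horner's rule, reduced mod prime
            y = (y * x + c) % prime
        return y

    return [(x, f(x)) for x in range(1, n + 1)]   # x = 0 is never handed out


def recover_secret(shares, prime: int = PRIME) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def key_to_int(key: bytes) -> int:
    """Encryption keys are byte strings; share them as one big integer."""
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # constructed 128-bit key to be escrowed
    shares = split_secret(key_to_int(key), n=5, m=3)
    assert int_to_key(recover_secret(shares[1:4]), 16) == key
    print("recovered the key from 3 of 5 shares")
```

Note that reconstruction below the threshold does not fail loudly: `recover_secret` on M-1 shares returns a number that is wrong with overwhelming probability, so a real tool should carry M in the share format and refuse to interpolate with fewer.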
CryptLib: a library of encryption routines and hash algorithms (DES, 3DES, IDEA, Blowfish, Blowfish-SK, RC2, RC4, RC5, Safer, Safer-SK, RSA, DSS, MD5, SHA). Written by Peter Gutmann with DES code by Eric Young and IDEA code by Colin Plumb. See the documentation file for more information. Also available from here.
Matt Curtin's Beware of "Snake Oil" (also available from here). There are many advertisements for crypto systems which are worthless. Read this FAQ to become aware of danger signs that the crypto system being peddled falls in this category.
Keys:
- PGP will generate a public/private key pair for the user, of the length specified by the user (up to 2048 bits for PGP2.6.2/2.6.3i). Since it is the user that generates the key pair, one of the problems is that of trust. How do you know that the public key claimed to be from the intended recipient is not that of an
Sources:
For a comprehensive list of sources for PGP, get
the Where to Get PGP FAQ
from
Entrust Technologies, a subsidiary of Nortel, has designed, and is selling, a public key crypto system similar to PGP. It uses RSA as the public key system, and a choice of CAST, DES, TripleDES, or RC2 as the conventional encryption system. They have a version, called SOLO, which is free for non-commercial use. At present SOLO is only for Windows95 or NT. Since it was designed in Canada, they claim to be able to sell or send it to anyone almost anywhere in the world. They also have a variety of commercial encryption products.
They apparently do not publish their source code, nor do they allow examination of the raw output of the crypto engine to allow verification that the system operates as it should. This is a weakness of the system (shared by almost all commercial crypto providers, including PGP Inc.).
Their full scale commercial version (Entrust) combines a key management/Certification Authority system with a client encryption/decryption. It appears that they solve the problem of how the organisation can ensure that it can recover the material of employees by having only the central authority create and issue encryption/decryption key pairs, and saving these in a database. This clearly provides a single point of attack for an enemy or a rogue employee. If that database is cracked, all keys of the organisation become compromised. Users however create their own digital signing key pairs, so that neither the central administration nor a cracker can compromise the identity of the users from that central database.
This is another email public key system developed by Mark Riordan. It uses RSA in the same way as PGP does, but uses DES rather than IDEA as the standard cypher. It is incompatible with PGP and is not as widely used on the net.
This is the latest product of the MIT/Zimmermann collaboration. This uses a computer with a sound card/microphone, PGP, and a modem to carry out completely encrypted phone conversations. The voice is digitised, encrypted using PGP and the other person's public key, sent by modem to the other computer, where it is decrypted and played through the sound card. The source for PGP Phone is
The Digital Encryption Standard was developed by IBM and the National Security Agency (NSA) of the USA in the 50s and forms the basis not only for the Unix password program, but also for the Automatic Teller Machines' PIN authentication. (For a discussion of the security of ATMs, see Ross Anderson's article Why Cryptosystems Fail.) DES uses a key of only 56 bits, and thus it is now susceptible to "brute force" attacks (ie try every possible key and see which decrypts the message), but at a substantial (for a private individual) cost. Although many rumours have circulated that it was designed to be weak, the evidence apparently is that it was designed to be as strong as possible, even being designed to resist techniques which were not known in the unclassified world at the time. However the design criteria have never been released. For a fast implementation, see Eric Young's libdes implementation. This includes an implementation of triple DES, believed to be much stronger than ordinary DES, and a fast implementation of the Unix password subroutine, crypt(3).
IDEA is a cryptosystem which was developed by Dr. X. Lai and Prof. J. Massey in Switzerland in the early 1990s to replace the DES standard. It is a symmetric (same key for encryption and decryption) block (operating on one definite sized block of the message at a time) cypher, operating on 8 bytes at a time, just like DES, but with a key of 128 bits. This key length makes it impossible to break by simply trying every key, and no other means of attack is known. Since it is relatively new, it has not had as much study as has DES. It is fast, and has also been implemented in hardware. It was chosen by Phil Zimmermann for PGP after his own attempt at a cypher had been shown to be weak, and apparently because of worries he had about the security and key length of DES.
IDEA is patented in Europe [Austria, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, UK], in the USA and in Japan (pending). Ascom Systec is the holder of the patents but licensing is now handled by MediaCrypt AG. PGP has a license to use it for non-commercial use only.
RC4 is a cypher invented by Ron Rivest, co-inventor of the RSA cypher, and is claimed as a proprietary system by RSADSI. It is proprietary in that RC4 is considered to be a trade secret of RSADSI. It is used in a number of commercial systems like Lotus Notes and secure Netscape.
Many Unix systems come supplied with an encryption system called crypt. (This should not be confused with the subroutines of the same name used in the Unix password system.) It is based on a software implementation of the WWII German Enigma cypher, broken by the Polish and British cryptographers during the war. This routine should never be used for encrypting anything. There exist programs on the net for taking the encrypted output from the crypt function and producing the decrypted text and the key. crypt is thus worse than useless, as it gives the user a completely unwarranted feeling of safety. Of course if this weakness is understood, one could use it to hide information from other casual readers. It has the advantage that if one forgets the encryption key, one can often still recover the encrypted text.
RSA is a cypher based on the concept of a trapdoor function. This is a function which is easily calculated, but whose inverse is extremely difficult to calculate. In the RSA case, the easy function is multiplication and the hard inverse is factoring. Take two prime numbers, p and q (ie numbers which cannot be divided evenly by any number other than 1 and themselves), and multiply them together to get their product N. This is very easily done. However, if we only know N, then it is extremely difficult to determine what the factors p and q are if N is sufficiently large. Typically in cryptography, N takes a value of greater than 500 bits (150 digits). The message is written as a series of numbers each of which is smaller than N but has approximately the same length as N. Each of these message numbers M is then multiplied by itself e times. (In PGP, e is often taken to have the value 17.) Then the result of that set of multiplications is divided by N, and only the remainder of that division is kept; this remainder is the encrypted message. To decrypt the message, the recipient uses another specially chosen number d, which is typically a very large number (of the order of half the length of N). This number is chosen so that if we now multiply the encrypted message with itself d times, divide by N, and keep only the remainder, then we get the original message back. The only way known to find d is to know p and q. e and N are the public key, which is published, while d is the private key, which must be kept secret. e and d are symmetric in that using either as the encryption key, the other can be used as the decryption key. This is what makes signing possible.
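The following Python is an added example (not PGP's or RSADSI's code) that carries the description above through with the page's own symbols p, q, N, e, d and M, and then uses the e/d symmetry for the hash-then-sign procedure described in the PGP signing paragraph and for the time stamping service described after it. The primes are either toy-sized or still far too small for real use (a real N is 500+ bits, as the text says); SHA-1 stands in for MD5 as the message hash, since the page says later versions would move to it; and the "hash plus date" layout of the time stamp is an assumed construction.

```python
# Added example: textbook RSA, hash-then-sign, and a minimal time stamp.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, N), d) from two primes; e = 17 as the page says PGP often uses."""
    N = p * q
    phi = (p - 1) * (q - 1)         # finding d needs phi, hence p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # e*d == 1 (mod phi)
    return (e, N), d


def encrypt(M: int, public) -> int:
    e, N = public
    if not 0 <= M < N:
        raise ValueError("each message number must be smaller than N")
    return pow(M, e, N)             # M multiplied by itself e times, remainder mod N


def decrypt(C: int, d: int, N: int) -> int:
    return pow(C, d, N)             # C multiplied by itself d times, remainder mod N


def hash_as_number(data: bytes, N: int) -> int:
    """Hash the message and reduce the digest to a number below N."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % N


def sign(data: bytes, d: int, N: int) -> int:
    """Signing: apply the private exponent d to the hash (e and d are symmetric)."""
    return pow(hash_as_number(data, N), d, N)


def verify(data: bytes, signature: int, public) -> bool:
    """Recipient: apply the public e to the signature, compare with its own hash."""
    e, N = public
    return pow(signature, e, N) == hash_as_number(data, N)


def time_stamp(document: bytes, date: str, d: int, N: int) -> int:
    """Time stamping service (assumed layout): sign the document hash together with the date."""
    return sign(hashlib.sha1(document).digest() + date.encode(), d, N)


def check_time_stamp(document: bytes, date: str, stamp: int, public) -> bool:
    return verify(hashlib.sha1(document).digest() + date.encode(), stamp, public)


if __name__ == "__main__":
    public, d = make_keypair(61, 53)          # constructed toy primes: N = 3233
    print(public, d)                          # (17, 3233) 2753
    print(encrypt(65, public))                # 2790
    big_public, big_d = make_keypair(2**31 - 1, 2**61 - 1)   # still far too small for real use
    msg = b"constructed message"
    sig = sign(msg, big_d, big_public[1])
    print(verify(msg, sig, big_public), verify(msg + b"!", sig, big_public))   # True False
```

The signature check fails on a single changed bit because the recipient's recomputed hash no longer matches what the public exponent recovers; the time stamp fails the same way if either the document or the claimed date is altered.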
RSA is patented in the USA by MIT, who granted exclusive rights to license the product to RSA Data Security, Inc. (RSADSI). Elsewhere in the world RSA is free from proprietary restrictions, to the best of my knowledge, except for copyright on code written by RSADSI themselves.
Diffie-Hellman was the first public key cryptographic technique published. It is primarily used for public key exchange for use with some other private key type crypto system. The basis for the technique is the difficulty of calculating logs in modular arithmetic. Say A and B wish to establish a key. A sends B the number g, the modulus m and the number h1 = g^e1 mod(m), where e1 is a large number (<m). B then sends back to A the number h2 = g^e2 mod(m). They each then use the number k = g^(e1*e2) = h1^e2 = h2^e1 mod(m) as the private key. Any enemy must be able to calculate either e1 from g, m, h1 or e2 from g, m, h2. This is believed to be very very hard for large enough values of g, m.
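As an added example (not from the page, PGP, or any vendor), the Python below runs the exchange above with the page's symbols g, m, e1, e2, h1, h2 and k, and then the "public key" use of DH described earlier, where the recipient publishes (g, m, h1) and the sender picks a fresh random e2 for each message. The toy parameters g = 5, m = 23, e1 = 6, e2 = 15 are constructed so the arithmetic can be checked by hand; the larger modulus is still far too small for real use; and the symmetric cipher used with k is an assumed hash-derived keystream standing in for the private key crypto system the page leaves unspecified.

```python
# Added example: Diffie-Hellman exchange and its use as a public key system.
import hashlib
import secrets


def public_value(g: int, m: int, e: int) -> int:
    """h = g^e mod m."""
    return pow(g, e, m)


def shared_key(h_other: int, e_own: int, m: int) -> int:
    """k = h_other^e_own mod m; both sides arrive at g^(e1*e2) mod m."""
    return pow(h_other, e_own, m)


def random_exponent(m: int) -> int:
    """Choosing the exponent 'in a strong way': uniform in [2, m-2] from a CSPRNG."""
    return 2 + secrets.randbelow(m - 3)


def keystream(k: int, length: int) -> bytes:
    """Assumed construction: SHA-256 in counter mode over the shared number k."""
    k_bytes = k.to_bytes((k.bit_length() + 7) // 8 or 1, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(k_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_to(g: int, m: int, h1: int, message: bytes):
    """Sender: fresh e2 per message, send (h2, ciphertext); h1 is the recipient's published value."""
    e2 = random_exponent(m)
    h2 = public_value(g, m, e2)
    k = shared_key(h1, e2, m)
    return h2, xor_bytes(message, keystream(k, len(message)))


def decrypt_from(e1: int, m: int, h2: int, ciphertext: bytes) -> bytes:
    """Recipient: recover k from h2 and the private e1, then strip the keystream."""
    k = shared_key(h2, e1, m)
    return xor_bytes(ciphertext, keystream(k, len(ciphertext)))


def toy_exchange():
    """Constructed hand-checkable case: returns (h1, h2, k as A computes it, k as B computes it)."""
    g, m, e1, e2 = 5, 23, 6, 15
    h1, h2 = public_value(g, m, e1), public_value(g, m, e2)
    return h1, h2, shared_key(h2, e1, m), shared_key(h1, e2, m)


if __name__ == "__main__":
    print(toy_exchange())                                   # (8, 19, 2, 2)
    g, m = 5, 2**127 - 1                                    # still far too small for real use
    e1 = random_exponent(m)                                 # recipient's private exponent
    h1 = public_value(g, m, e1)                             # recipient publishes (g, m, h1)
    h2, ct = encrypt_to(g, m, h1, b"constructed message")   # sender
    print(decrypt_from(e1, m, h2, ct))                      # recipient
```

Note what an observer sees on the wire: g, m, h1 and h2, never e1, e2 or k, which is why the security rests entirely on the discrete logarithm being hard for the chosen m and on e1 and e2 being unpredictable.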
SSH:
SSH is not a cryptographic technique, but rather an application of cryptography for keeping communications between computers secret. It encrypts everything on an ssh connection between two computers with one of the cryptographic functions (eg, AES). See http://wiht.link/SSH-intro for an extensive introduction to what ssh is and how it works.
CryptoLog: An excellent and extensive source page for Cryptography.
The above situation changed in the new year (Jan 1997) when control of civilian cryptography was removed from the ITAR regulations and put under the control of the Dept. of Commerce. These new regulations (see especially Part 742 section 15 and Supplement 6, and Category 5 part 2; also 740.13(e) gives the general exemption for open source, royalty free software, and the requirements for making use of this) are unfortunately far less readable than are the ITAR regulations, so figuring out what is allowed and what not has become far more complicated. These regulations appear to have expanded, rather than contracted, the control over cryptography, although application can be made for freedom from license for mass market software using symmetric keys with no more than 56 or 64 bit keys.
However the whole of the regulations controlling the export of cryptography in the USA has been thrown into confusion by the Bernstein case. Dan Bernstein, then a graduate student at UC Berkeley, launched a civil First Amendment suit against the US Government when it refused to allow him to publish, either in printed or electronic form, an encryption algorithm that he had designed. Judge Patel ruled that source code was protected speech under the First Amendment and that the ITAR and Commerce regulations violated the First Amendment by not instituting sufficient safeguards against capricious and arbitrary decisions by the executive branch. This decision will probably be appealed by the US government.
Canada also has a set of laws governing the export of military technology called the Export Control List. A copy of a Guide to Canada's Export Controls may be obtained from the Government International Trade Offices across the country.
The status of PGP and other publicly available cryptography under this set of regulations is somewhat unclear to me. The key sections of relevance to PGP are
Evidence that the Canadian situation may be much freer than the US one is that the Entrust Solo software is exported to all countries in the world (except for seven exceptions) from Canada. As a subsidiary of Nortel, a major Canadian company, they have presumably received permission for this export.
[Note that I am not a lawyer, and base the above interpretation purely on my reading of the law as a layman. It is not legal advice, nor should it be taken as such.]
Marc Plumb has tested the ECL by applying for permission to export various cryptographic products from Canada. For his experience and his comments on the ECL see http://www.efc.ca/pages/doc/crypto-export.html
Canada is in the process of reviewing its policies on Cryptography. See the paper A Cryptographic Policy Framework for Electronic Commerce, published Feb. 1998.
For a survey of cryptography laws worldwide see http://rechten.uvt.nl/koops/cryptolaw/index.htm
Last Updated Mar 1998 Bill Unruh