Chapter 11
PGP

PGP (Pretty Good Privacy) is a software encryption program that enables users to create secure messages and communicate securely over insecure communication links, such as e-mail and netnews. PGP uses various forms of encryption and combines messages with a simple packet format to provide a simple and efficient security mechanism for the transmission of messages over the Internet and other networks.

This chapter explains PGP 2.6.2, gives a little history and background, and talks about the different security methods PGP provides. The chapter explains the use of PGP “keys” and discusses security concerns with PGP and known attacks against PGP.

It is important for a system administrator to understand the security requirements and implications of using PGP. Because it is such a popular program, many users may want to use it. Instead of each user having his or her own copy, it is worthwhile to make it available system-wide. Understanding how the program works and how it needs to be maintained will help an administrator perform the job in an effective, educated manner.

PGP Overview

The PGP program has become the de facto standard for public key cryptography and message security worldwide. The program has evolved since its first release, and is now very popular. Hundreds of thousands of copies of PGP are known to have been distributed from public sites worldwide. Although it is impossible to know exactly how many copies of PGP exist, or how many people use PGP on a regular basis, it is easy to see that PGP is the most widely used security program on the Internet. On many Usenet newsgroups or popular e-mail lists, for example, a high number of posts use PGP. This section describes the history of PGP and explains other background information about the program.

Security is a trade-off between the cost of the data being protected and the cost it takes an attacker to get that data. Protecting data worth only a dime with a security system that costs a million dollars to break is obviously a bad investment. On the other hand, the protection of data worth a million dollars with a security system that costs a dime to crack is a serious problem. The trade-off is to find the balance—the cost to an attacker to compromise the security protecting data, and the worth of the data to its owner. The cost to break a security system can be measured in many ways, which includes the amount of computer time necessary to perform the security break.

PGP is currently believed by many to be the best and most cost-effective security program available. It uses some of the best known encryption technology, and provides security that, it is believed, governments cannot break. Moreover, because the source code is available many people have looked at the program in search of bugs and security flaws; all of them have been corrected as they have been found.

History of PGP

PGP version 1.0 was first released in the summer of 1991 in the United States through an ftp site and a Usenet news posting. This program used a home-brewed secret-key encryption scheme called Bass-O-Matic and implemented the Rivest, Shamir, and Adelmen (RSA) public-key encryption system. Unfortunately the Bass-O-Matic system was less than secure. The idea, however—to provide a simple program that provides the user with strong encryption, and to make it available to everyone—was genius.

The original PGP was created by Philip Zimmermann, a political activist turned programmer and cryptographer. Philip started his work on PGP when the United States Congress started considering restricting freedoms on computers. As a result, Philip decided to write a program that could protect the privacy of electronic communications to thwart the draconian laws that were under consideration. The result was PGP 1.0.

In September 1992, PGP 2.0 was released in Europe. A group of programmers took the ideas from the earlier 1.0 release, added some features, put in a real cryptographic system, and released a new version of PGP. The 2.0 release also replaced the Bass-O-Matic encryption scheme with IDEA, a professionally developed cryptosystem. The IDEA Cipher is a block cipher similar to the Data Encryption Standard (DES), except that it has a larger key and is believed to be more secure.

With the release of PGP 2.0, the program started gaining popularity. Computer users around the world started using PGP to protect their communications from electronic eavesdroppers or would-be counterfeiters. The program’s simplicity and ease-of-use made the program popular with many different skill levels of computer users.

One of the problems that held back the use of PGP is that patents exist on the RSA cryptosystem in the United States. Because PGP did not have a license, it was claimed that PGP violated the RSA patents. One solution was found by a company called ViaCrypt, which started selling a commercial version of PGP. ViaCrypt was licensed to sell software that uses the RSA patent, so they could legally sell PGP.

Another problem holding back the use of PGP is the United Stated International Traffic and Arms Regulations, or ITAR. The ITAR rules limit the exportability of military munitions, such as guns and nuclear weapons. Unfortunately, cryptographic systems, encryption systems, and so forth, are also considered munitions under ITAR. Therefore, exporting programs that use cryptography, such as PGP, could be considered arms smuggling.

In June 1994, the Massachusetts Institute of Technology released a free version of PGP for United States citizens that had an RSA license, thereby freeing PGP from its “forbidden-ware” status and allowing anyone in the United States to use it. Since this time, PGP’s acceptance and use has grown dramatically. Many say that it has become the de facto standard for public key cryptography in the world.

Via Crypt and its parent company, Lemcom Systems were purchased by PGP, Inc. in July of 1996, and they continue development of PGP technology for both business and personal use. (http:/www.pgp.com)