[ale] PGP/GnuPGP

[Michael H. Warfield]

JANINDRA at MS.NDCORP.COM enscribed thusly:

> I have just entered the "security conscience" realm. I have been looking at
> encryption software for Linux and have heard of both PGP and GnuPGP. My
> question to the group is, "Which is the standard?". I understand PGP uses
> patented technology while GPG doesn't. My concern is compatibility with
> others. I know PGP has been around longer but are people moving to GPG or
> staying with the old way? If they are using PGP are they using the "pre
> Network Associates" 2.6.2 or the current 5.x? My main use is to sign things,
> not necessarily encrypt. Any comments would be appreciated.

	Oh man...  This opens one hell of a can of worms...

	The "standard" (at least from the IETF point of view) is openpgp,
(which is a working group and a standard under development at the IETF,
not an application) but more on that below.

	Depending on rev level and package, pgp may or may not be using
patented (RSA and Idea) algorithms.  The older PGP (prior to 5.0) used
RSA and Idea.  RSA is patented in the US by RSA Inc and Idea is patented
in the US and Switzerland by the Swiss company ASCOM.

	A lot of people are still using pgp 2.6, although I believe
that the majority of keys on the key servers are now DH (Diffie Hellman)
keys.  If you use a DH key to sign or encrypt a message, users of PGP
versions prior to 5.0 will NOT be able to read the message, even if you
also included their RSA key in the encryption (format changed enough
that pgp 2.6.2 won't accept it).

	Unless you BUY the commercial version of pgp 5.x or 6.x, it no
longer includes RSA or Idea (they have to pay royalties to RSA and ASCOM
for copies that include them).

	There is a new standard at the IETF called openpgp.  I believe that
pgp 6.x is openpgp compliant.  I know that pgp 2.x is NOT.  There must
be at least two interoperating implimentations of openpgp for it to become
a standard.  NAI's pgp and Gnu's gpg apparently meet that qualification.

	Gnu Privacy Guard (GnuPG or gpg) is an openpgp implimentation that
can also generate messages that can be decrypted by pgp 5.0 and above.  Stock,
out of the box, gpg does not include either RSA or Idea.  But both ARE
available as plugins.  With the plugins, gpg can READ all messages and keys
from all versions of pgp.  As far as I can figure out, it still can not
GENERATE RSA keys, even with the plugins.  It also can not encrypt a message
in a format that pgp 2.x will read even if all the keys are RSA keys.  It
can import and use your RSA key if you already have one.  It can encrypt
using RSA keys and it can sign with an RSA key, if you have the plugins.

	When the Gnu purists proclaim that they only use non-patented
algorithms in gpg, they are calling upon what Robert Heinlein called
one of the true artful ways of lying.  "You tell the trueth, you just
don't tell all of it."  Gpg out of the box and with no plugins does
not use any patented algorithms.  But it can.  Just add the plugins and
you've got your patented algorithms and your compatibility.  And gpg
is then using patented algorithms.  Dealing with patent royalties
and commercial use is left up to the user to keep straight and legal.

	There is also a command line wrapper, pgpgpg, that takes pgp 2.x
command line parameters and translates them into gpg parameters.  That
way, if you have scripts that call on pgp, you can use gpg with existing
scripts without modification.  I don't believe (at least I haven't seen)
any similar wrapper to translate from pgp[eksv] 5.x parameters to gpg yet
exists.

	Sooo....  There is no one single answer or one single "pgp" that
will do everything.  GnuPG with the RSA and Idea pluggins plus the pgpgpg
wrapper seems to come pretty darn close.  The only things you loose with
that combination seems to be generating RSA keys and encrypting to pgp 2.6
users (not sure about ViaCrypt PGP 4.x users - probably same boat as 2.6).
For commercial use, you may want to purchase a copy of PGP 6.5.1 from NAI.
There is a version for Linux.  The NAI Freeware version for Linux does
not support RSA keys or Idea.

	You can find a LOT more information about pgp versions, features,
and compatibility at the Internation PGP site, www.pgpi.net.  The Gnu
Privacy Guard stuff can be found up at www.gnupg.org.  You can get the
sources from the great crypto archives at Replay, www.replay.com, in
the /pub/crypto directory.  You'll find gnupg sources and rpms as well
as sources and rpms for the plugins.

	I built my copy of gnupg from the source rpms downloaded from
Replay.  You build the one for the main gnupg first, then the ones for
the Idea and RSA plugins.

	I've actually got pgp 2.3, pgp 2.6.2, ViaCrypt PGP 4.0, PGP Inc
PGP 5.0, NAI PGP 6.5.1, and GnuPG 1.0 here.  GnuPG seems to be about as
close to a universal package as I'm going to get at this point.  I just
have to get it patched into elm yet.  :-)  My plans are to transition to
GnuPG for everything but to keep my copies of pgp 2.6 and pgp 5.0 handy
just incase something hickups.

> --Randy

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!