FAQ on PGP, tilted towards ver 5 and later
Q. Where can I read more about the key splitting method?
A. A private key can be split into n pieces (max 10 in PGP) called share holders, such that m of these pieces can be used to reconstruct the message. This is called an (m,n) threshold scheme. This idea was invented independently by:
Adi Shamir in "How to share a secret", Communications of the ACM, v 24, n 11, November 1979, pp 612-613 and
George Blakley (Blakley's name is misspelled in the on-line help in PGP) in "Safeguarding Cryptographic Keys", Proceedings of the National Computer Conference, 1979, American Federation of Information Processing Societies, v 48, 1979, pp 242-268.
Reference: Applied Cryptography, p 72, Bruce Schneier, http://www.counterpane.com
Q. Why can I not decrypt my own files? I can encrypt and sign them, so my password is correct.
A. When PGP is installed, the default is that you cannot read what you have encrypted yourself. This protects the encrypted content in cases where the sender wants to ensure that the content stays secured even if he is forced to reveal his password. For business purposes, however, it is a requirement to be able to read what has been sent.
The procedure to read your own encrypted messages is:
Go to PGP preferences | General, and ensure that the box "Always encrypt to default key" is marked.
This specifies that all email messages or files you encrypt with a recipient's public key are also encrypted to you using your default key.
Q. Is PGP year 2000 compliant?
A. Yes. NAI's written statement, "PGP Year 2000 Compliance", is at http://www.nai.com/services/support/2000/2000pgp.asp, and the detailed test procedure for all of NAI's products is at http://www.nai.com/services/support/2000/yr2qa.asp
Q. Why is the key length sometimes referred to as 128 bits long, and in other cases as 2048 bits, or even 4096 bits?
A. Because two different encryption methods are combined: symmetrical and public key encryption. Symmetrical encryption is usually within the range of 40 - 128 bits. These are the bits usually referred to when we read about export restrictions. PGP uses 128 bits, which is considered strong enough to be restricted for export. The other encryption method, public key encryption, is based on another kind of mathematics and requires more bits in the key to reach the same level of strength as a 128 bit symmetrical key. PGP allows you to choose this key length, which by default is 2048 bits.
Thus the confusion about different key length is due to the use of two different encryption methods.
Zimmermann writes:
"Every once in a while, I get a letter from someone who has just learned the awful truth that PGP does not use pure RSA to encrypt bulk data. They are concerned that the whole package is weakened if we use a hybrid public-key and conventional scheme just to speed things up. After all, a chain is only as strong as its weakest link. They demand an explanation for this apparent "compromise" in the strength of PGP. This may be because they have been caught up in the public's reverence and awe for the strength and mystique of RSA, mistakenly believing that RSA is intrinsically stronger than any conventional cipher. Well, it's not.
People who work in factoring research say that the workload to exhaust all the possible 128-bit keys in the IDEA cipher would roughly equal the factoring workload to crack a 3100-bit RSA key, which is quite a bit bigger than the 1024-bit RSA key size that most people use for high security applications. Given this range of key sizes, and assuming there are no hidden weaknesses in the conventional cipher, the weak link in this hybrid approach is in the public key algorithm, not the conventional cipher.
It is not ergonomically practical to use pure RSA with large keys to encrypt and decrypt long messages. A 1024-bit RSA key would decrypt messages about 4000 times slower than the IDEA cipher. Absolutely no one does it that way in the real world. Many people less experienced in cryptography do not realize that the attraction of public key cryptography is not because it is intrinsically stronger than a conventional cipher-- its appeal is because it helps you manage keys more conveniently.
Not only is RSA too slow to use on bulk data, but it even has certain weaknesses that can be exploited in some special cases of particular kinds of messages that are fed to the RSA cipher, even for large keys. These special cases can be avoided by using the hybrid approach of using RSA to encrypt random session keys for a conventional cipher, like PGP does. So the bottom line is this:
Using pure RSA on bulk data is the wrong approach, period. It's too slow, it's not stronger, and may even be weaker. If you find a software application that uses pure RSA on bulk data, it probably means the implementor does not understand these issues, which could imply he doesn't understand other important concepts of cryptography."
Reference: PGP(tm) User's Guide, Volume II: Special Topics, by Philip Zimmermann, Revised 11 October 94. Can be found at: ftp://ftp.pgpi.com/pub/pgp/2.x/doc/pgpdoc2.txt
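Key-length equivalences like the ones quoted in this answer can be approximated from the heuristic running time of the general number field sieve, the standard estimate for factoring an RSA modulus. The following is an added example, not code from PGP or from this FAQ; the formula is not stated on the page, and dropping its o(1) term (an assumption here) makes the results rough estimates only.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)   # constant c in L_n[1/3, c] for the number field sieve

def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated log2 of the work to factor an RSA modulus of this size.

    Uses exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with the o(1) term dropped
    (assumption of this example), so treat the result as a rough estimate.
    """
    if modulus_bits < 64:
        raise ValueError("estimate is meaningless for tiny moduli")
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def rsa_bits_matching(symmetric_bits: float, max_bits: int = 1 << 16) -> int:
    """Smallest RSA modulus size whose estimate reaches 2**symmetric_bits."""
    if rsa_strength_bits(max_bits) < symmetric_bits:
        raise ValueError("no modulus up to max_bits reaches that strength")
    lo, hi = 64, max_bits
    while lo < hi:                      # the estimate grows with modulus size
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    for bits in (384, 512, 1024, 2048, 3100, 4096):
        print(f"RSA {bits:>4} bits  ~ 2^{rsa_strength_bits(bits):.0f} work")
    for sym in (56, 64, 128):
        print(f"{sym:>3}-bit symmetric key ~ RSA {rsa_bits_matching(sym)} bits")
```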
See also: "Kryptonycklars längder – En förvirring" by Mikael Simovits, at http://www.simovits.com/archive/krylength.html
"If we compare the systems DES (Data Encryption Standard) and RSA (Rivest Shamir Adleman), DES has a computational cryptographic key length of 56 bits, which corresponds to a 384-bit key for RSA. If we take this further, a 64-bit key for a DES-like system gives at least the same security as 512-bit RSA."