[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Unknown



============================================================================
SUBJECT:  PRETTY GOOD PRIVACY 2.6
SOURCE:   ZiffWire via Fulfillment by INDIVIDUAL, Inc.
DATE:     July 5, 1994
INDEX:    [3]
----------------------------------------------------------------------------

  PC Week via INDIVIDUAL, Inc. : Those opposed to, or even just worried
about, the federal government's Clipper chip encryption proposal now have a
free, easy, and legal alternative.

  The Massachusetts Institute of Technology and RSA Laboratories have teamed
to produce a new version of Philip Zimmermann's PGP (Pretty Good Privacy),
Version 2.6. The software and source code is being distributed by MIT along
with a free license from RSA Laboratories for non- commercial use. The
software was released at the end of May.

  PGP uses the Public Key encryption method, which has been patented by RSA.
PGP has been distributed since 1990 as an implementation of the Public Key
encryption algorithm and has gone a long way in popularizing that method of
personal encryption and the use of what are called digital signatures.

  PGP has been the subject of controversy, however, since it used to use
public-key encryption without a license from RSA, and because it has been
distributed all over the world in source-code form, which some federal
authorities say is against international encryption-export bans imposed by
the United States. Version 2.6, however, is licensed through RSA, so there's
no question about its legality.

  MIT and RSA's distribution of PGP Version 2.6 is an attempt to short-
circuit PGP's popularity. After Sept. 1, 1994, PGP 2.6 will no longer work
with documents and keys generated and encrypted by older versions of PGP,
and it is licensed for use only in the United States.

  The release is already causing upheaval, since its public-key format is
different than in prior versions, and numerous public-key repositories will
have to be updated.

  An oversimplified explanation of public-key encryption is that users
choose (or generate using software) two large, random prime numbers (only
divisible by themselves or one), which remain private. They then distribute
the product of those two numbers freely, which is the public- key part of
the encryption. Anyone wishing to send an encrypted document to a user can
encrypt it using that user's public key. Only the intended recipient can
then decrypt the document.

  A related use of public-key encryption (and probably its more important
use in the future of the information highway) is for digital signatures. A
user wishing to "sign" a document uses a private key (the prime factors) and
combines it with a checksum of the document. Anyone can then use that
users's public key to verify the electronic signature and verify that the
document was not altered since the user signed it.

  Public-key encryption is especially strong because there is no known
"easy" method of breaking down extremely large numbers into their component
prime factors (other than brute force). The largest supercomputers today
would take centuries to break down a sufficiently large public key, but it
only takes a few seconds to generate such a key and use it to encrypt and
decrypt documents.

  The government's proposed Clipper chip uses a somewhat similar method of
encryption. At least, it seems to be similar: Its exact algorithm is
classified. With the Clipper chip, however, the federal government would
hold the "key" that would let law-enforcement personnel decrypt the chip to
be used when wiretapping is authorized by the courts.

  PGP comes with extensive documentation that clearly explains the public-
key algorithm and provides both a DOS executable and source code for
compiling the program on numerous other platforms. The program provides all
the normal public-key functions (such as signing and encrypting) through the
command line. Although command line is not the most intuitive method, it
lends itself well to automation.

  Obtaining PGP 2.6 is a somewhat complicated process. Users must use ftp to
get to net-dist.mit.edu and get a README file and various licenses in
/pub/PGP, then use telnet to get to the same address to answer a
questionnaire and get the address for the rest of the PGP files. Finally,
users must use ftp a second time to actually obtain the files. If the user's
IP address is not part of a Domain Name Service and can't be resolved to an
address in the United States, the user must contact MIT through E-mail.

  -- Eamonn Sullivan

[07-05-94 at 17:19 EDT, Copyright 1994, ZiffWire, File: c0705185.2zf]