Talk:Pretty Good Privacy/Archive 1

Archive 1

Featured article candicacy

NB: This article was a featured article candidate in May 04. Comments on it may be found in the archives. It was not added to the featured article list despite near unanimous support. Resubmission in a month or so might be appropriate.

open-source =/= disclosed source

I changed open-source to "disclosed source" because, whilst the source code is publically available, it doesn't meet the Open Source Definition (because you can't distribute modified code, basically).

Also I removed the sentence "At least Phil Zimmerman can no longer make the decision" (I'm paraphrasing), because "At least" has an unfortunate double meaning in this context (it could be read to imply that it's a good thing that PRZ no longer has any direct influence over PGP - which I assume was not what the writer meant to say), and the sentence doesn't provide any information that can't be easily deduced by reading the rest of the article.

--Robert Merkel

Psychosonik (band)?

Matt, I have no idea who the band Psychosonik (spelling?) is nor whether the song is any good. Your Google count indicates not much interest among the networked. BUT, it takes very little resource to keep the observation and I doesn't seem to me that, in the absence vandalistic/destructive intent, that the test should be quite 'Delete unless good reason for presence can be shown'. I'd be in favor of retaining on a 'No harm, no foul' basis. ww

POV objection unclear

Matt, I'm not sure what the nature of your POV objection is to PGP has been cryptographically excellent and influential. Can you explain? ww 14:25, 16 Apr 2004 (UTC)

The "cryptographically excellent" bit; if you could say something like "many cryptography experts, for example Bruce Schneier, consider PGP to be a secure cryptosystem. (for e.g., I don't known Schneier's opinion), it would be better. — Matt 14:30, 16 Apr 2004 (UTC)

PGP developer notes edits

I did a number of edits here. They range from merely making sure that PRZ's name is spelled correctly to corrections to some of the history. I've been involved with PGP since 1997, and am the OpenPGP author/editor. Jon 3 May 2004

sentence incomprehensible

Current text in second paragraph is:

  The name, on the other hand, is a bit of a joke. Garrison Keillor's hometown,   
  Lake Wobegon, had a grocery store. Like most things Wobegonian, it was a bit 
  odd. Among its oddities was the name, "Ralph's Pretty Good Grocery". Ralph's 
  slogan was, "If you can't find it at Ralph's, you can probably get along 
  without it." Zimmermann's playful side came out to play, and Pretty Good 
  Privacy was the result, the reasoning being that if PGP isn't good enough 
  security, you can probably get along without it.

Does that final sentence of that paragraph make sense? It doesn't seem to fit the sense of the original. - Bevo 17:31, 4 May 2004 (UTC)

Discussion of Jdcc edits

(Copied from User talk:Jdcc)

...I've removed a couple of phrases along the lines of "PGP's design has been (and remains) cryptographically excellent"; it would be better if we could replace such assertions with things like "PGP has been recommended for use by independent group of cryptographic experts X" or "Report Y by cryptographer Z finds no problems with the design of PGP".... — Matt 08:53, 4 May 2004 (UTC)

Matt -- I don't mind your removing that phrase. I didn't write it, someone else did. All I did was fail to delete it. :-) I was mildly uncomfortable with it, but I thought it was both flattering to PGP and I agreed with it, so I left it there. If you want it gone, sure. I'm happy to put in some other things like that PGP is one of the two NIST-approved standards for message encryption (S/MIME is the other one).

That would be exactly the right thing. We ought to convey that PGP is "pretty good" (and should be able to) using evidence like this.

I tried very hard to correct things that I knew were mistakes, and fill in things that are part of the historical gray area of PGP. Simson's book ends at the beginning of '95. The Z-affaire ended in January '96. I did some work with them (being a fan) at that time and being a crypto guy at Apple. I left Apple for PGP Inc. in Jan '97, and consequently there are lots of things that were never adequately explained. Now the story can be told.

It'd be great to have some of the less well documented bits about PGP explained. One thing you might want to watch out for, though, is that things on Wikipedia have to be (by "policy") verifiable (see Wikipedia:Verifiability) and not an original work, such as a primary historical account (see Wikipedia:No original research). What this means is that the first place a story is told shouldn't be Wikipedia (though it could very happily be the second!); if questioned, we should (in theory) be able to point at documentation or evidence for every fact we provide. — Matt 11:56, 7 May 2004 (UTC)

Some stuff I changed because it was partially true -- for example, the explanation of digital signatures describes RSA but not DSA signatures. Thanks for leaving my edits predominately.

-- Jon

Copied from User talk:Jdcc

WW -- I would like it if you did nominate it for 'featured.' I'm going back through and making some other edits.

For example: Elgamal is properly thus. I asked Taher years ago, and also worked for him. He is Egyptian by birth, and originally it would be "El Gamal". When he came to the US, two-word surnames are a hassle, so he went to "ElGamal" but that wasn't really any better. So now his legal name is "Elgamal". Yes, I know that Schneier spells it with the intra-cap. That is not the way Taher now spells his name.

It might be an idea to note this at Taher ElGamal.

Heck, I'll just go hack that up, too. -- Jon

The RSA patent wasn't merely "partially controlled" by MIT, they owned it. RSADSI (typo corrected, too) were the sole licensee who then sublicensed. Professors at MIT personally stared down RSADSI in those days.

jdcc, That was me. There is a difference between ownership and control. MIT assigned the RSA patent to PKP Partners as part of a scheme to collect several of the public key patents under single control to make commercial exploitation easier. Same reason Bizdos went off to meet with Schnoor and license his patent.

As I recall, MIT, Stanford, and another company owned PKP. The other company eventually sued the rest in a big kerfluffle, but that doesn't bear on this as I understand it. PKP in turn licensed to RSADSI which is their only claim to being the 'only source of RSA' and all that. So the term 'partially controlled' was carefully chosen to convey (briefly) the situation. I was trying to avoid any of the legal beagle and corporate scheming behind it all. Does that make clear the reasoning?

I've gone ahead and nominated. Let's see what happens. ww 14:12, 7 May 2004 (UTC)

Also got sidetracked into a large number of largely phrasing changes. Few should be problematic, but you might read it to see that I haven't miscontrued something. It's a lot cleaner now, though there are too many short paragraphs and so it reads somewhat choppily. Have to stop now, spent too much time on it! ww 18:33, 7 May 2004 (UTC)

PKP was a partnership of RSADSI and Cylink. RSADSI was the sole licensee of the RSA patent (chiefly) and Cylink of the Merkle-Hellman and Diffie-Hellman patents (chiefly). These in turn were owned by MIT and Stanford respectively. At the time of PGP 2.5-2.6, disagreements between RSA and Cylink were already brewing. My source on that tale is Jeff Schiller of MIT, who regaled me with a lot of history at one IETF. He told me that the ultimate owner, MIT, weighed in on approval of PGP. A number of people, notably Hal Levin, simply started distributing PGP as essentially MIT's, daring anyone to object. I suppose that had Cylink wanted to intervene, they could have (M-H covered the concept of public key cryptography), but chose not to. The PKP divorce is another long story.

Jon, Ah, Cylink was the other company, the one that sued. It had fallen out of my head. And it looks like my memory had PKP --> RSADSI when it was actually RSADSI --> PKP to corral all those patents for exploitation purposes. When the lawyers get involved it seems like everything turns into a long story.

Anyway, the distinction I was making between ownership and control remains relevant, I think. MIT's involvement was not so simple as "we own and so we'll do what we like with it in re letting PGP use RSA", and that's what I was aiming to convey. Still, on this I think you should choose the terminology, having heard other concerns. Unless PRZ thinks another phrase is better still? ww 15:48, 8 May 2004 (UTC)

I've skimmed this and am presently at the point where I can no longer critically read it. It all appears to be perfect enough. I've turned PRZ on this to supply his comments. I made a few minor edits at his request last night and will do more that he calls out. Jon

The security problems with PGP 2 have not been patched. They are still there, and I believe that unless you are already a PGP 2 user, you shouldn't. They are:

• PGP 2 uses MD5, which is known to have flaws.
• The fingerprint of the PGP 2 keys is the MD5 hash of the public key data, but not its length. This means that it can be spoofed.
• The key id of a key is the low 64 bits of the public modulus, which can be spoofed. In the new keys, it's a truncated hash.
• The Katz attack works best against PGP 2, and is thwarted with MDC in OpenPGP.

None of these can be patched. None of them are "oh, my god, bar the door!" flaws, but they're flaws.

J, Check the changes I've made. Does it now have the sense needed? ww 18:33, 7 May 2004 (UTC)

There are some flaws that could be patched against, like the Klima attack to get the private key. But realistically, that fix isn't in the average copy of 2.6.whatever. Also, realistically, no one is going to do a Klima attack against you who can't do something more interesting. The Klima attack requires write access to the disk. Nonetheless, no new user should be using PGP 2, any more than they should be using Windows 3.1, Mac OS 7.5, or Linux 0.99 (which all date from the same era).

suggestions re featured candidate status

On the featured article candidate page, jwr made some helpful suggestions. Many of them have been implemented as of this note. None are meant to change any content, but to reblock, add headings, subheadings, and some framing comments here and there. ww 15:39, 11 May 2004 (UTC)

Hey, it might be an idea to include an ISBN for the book mentioned in the references/links section. Also, I found slightly frustrating the "(see Zimmermann's published testimony in various hearings)" type things. I would have liked to be able to more easily follow a link or reference to these things. Seems a teeny bit long at times too. How about a timeline diagram? I can knock one of these up for you if anyone thinks it's an idea with merit. Pmcm 23:46, 16 Aug 2004 (UTC)

If we can find some web links it would be great. I think a short-ish chronology would be quite useful; I suspect it'd be better, in this case, in the form of a table rather than a timeline diagram. — Matt 03:19, 17 Aug 2004 (UTC)

Most widely used?

It is, in its various versions, the most widely used cryptosystem in the world.

Do we have evidence for this? (I'm slightly skeptical...what about various mobile phone encryption standards? US military communication hardware (which must see use in a fair few places)? Financial cryptography?) ... OK, the latest version is:

Throughout the world, it is, in its various versions, the cryptosystem most frequently chosen by users.

It might be, but I'd like to see some evidence (and the wording does sound a little like a washing powder advert!) — Matt 07:19, 4 Sep 2004 (UTC)

But PGP does keep one's laundry private. Should it not sound like a detergent (AE usage, but in this case I prefer BE) ad (again AE, while I prefer BE)? ww 20:13, 9 Sep 2004 (UTC)

small typo

'entire' was changed to 'entirely'. It wasn't a typo, just an unusual use of language. ww 14:25, 13 Jul 2004 (UTC)

If it's unusual enough to look like a typo to most people (and it does to me, too), it's probably better as "entirely". (As an aside, is it really correct to use this adverbially?) — Matt 22:56, 13 Jul 2004 (UTC)

Matt, Yes, in the sense that I've seen it used that way, though perhaps not in technical writing. I think it was a poem; certainly something literary. I agree that it's misreadable, having been now misread twice. Is it so clearly misreadable as to not be usable? ww 18:45, 14 Jul 2004 (UTC)

It might well be; if readers have never seen it used that way, it's very likely to be parsed as a typo. — Matt 19:55, 14 Jul 2004 (UTC)

Matt, 'Might well be' = unusable? ww 20:10, 14 Jul 2004 (UTC)

I think so, I'm afraid. — Matt 03:26, 17 Aug 2004 (UTC)

this section somewhat technical

Matt, This note was inserted in response to a plea from a reviewer (by jwr?) that technical material was not sufficiently separated for those not interested in it. It thus was, in some sense, an invited note. I think it ought to be restored. ww 16:22, 10 Sep 2004 (UTC)

I agree that separating out technical material is a good idea, but what purpose does it serve to place a note indicating that we have done so? — Matt 17:05, 10 Sep 2004 (UTC)

Matt, Reader warning. Some are non-plussed when encountering technical material, perhaps especially mathematical or somewhat mathematical stuff. I wouldn't myself have thought of it perhaps, despite some experience with the problem, but had it called to my attention in this instance. There was even a note (to my talk I think) appreciating it not long after it was added.

How to handle such material for the non technical is a perennial problem and painful experience forces me to the conclusion that no 'solution' will be acceptable to all. I was guided here by a representative of the opressed. ww 17:41, 10 Sep 2004 (UTC)

Improper wording?

Shouldn't the choice of words be refined a little? The article has some words that don't seem well-chosen for an encyclopedia. For example:

• "[..] the FBI >got< a court order [..]"
• In "Limitations": ``PGP cannot keep out the FBI if they have a court order and sneak into your computer via burglary or the Internet, can't deter the FSB from torturing your passphrase out of you [..]´´

Just an opinion. Please tell me if I am wrong.--Logariasmo 00:12, 27 Sep 2004 (UTC)

If you feel a change is needed, feel free to make it yourself! Wikipedia is a wiki, so anyone — including you — can edit any article by clicking the edit this page tab at the top of the page. You don't even need to log in, although there are several reasons why you might want to. Wikipedia convention is to be bold and not be afraid of making mistakes. If you're not sure how editing works, have a look at How to edit a page, or try out the Sandbox to test your editing skills. New contributors are always welcome. — Matt 08:11, 27 Sep 2004 (UTC)

Yes, but in this case, I wanted to know if it was just me who thought this has to be corrected. In any case, I will make some changes.--Logariasmo 15:09, 27 Sep 2004 (UTC)

Your changes look good to me, thanks! — Matt 15:38, 27 Sep 2004 (UTC)

Ståle Schumacher Ytteborg

Hi,

I am curious what is the edit option under Wiki is for. I have tried to correct that Stale is a lady, but the system (or the editor) changed back to a man. I was an original contributor to PGPi project back in 1999. And I am 100 % absolutely certain that Stale is a lady, got married and has kid(s). She has been a great coordinator for the international versions of PGP. In the previous pgpi.org website one can information on her (having to look further).

Thank you.

T. Netratanawong 23 November 2004

Your information contradicts at least Ståle Schumacher Ytteborg which reads "He is married to Ulrikke Isabelle Ytteborg; they have two children.". Certainly, this guy has the same name and the same birth year, and the same name change. I cannot find any evidence at pgpi.org — do you have a source? — Matt 00:51, 23 Nov 2004 (UTC)

this archived copy of a homepage gives further evidence that everyone's discussing the same individual here. — Matt 00:56, 23 Nov 2004 (UTC)

Ståle is very, very definitely a man's name in Norway. Egil 02:35, 10 Jan 2005 (UTC)

Split Article

It may be wise to spit this article into 2 or preferably 3 articles. PGP should really describe the software that goes under that name. While some details of operation should be on that page not all of it should be. OpenPGP should be seperate article that discusses the IETF standard. Technical details that apply equally to all implementations of OpenPGP should be discussed there. Finally because the history of both PGP (the app) and OpenPGP (the format), are pretty much the same the history and is quite long it should probably be at History of PGP with History of OpenPGP as a redirect.

And of course all pages, should be clear on how PGP (the format) was once proprietary but then opened by OpenPGP. 66.144.41.232 17:42, 19 Apr 2005 (UTC)

I also agree strongly with the initial proposal of re-splitting the content and having new History of... pages. OpenPGP is the proposed standard, PGP and GnuPG are implementations of it. GPG is the name of the command for GnuPG. -- MagicFab 13:11, 2005 Nov 22 (UTC)

How much is there to say about PGP-the-software that's not also historical? IMO most of the current article would end up in either (Open)PGP-the-format or History of PGP. -- JTN 21:11, 2005 Apr 19 (UTC)

Okay. very true. Then how about just the OpenPGP split. Some of the infor,ation is duplicated on GPG which is a waste. Details on how one works that applies to both, (and most likely all other implementations) should really be in one place, if just to ensure that they stay reasonably synchronized. 205.240.38.27 00:37, 20 Apr 2005 (UTC)

OpenPGP was a separate article until it was merged in last month. I don't have a strong opinion on it, but I'd lean towards splitting the OpenPGP stuff back out again. — Matt Crypto 01:26, 20 Apr 2005 (UTC)

I merged in OpenPGP in order to reduce redundancy and compare it to the pre-OpenPGP format; I didn't think I could usefully do that if the material was in separate articles. (The comparison is not just of historical interest as there are still V3 keys in circulation, and probably will be for the foreseeable future, as they have hard-won signatures; this was my main motivation for finding out about this stuff in the first place.)

I agree that reducing redundancy in articles like GPG is good. I think there's stuff that could be trimmed from this article - for instance, there's a lot of stuff that would be better described in reference to generic cryptography articles, such as asymmetrically encrypting a symmetric session key , which is hardly unique to PGP - but I haven't got round to it myself yet.

JTN 10:26, 2005 Apr 20 (UTC)

Having thought about it some more, I'd now strongly support splitting out the OpenPGP stuff again, and keeping only material specific to the PGP implementation here. — Matt Crypto 16:08, 22 November 2005 (UTC)

Truncated sentence?

@there was an additional requirement that the recipient state where they were resident:

What should "the recipient state where they were resident" do/be?

Isn't a genitive missing as well somewhere? Who are "they"? Shinobu 20:31, 20 July 2005 (UTC)

"They" are the guys wanting to download PGP, and "state" is the verb "to state" here... -- ClementSeveillac 21:16, 20 July 2005 (UTC)

O-okay... that makes sense. However, shouldn't in that case "they were" be congruent to the recipient (sng.) to yield "he is", or change "recipient" ro "recipients"? Oh well, at least I know what it means now. It's funny the way a perfectly normal sentence sometimes just seems to escape comprehension. Thanks! Shinobu 04:54, 8 August 2005 (UTC)

re edit to remove links in discussion of public key operations

This edit removes a number of links to other topics from this article. It is unfortunate in that sense. However, the removed material also includes a brief (though not brief enough for some I suppose) evaluation of the security context for the use of asymmetric key encryption and of PGP's status re other systems. This is useful information for those who are not crypto fans. It should be retained. Comments? ww 18:39, 4 September 2005 (UTC)

It's better to discuss the generalities of how public-key cryptography works, and its various security issues, in articles like public key encryption or digital signature or non-repudiation. I don't think it's the best thing to discuss this stuff in articles on specific pieces of crypto software; it's not meant to be "stand-alone". — Matt Crypto 19:26, 4 September 2005 (UTC)

passphrase and private key

Why is there both passphrase and private key encryption/decryption? Why isn't there just a single of them? Is someone able to read my messages if he is in possession of only my private key, but not my passphrase? What about the opposite case? Why did they introduce this double-lock?

Thanks, --Abdull 22:41, 5 October 2005 (UTC)

This is exactly two-factor authentication: here you protect your identity by something you have (the private key, presumably on a file on your computer or sometimes on a smartcard) and something you know, the passphrase that "unlocks" the private key. This way, nobody can impersonate you only stealing (or just reading the file on) your hard-disk , or only knowing your passphrase: he has to steal both, which is quite safer for you. --ClementSeveillac 06:36, 6 October 2005 (UTC)

A & CS,

PGP / GPG use an asymmetric algorithm to protect a symmetric algorithm key used to actually encrypt the message. At least in the usual operating mode; it's possible to have PGP use only the asymmetric key algorithm, but this is rarely done (lessened speed if for no other reason). Likewise for the symmetric key algorithm encryption only mode, but lessened security makes this uncommon. Asymmetric key algorithms useful in this context use two keys, one of which is the "private key" (NB, a poor choice of terms as all symmetric key algorithms are also inherently "private"). That asymmetrick key algorithm private key is hardly human readable or rememberable, and so it's kept in a 'keychain file', ideally not on storage accessible from other machines (local or remote). Perhaps a thumbdrive kept around one's neck? Anyway, wherever kept, the private key should not be in immediately usuable form lest life for a light fingered thumbdrive thief have things to easy. The passphrase is used to control access to the actual private key (which gives access to the symmetric key algorithm key used to encrypt the relevant message). Some implementation of a PGP / GPG sysmte might also require a second challenge factor (like a smart card or some biometric detection or ...). ww 21:18, 6 October 2005 (UTC)

Duplicate article?

It seems that article Pretty_Good_Privacy and PGP talk about the same thing. Shouldn't they be merged? (I am no expert in this field, but they seem to copy each other)—the preceding unsigned comment is by 193.165.253.198 (talk • contribs) 13:40, 4 January 2006 (UTC1)

PGP used to be a redirect to Pretty Good Privacy, but on 25 December 2005 the anonymous user 146.115.65.15 apparently copied the contents of Pretty_Good_Privacy to PGP. The changes to PGP should definitely be merged back into Pretty_Good_Privacy and PGP be again turned into a redirect.—Tobias Bergemann 13:54, 4 January 2006 (UTC)

After looking at the recent edits to PGP I find them to be bordering an vandalism. I am going to change PGP back into a redirect without a merge.—Tobias Bergemann 13:56, 4 January 2006 (UTC)

By the way: thank you for spotting this! And as we are talking about mergers right now: you may want to have a look at Wikipedia:Merging and moving pages, especially at the section about proposing a merger. This page describes a more formal approach to handle content duplication such as the one you found.—Tobias Bergemann 14:28, 4 January 2006 (UTC)

GPGee reference

I have taken the liberty of adding a reference to GPGee in the implementation section. I should disclose that I am the author of GPGee, so I thought this change, while minor, should have some attention drawn to it. GPGee has been included by Werner as part of his packaging of Windows GnuPG tools in gpg4win, so it does have some official status.

Why not asymmetrically encrypt the whole message?

There are also cryptographic vulnerabilities in using asymmetric key algorithms when they are used to directly encrypt messages.

I am removing the above sentence because I can't see how it can be true. If someone would care to provide a better explanation with citations, feel free to re-add the sentence. I believe the slower algorithm is the only reason that PGP uses a symmetric key to encrypt the message.

The article would also be improved if someone would mention the typical key size of the symmetric key that's used to encrypt the plaintext. And what the response has been to any previous movement to just use the strongest asymmetric encryption available to encrypt the whole shebang. Thanks - Tempshill 19:23, 22 February 2006 (UTC)

Actually the sentence should probably stay. See RSA and cryptanalysis for some perspective. And see below. ww 06:37, 23 February 2006 (UTC)

The biggest reason not to use asym for the whole message is that it's cruelly slow compared to a symmetric-key algorithm. I think the throughput of hardware asym crypto is on the order of 10s of Kbytes/second, while you can get AES encryptors in multimegabit/sec range (I think you can do a gig, but I'm not sure about that). --Alvestrand 20:00, 22 February 2006 (UTC)

Understood. The article says as much, although your stats would improve the article a lot if you could run down the exact numbers as of this date and insert them in that section. One could easily imagine arguments, though, that an end-to-end encryption system would benefit if short messages under, say, 1K (e.g. most e-mails) were asymetrically encrypted and for those messages, the overhead of the symmetric key were removed. To take this argument to an extreme, a single-character e-mail would clearly benefit from this tactic.

My main question, though, is whether asymmetric encryption of the whole thing would increase the difficulty of cracking those messages. If so (or if not) the article should probably say so, since as a layman the question occurred to me, and will probably occur to other people. Thanks. Tempshill 00:09, 23 February 2006 (UTC)

temp, It's probably not possible to find a constant figure for slowness of asymmetric encryption algorithms vs symmetric encryption algorithms. Not all of those in either category have the same speeds, and will differ in any case depending on implementation (parallism if the platform supports it), CPU word size, use of assembler functions to increase speed, ... The best possible answer here is indeed vastly slower...

As for using end-to-end asym encryption as you suggest, it would be possible (aside from the speed problem). But the attack vulnerability varies with algorithms, including asym algorithms, and they have additional vulneabilities that symmetric ones do not. Public key certification (tie, this key belongs to this user) is hardly invulnerable to spoofing. And then there are man-in-the-middle attacks to which some of these are more vulnerable than a proper symm algorithm. Among the additional vulnerabilities of some algorithms is too short a plaintext... Crypto is twisty, twisty, twisty, and what seems sensible is too often a sinkhole for the unwary. Beware the crypto snakes in the weeds.

Key length differences are rather easier to follow. If we consider only brute force search, then the more keys the better as it increase the Opponent's work load (Shannon called it the 'work factor'). In symmetric encryption cyphers, all possible key values are usable (disregarding weak keys, which some cyphers have). The work factor for keys longer than maybe 100 bits is too great for brute force to be feasible. The safe key length depends on the processing speed the Opponent can afford (which in turn depends on such things as raw CPU speed, cache sizes and types, bus speeds, network connection speeds, parallization, ...). In contrast, because asymmetric key encryption algorithms (at least those witht he privet key - public key property) have two keys which are inextribably related. So just any pair of keys are unlikely to meet those relation requirements. Top have a large enough key space (ie, key length more or less) to contain a sufficiently large enough number of key pairs to make the Opponent's life miserable means that vastly longer keys are required. RSA keys, for instance, are suggested to be 1024 bits long for equivalent Opponent misery as say 100 bit symmetric keys. Elliptic curve asymmetric encryption algorithms are an exception in that their keys for equivalent security should be about the smae or a little longer than symmetric keys.

Every so often, someone will look into this, survey the current status of brute force searching, and recalculate an estimate for minimum length keys needed ro various algortihm classes. Things have been changing as Moore's Law makes the hardware faster and faster and cheaper and cheaper. Best to guess on the longer key side, than to bee too low.

It is not true that symmetric encryption algorithms are worse (or better) than asymmetric key algorithms. First, there are examples of each class which have been broken. And second, there are no proofs of unbreakability for any of them. At this writing, unless somebody's preparing the epochal paper just now, the only unbreakable encryption algorithm is the one time pad -- used properly. This is quite hard to arrange in practice, and so it's not used routinely. But, the essentially unanamous opinion amongst the informed, is that there are both asymmetric and symmetric algorithms which are effectlively unbreakable by direct cryptanalytic attack. The biggest security issue in the real world is almost never (except for snake oil crypto from Bozo inc of which there is far too much) a broken algorithm. It's defects in the protocols, misuse of them, human error, poor crypto system design, extortion, threat, Post-it notes attached to monitors, lists of keys (or controlling passwords/passphrases) protected by the generally laughable locks in most office furniture, lost laptops or PDAs, security vulnerabilities in the OS running the crypto system (those folks should know who they are, but too many don't), ... Mostly, none of this has anything to do with direct cyrptanalytic vulnerabilities (again excepting snake oil garbage).

Does this help some? ww 06:35, 23 February 2006 (UTC)

Very much so, thanks for the perspective. As a layman, it had seemed to me that the use of the symmetric cipher was a security weakness in the name of speeding up encryption. 24.16.74.233 04:58, 24 October 2006 (UTC)

Speed of asym vs symmetric crypto

No definitive answer... but I found one product on the net that does both: Portwell ABC-110 (basically the result of a random googling - no endorsement implied). Performance data:

• Asymmetric: 1750 1024-bit RSA operations/second
• Symmetric: AES at 200 Mbits/second

I'm not quite sure how to compare those numbers, but I *think* that one RSA operation will encrypt or sign one 1024-bit value, so you can call the RSA "throughput" 1.79 Mbits/second. So a factor of 100 in speed difference seems a reasonable "ballpark estimate". This probably belongs on the asym crypto page, if anywhere, not on the PGP page. But this is where I opened my mouth first... --Alvestrand 07:29, 23 February 2006 (UTC)

The following discussion is an archived debate of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.

The result of the debate was don't move. —Nightstallion (?) 07:15, 17 May 2006 (UTC)

thanks for the update in recent edit

Jon, good to see you back and glad to have an update from you. Thanks and hang around, eh? we could use a little pro leavening here in the crypto corner. ww 03:49, 25 May 2006 (UTC)

Requested move

Pretty Good Privacy → PGP – Rationale: No one ever says 'Pretty Good Privacy' when talking of this - they always say 'PGP'. Hence since the concept is "almost exclusively known only by its acronyms and is widely known and used in that form", WP:NCA says the article should be at the abbreviation name as with NASA, CERN, SETI etc. … SteveRwanda 12:38, 12 May 2006 (UTC)

Survey

Add *Support or *Oppose followed by an optional one-sentence explanation, then sign your opinion with ~~~~

• Support For reasons above. — SteveRwanda 12:40, 12 May 2006 (UTC)
• Oppose unlike NATO this is not an acronym known to the general public. Seems to me that for experts in other fields the PGP acromym could mean any of the terms on the PGP (disambiguation). PGP (disambiguation) was moved there from Pgp on 23 April 2006 by SheeEttin, and on the same day the PGP page was also redircted from the disambiguation there to here. --Philip Baird Shearer 16:10, 12 May 2006 (UTC)
• Support, sensible. James F. (talk) 19:37, 12 May 2006 (UTC)
• Oppose. Leave PGP as a dab page, since there are other fairly-well-known PGPs. -Hit bull, win steak^(Moo!) 21:05, 12 May 2006 (UTC)
• Oppose. Pretty Good Privacy is virtually unknown outside of the open-source computing world. It shouldn't usurp a disambiguation page when we have several other topics with an acceptable acronym of PGP. Warrens 21:35, 12 May 2006 (UTC)
• Oppose ILovePlankton ^{(T—C—U—L)} 23:01, 12 May 2006 (UTC)
• Oppose Jonathunder 04:55, 14 May 2006 (UTC)

The above discussion is preserved as an archive of the debate. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

Backdoors?

David Shayler was the host of a 13-episode series from Britain called "Spy School" and in one episode calimed that all versions of PGP from v6.0 on up carried a backdoor for the United States Government to use. What's the deal with that, exactly? Sweetfreek 06:09, 11 July 2006 (UTC)

Some versions of PGP had a feature (I've forgotten what they called it) which would encrypt the message to a company key as well as the recipient's key, so that the company could decrypt it as well as the recipient: he may be referring to that, but it's not really a back-door. From what I remember it was required by a number of companies because of laws requiring them to keep copies of all correspondence. Mark Grant 10:21, 11 July 2006 (UTC)

This guy David Shayler also believes that the 9/11 attacks were a U.S. government consiracy and that no airplanes hit the World Trade center, but in fact were missiles disguised as airplanes. This is the kind of guy who thinks that PGP has a back door for the U.S. government. Phil Zimmermann 26 Dec 2006

Just saying that you are Phil Zimmermann does not prove anything to me. Plus, in case you haven't noticed, a fairly large (and increasing) percentage of Americans believe the U.S. Government had a role in 9/11... the details of which I'll concern myself with when they become relavant to the subject of encryption. Sweetfreek 07:48, 16 January 2007 (UTC)

"a fairly large (and increasing) percentage of Americans believe the U.S. Government had a role in 9/11" For the love of God, stop embarrassing yourself. This statement is both untrue and utterly, utterly stupid. 216.220.11.84 03:22, 22 September 2007 (UTC)

What? "Just saying" that I am Phil Zimmermann doesn't prove... what? Doesn't prove that I am Phil Zimmermann? If you doubt this, go to my web site [1], get my phone number, and call me and ask me if I am me. And while you are visiting my site, take a look at the special page I have on the subject of back doors. [2] prz 08:55, 10 February 2007 (UTC)

Well, he could prove that he is Phil Zimmermann if he signed his post with his own PGP key. -Anonymous —Preceding unsigned comment added by 99.228.9.61 (talk) 15:05, 29 September 2007 (UTC)

I know this is anecdotal but i know a guy who had his pc stolen by the feds and they sent it to nasa and they couldnt decrypt it and they tried for 6 months, and i know numerous people who have had their pgp'd computers seized by the police in england and not one of them has had their encryption broken and any of their files revealed. Not much of a backdoor. —Preceding unsigned comment added by 213.235.33.15 (talk) 09:54, 3 April 2008 (UTC)

Grand jury investigation

I happen to know why Phil was not indicted, because I knew one of the Grand Jury members who had Phil's case.

What happened was that the US attorney presented the case to a Grand Jury in San Jose.

Bad idea! I am not sure if there were two or three Grand Juries involved, but the essence of the problem is that they got serious hackers (old style meaning) on all of them. It was just about impossible to emplanel a Grand Jury in San Jose without getting at least one technical person who could explain the issues to the other members.

The Grand Juries, of course, refused to charge Phil. Now a US attorney can charge someone without a Grand Jury, but if they have presented a case to one (in Phil's case at least two) and the Grand Jury will not indite, they never or almost never charge a person.

The problem with this information is that it is not verifiable unless someone can get Grand Jury records or one of the members speaks to the press.

But it was a first hand account to me. Keith Henson 08:53, 28 August 2006 (UTC)

Based on todays technology, there will never be a 100% security. We will never know i fthere can be or can not be a backdoor to PGP

Free version

I seem to remember that when PGP started, Zimmermann was very keen to offer a free version for a home user; he wanted everyone to start using encryption and, in particular, I seem to remember that he promised that there will be a free version available forever. Where is this all gone? The PGP website contains no mention of a free version. Google hits for free version of PGP 8 redirect to trials on PGP website. Does anyone know? I'm surprised to see no mention of this in the article. --Romanski 08:35, 28 August 2006 (UTC)

PGP Corp still offers freeware versions for noncommercial use. When you click through to their page, you will see that they now call it trialware. Before you jump to the wrong conclusions, read the entire page, in detail, every word. It's still freeware. I get email from people because they immediately stop reading as soon as they see the word "trialware". Please take the extra few seconds to read what it actually says on the page. - Philip Zimmermann User:prz

Sources

Does anyone have any sources for the following?

Since PGP now permits the use of several algorithms, current PGP messages are not equally susceptible to any potential breakthroughs against the original algorithms. However, there has been some speculation that the first released PGP version (using the RSA and IDEA algorithms) might have been broken. PGP's author, Phil Zimmerman, was criminally investigated for three years by the U.S. Government for having violated munitions control regulations in connection with the availability outside the US and Canada of PGP. The investigation was abruptly dropped. Zimmerman has publicly stated that the investigation might have been dropped because the U.S. government had found a way to break PGP messages of that period.

Thanks. — Matt Crypto 10:28, 23 September 2006 (UTC)

I am Philip Zimmermann, and I catagorically deny ever saying to anyone that "the investigation might have been dropped because the U.S. government had found a way to break PGP messages". I would never say such a thing, or anything remotely like that. You don't have to look for sources, since I am quoted as the source, and I specifically deny saying it, so there is no source. I talk about this irresponsible assertion at length on the FAQ page on my own web site. This is a fine example of why people criticize Wikipedia because it allows the posting of such misinformation in an encyclopedia. Anyone who wants to check on whether I said this can call me, my number is on my web site. And, I might add, whoever quoted me misspelled my name. User:prz

PRZ, On behalf of Wikipedia and Wikipeidans, I apologize that WP has gotten your name mispelled. In a world of errant digits (and no spell check function when directly editing WP articles), one must sadly expect such problems. When English (spelling by North Country loons) is added, well....

On your other point, I would note that at least WP managed to label the alleged comment as having been speculation. For what that's worth, which may not be much. I expect it will be removed rather promptly, though I'll myself refrain from doing so to see how long it takes.

WP does deserve credit for getting a good bit straight in this article, as in quite a few others in the crypto cornet. And elsewhere too.

It may be that WP is an example of the old saw, "It wasn't that the horse sang badly, it was that the horse sang at all". Rather like Linux in that sense. Who would have thought it possible, in years past, that a high quality operating system (much less the largest encyclopedia in human history) could have possibly been produced by hordes of unpaid volunteer unvetted as to knowledge or authority? I certainly wouldn't have, and I remember those days too clearly. When spaghetti code and its supposed remedy, sturctured code, were the high voltage debate of the time, this sort of thing was below the horizon with a bullet. ww 04:20, 24 September 2006 (UTC)

PGP the Program and PGP the Corporation

Shouldn't this article be broken into two parts or at least the "PGP corporation" template be moved to a different article? The program and the company are two different entities. I think the inclusion of the PGP Corporation template is confusing to readers. Rearden9 14:39, 17 October 2006 (UTC)

R, You have a point, to be sure. However, the corporate history of hthe program, and the tangled web of patents and patent licensing is part and parcel of the story of PGP. So, while I don't think much of the corporate history probably belongs elsewhere than here, some of it is properly placed here. It is, after all an embodiment of hte resolution of many (most) of those patent and licensing issues. ww 22:10, 18 October 2006 (UTC)

The Corporation has a page, PGP Corporation, and I took the liberty of moving the product release history and the company infobox there. Left the history part intact, since it is the history of PGP aswell. The Section Pretty_Good_Privacy#PGP Encryption Applications might need some attention now, since it is closely related to the corporation Teferi 15:07, 14 November 2006 (UTC)

Could someone please rephrase this...

The message recipient computes a message digest over the recovered plaintext, and then uses the sender's public key and the signed message digest value with the signature algorithm.

-- Robocoder (t|c) 20:21, 22 November 2006 (UTC)

Public key fingerprints

There should be a mention somewhere that user identities are specified within PGP messages by their public key fingerprint. It is also the fingerprint that is used to locate user keys on public key servers. — Loadmaster 18:26, 25 November 2006 (UTC)

Screenshots

I uploaded Image:PGPgui1.png, which is a screenshot of PGP 8.1 on WinXP for selecting public keys to encrypt a file. Also Image:PGPkey1.png and Image:PGPkey2.png, which show public keyring and key information. Hopefully, these are the sort of GUI images people were looking for. — Loadmaster 20:40, 27 November 2006 (UTC)

Do users on both ends need PGP?

the article doesn't make clear: Can I use PGP and send messages to people who don't have it? A salient detail like this should be prominent in the "How it works" section. Thanks, 68.123.41.244 18:58, 1 July 2007 (UTC)

OpenPGP redirection

Why does OpenPGP points to Pretty Good Privacy? I think OpenPGP as a standard should have its own Wiki page.

cheers raff 123.255.55.238 00:17, 21 October 2007 (UTC)

I think that's a good idea. Especially if you can explain the history and the reasoning that led to there being a formal standard rather than just saying "everyone should use PKZ's code". (I was around at the time, but am not sure I could lay my hands on the documentation easily....) --Alvestrand 19:45, 25 October 2007 (UTC)

List of implementations in external links

This list has now been removed, restored, removed and restored again (the last time by me). There's a link to it in the header of the "PGP.com encryption applications" sections, so just removing it needs a bit of cleanup.

I think it's valuable to make the point that multiple implementations exist, even though I agreee the current list is a bit of a link farm. Would it be better to clean it up instead of removing it? --Alvestrand 20:05, 25 October 2007 (UTC)

Well, I agree to talk about multiple implementations. But I think this should not be done by just adding some implementation links. If someone wants to invest into this topic, please unmerge "OpenPGP" from "PGP" and let us focus on PGP and Phil Zimmerman in this topic and get into the flavours of OpenPGP implementations (open source, commercial / libraries, applications) in it's own topic. --LenaBerlin 21:58, 25 October 2007 (UTC)

I can't agree that OpenPGP is so separate a topic from PGP that its implementations can't be included here. Deserves a separate article to be sure, but not such hermetic separation. ww 22:26, 10 November 2007 (UTC)

Graffiti / Spam / Vandalism

http://en.wikipedia.org/w/index.php?title=Pretty_Good_Privacy&diff=192345881&oldid=191881792

Above link shows where somebody has plastered "pretty good" through the whole article. I assume it can be reverted in one go but I don't know how / if I can do that. Article has had some edits since then too, so they need to be kept. Surprised nobody's noticed yet. —Preceding unsigned comment added by 90.194.110.163 (talk) 18:55, 18 February 2008 (UTC)

• Fixed now, found the "undo" link. D'oh! Sorry for not signing too. Any other articles ended up like this I wonder? 90.194.110.163 (talk) 18:58, 18 February 2008 (UTC)

No, it was just the one. Click on the editor's name/IP address in the article history to get his/her edits: [3]. All the best! --Old Moonraker (talk) 19:11, 18 February 2008 (UTC)

Security confidence level.....

I know that it is impossible to seek 100% security but is it possible to seek 95%???

Please see my post at

Talk:Cyclic_redundancy_check for the section of Controversial opinions

and

also at

http://www.cryptography.org/getpgp.htm for the section of IS PGP REALLY SECURE?

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4059371

All I need is the information on 95% security confidence level —Preceding unsigned comment added by 64.62.138.98 (talk) 13:36, 24 March 2008 (UTC)

I'm sorry, but based on your comments here and on the CRC page, plus the edits you are making, it seems that you are fairly confused about this whole subject. Talk pages aren't really a good place to give help, they are for discussing the particular wikipedia article. For example, the concept of "95% security" is fairly meaningless. Wrs1864 (talk) 15:16, 24 March 2008 (UTC)

I mean 95% confidence level of security which can be computted through statistics and which is a scientific approach