Cryptography Reference
In-Depth Information
any other program. In view of its wide proliferation, quality, and functionality,
PGP deserves this in every respect. I'm not looking for completeness, and it
wouldn't be possible even if I wanted it. All information discussed here refers
to PGP 2.6.3.
Algorithms
PGP uses three cryptographic algorithms:
IDEA for symmetric encryption of messages and files.
MD5 for the creation of digital signatures and initialization vectors, for computation of passwords from passphrases and fingerprints from public keys, and for internal random generation.
RSA for the encryption of session keys, and for the creation and verification of digital signatures.
Passphrases
PGP uses passphrases with a maximum length of 253 characters rather than short
passwords. You will recall that we talked about passphrases in Section 5.1.4.
They are much more secure than passwords, and easier to remember. PGP takes
a passphrase and uses the MD5 one-way hash function to create a 128-bit value
that is then used as an IDEA key.
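The derivation described above, as an added example (not PGP source code): one MD5 pass turns the passphrase into a 128-bit key, shown beside a salted, iterated PBKDF2 derivation for comparison. The UTF-8 encoding, the absence of a salt in the MD5 variant, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import os
import time

ITERATIONS = 200_000  # illustrative work factor chosen for this example


def md5_key(passphrase: str) -> bytes:
    """Single MD5 pass over the passphrase -> 128-bit key, as the text describes.
    Assumed here: UTF-8 encoding, no salt, no iteration."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Comparison only (not what PGP 2.6.3 does): salted PBKDF2-HMAC-SHA256,
    truncated to the same 128-bit key size."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=16)


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def compare(passphrase: str) -> dict:
    """Derive keys for two hypothetical users who picked the same passphrase."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # per-user random salts
    k_md5_a, t_md5 = timed(md5_key, passphrase)
    k_md5_b = md5_key(passphrase)
    k_kdf_a, t_kdf = timed(stretched_key, passphrase, salt_a)
    k_kdf_b = stretched_key(passphrase, salt_b)
    return {
        "md5_key_bits": len(k_md5_a) * 8,
        # Without a salt, identical passphrases always give identical keys.
        "md5_same_for_both_users": k_md5_a == k_md5_b,
        # With per-user salts the keys differ, yet each stays reproducible.
        "kdf_same_for_both_users": k_kdf_a == k_kdf_b,
        "kdf_reproducible_with_salt": stretched_key(passphrase, salt_a) == k_kdf_a,
        # Cost of one derivation, which is also the cost of checking one guess.
        "seconds_per_derivation": {"md5": t_md5, "pbkdf2": t_kdf},
    }


if __name__ == "__main__":
    # Constructed sample passphrase, not taken from the text.
    for name, value in compare("a constructed sample passphrase").items():
        print(name, value)
```

Because the single-pass derivation is so cheap, the strength of the resulting IDEA key rests entirely on the length and unpredictability of the passphrase itself.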
Normally, the passphrase is not displayed as you type it. But you can set the
keyboard echo in the configuration file to enable it if you want to see what
you type. Of course, this is a security risk. The scrolling window I suggested
in Section 5.1.4 might be a suitable solution.
Moreover, you can store your passphrase in the PGPPASS environment
variable. That's very risky. Under UNIX, for example, it can be read by the ps
command with suitable options (normally f). However, ps shows only the
beginning of the command line; more information can be recovered only by
the superuser. If you are the only user of your computer, you can write quite
convenient scripts using PGPPASS.
Phil Zimmermann implemented this option at the request of many users. He
warns against using PGPPASS with a script, though. You should assign a value
to the variable only via keyboard entry.