Cryptography Reference
In-Depth Information
clean implementation. That's much harder than designing pushbuttons and shift
registers.
Release 2.6.3 even supports 2048-bit keys, thus implementing asymmetric
cryptography on the current state-of-the-art. No vulnerability of IDEA is still
officially known, and, well, PGP made IDEA popular in the first place.
A large number of key servers all over the world deposit public keys, and the
number of users has grown to hundreds of thousands. Many mail programs have
PGP interfaces nowadays, and there is a large offer of separate user interfaces
for PGP available anyway.
Unfortunately, PGP uses MD5 as a one-way hash function. This is why signa-
tures created in PGP 2.6 are not worth much nowadays. Here is a conceptual
weakness of the program: the cryptographic modules are permanently built in
and cannot be replaced easily. (But there is a way out of the dilemma; see
Section 7.3.)
Other PGP Versions and OpenPGP
Further development of PGP and the emergence of compatible products had
been rather confusing for many people. PGP 2.6 was progressive cryptologi-
cally, but less as a program:
•
The algorithms it uses are 'permanently burnt in'; it doesn't give you
a choice.
•
Its DOS origin cannot be denied. As mentioned above, it cannot work in
a UNIX pipeline, but instead swaps intermediate results to the disk.
•
It uses the same key for encrypting and signing. This is an outdated and
risky concept.
•
The key management is generally in need of improvement.
The further developments it required were introduced mainly by Colin Plumb
(cryptography) and Derek Atkins (key management) with the participation of
thousands of programmers worldwide. The new release was completely rewrit-
ten and named PGP 3.0 in the announcement, but PGP 5.0 upon completion.
As usual, PGP 5.0 was not to be exported from the USA. However, this didn't
concern its paper format; the lawmakers had obviously waved it off as of little
interest. This is how it happened that the source text of PGP 2.6.2 was printed
