============================================================================
SUBJECT:  PRETTY GOOD PRIVACY 2.6
SOURCE:   ZiffWire via Fulfillment by INDIVIDUAL, Inc.
DATE:     July 5, 1994
INDEX:    [3]
----------------------------------------------------------------------------

PC Week via INDIVIDUAL, Inc. : Those opposed to, or even just worried about, the federal government's Clipper chip encryption proposal now have a free, easy, and legal alternative. The Massachusetts Institute of Technology and RSA Laboratories have teamed to produce a new version of Philip Zimmermann's PGP (Pretty Good Privacy), Version 2.6. The software and source code are being distributed by MIT along with a free license from RSA Laboratories for non-commercial use. The software was released at the end of May.

PGP uses the Public Key encryption method, which has been patented by RSA. PGP has been distributed since 1990 as an implementation of the Public Key encryption algorithm and has gone a long way in popularizing that method of personal encryption and the use of what are called digital signatures.

PGP has been the subject of controversy, however, since it used to use public-key encryption without a license from RSA, and because it has been distributed all over the world in source-code form, which some federal authorities say is against international encryption-export bans imposed by the United States. Version 2.6, however, is licensed through RSA, so there's no question about its legality.

MIT and RSA's distribution of PGP Version 2.6 is an attempt to short-circuit PGP's popularity. After Sept. 1, 1994, PGP 2.6 will no longer work with documents and keys generated and encrypted by older versions of PGP, and it is licensed for use only in the United States. The release is already causing upheaval, since its public-key format is different than in prior versions, and numerous public-key repositories will have to be updated.

An oversimplified explanation of public-key encryption is that users choose (or generate using software) two large, random prime numbers (only divisible by themselves or one), which remain private. They then distribute the product of those two numbers freely, which is the public-key part of the encryption. Anyone wishing to send an encrypted document to a user can encrypt it using that user's public key. Only the intended recipient can then decrypt the document.

A related use of public-key encryption (and probably its more important use in the future of the information highway) is for digital signatures. A user wishing to "sign" a document uses a private key (the prime factors) and combines it with a checksum of the document. Anyone can then use that user's public key to verify the electronic signature and verify that the document was not altered since the user signed it.

Public-key encryption is especially strong because there is no known "easy" method of breaking down extremely large numbers into their component prime factors (other than brute force). The largest supercomputers today would take centuries to break down a sufficiently large public key, but it only takes a few seconds to generate such a key and use it to encrypt and decrypt documents.

The government's proposed Clipper chip uses a somewhat similar method of encryption. At least, it seems to be similar: Its exact algorithm is classified. With the Clipper chip, however, the federal government would hold the "key" that would let law-enforcement personnel decrypt the chip to be used when wiretapping is authorized by the courts.

PGP comes with extensive documentation that clearly explains the public-key algorithm and provides both a DOS executable and source code for compiling the program on numerous other platforms. The program provides all the normal public-key functions (such as signing and encrypting) through the command line.
Although command line is not the most intuitive method, it lends itself well to automation.

Obtaining PGP 2.6 is a somewhat complicated process. Users must use ftp to get to net-dist.mit.edu and get a README file and various licenses in /pub/PGP, then use telnet to get to the same address to answer a questionnaire and get the address for the rest of the PGP files. Finally, users must use ftp a second time to actually obtain the files. If the user's IP address is not part of a Domain Name Service and can't be resolved to an address in the United States, the user must contact MIT through E-mail.

-- Eamonn Sullivan
[07-05-94 at 17:19 EDT, Copyright 1994, ZiffWire, File: c0705185.2zf]
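
The public-key scheme the article sketches, as an added example (not part of the original article and not PGP's code or message format): textbook RSA in Python with constructed toy primes. The public exponent e, the SHA-256 checksum and all function names are assumptions of this example; it goes slightly beyond the article's simplification by showing that the published key is the product plus an exponent, and that brute-force factoring recovers toy-sized primes at once.

```python
# Added illustration: textbook RSA, toy primes, no padding. Not secure, not PGP.
import hashlib

def make_keypair(p, q, e=65537):
    """Derive a key pair from two secret primes p and q."""
    n = p * q                      # the product is published
    phi = (p - 1) * (q - 1)        # computable only by someone who knows p and q
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def checksum(document, n):
    """SHA-256 digest reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(private, document):
    n, d = private
    return pow(checksum(document, n), d, n)

def verify(public, document, signature):
    n, e = public
    return pow(signature, e, n) == checksum(document, n)

def factor(n):
    """Brute-force trial division: instant here, infeasible for real key sizes."""
    f = 3
    while n % f:
        f += 2
    return f, n // f

# Constructed sample values (both primes, far too small for real use).
P, Q = 1000003, 1000033
PUBLIC, PRIVATE = make_keypair(P, Q)
DOC = b"Meet at noon."             # constructed sample document
SIG = sign(PRIVATE, DOC)

if __name__ == "__main__":
    print("round trip:", decrypt(PRIVATE, encrypt(PUBLIC, 424242)))
    print("valid / altered:", verify(PUBLIC, DOC, SIG), verify(PUBLIC, b"Meet at nine.", SIG))
    print("factors:", factor(PUBLIC[0]))
```

The last line is the point of the key-size argument in the article: the same trial division that splits this modulus immediately has no practical chance against a modulus hundreds of digits long.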