Results 1 to 2 of 2

Thread: PGP/GPG several security aspects

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    634

    PGP/GPG several security aspects

    As I have not found here a lot of tutorials directly related to PGP/GPG, I have decided to write my own.
    This tutorial deals with several general security aspects of PGP/GPG and not specifically on cryptography. Better informations about cryptography principles are here .


    PGP/GPG history:
    --------------------

    PGP (Pretty Good Privacy) was created by Phil Zimmermann on 1991. It is the most known and used cryptographic software around the world. It can encrypt and sign mails and various datas in order to prove their origin and to protect important documents. It exists currently three major independent versions which are only linked by the Open-PGP standards (rfc 2440): PGP itself owned by Networks associates Inc (easy to use, free for normal users, but heavy and suspicious since its source code is not publicly available), GnuPG (commonly called GPG) available freely for a lot of differents OSs with a public source code, and finally GPGi firstly created in order to deal PGP out of the USA.
    Obviously, GnuPG seems to be the more secure.


    Cryptographic algorithms:
    -------------------------------

    PGP/GPG use a large panel of strong algorithms to protect your privacy.
    You can find:

    As symmetrics algorithms:
    - Triple-DES: Probably one of the best and better known symmetric algorithm.
    - IDEA: Generally considered as the best symmetric algorithm implemented in PGP/GPG. Need a plugin to work in GPG.
    - CAST: It has a good reputation but had been less analyzed than Triple-DES or IDEA.
    - Blowfish: (available in GPG only) Same reputation and notes than for CAST, but younger.
    - Twofish: Idem than for Blowfish.
    - AES: Young but popular, it will replace DES on the future.

    As asymmetrics algorithms:
    - RSA: The well known RSA. It is sure.
    - El-Gamal: The current default asymetric algorithm in GPG.
    - DSA: It is only available for signing.

    As hashes algorithms:
    - md5: (128 bits) The better known but also the one with the highest probabilities to generate the same result with different entries.
    - SHA-1 and RIPEMD-160: (160 bits) Nothing crucial about them.


    Key generation:
    -------------------

    Your decision about the algorithms and the key size is only yours.
    Simply don't forget to be as paranoid as usual: install and/or compile the software on a secure and trusted pc, increase the entropy of your system while the key creation process (type randomly on your keyboard for example), protect physically your private key, and choose a good password (generally the weakest point in the security chain).
    This chart present the security equivalence between the key size (in bits) and the password size (in characters) if it is an English sentence:

    ----------------------------------------------------------
    symmetric key....asymmetric key....password
    ----------------------------------------------------------
    71..............................1024..................55
    80..............................1536..................62
    87..............................2048..................67
    99..............................3072..................77
    ----------------------------------------------------------

    This size can be divided by 4 or 5 if you use random letters.


    Revocation certificates:
    ----------------------------

    If your secret key is broken or lost, you have to use a revocation certificate in order to warn servers and correspondents to stop trusting this key. You can only create this revocation certificate with your secret key, that's why you should create it quickly after the key creation and store it on a floppy or on a paper.


    Links:
    ------

    http://www.gnupg.org/
    http://www.pgp.com/
    http://www.pgpi.org/
    http://www.ietf.org/rfc/rfc2440.txt


    I'll maybe also write a "GPG on Windows for dummies" tutorial, but I'm not sure. So, wait and see.
    If you have coments or if you find an error, don't hesitate to post or to pm me.
    That's all folks
    Life is boring. Play NetHack... --more--

  2. #2
    Very interesting. I think the readme will suffice for most users.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •