raymond yu web masthead

4:50:07†

Monday, December 11, 2017

Review of PGP 5.0 and 5.5.1
12th December, 1997

[Please note that the figures, pictures referred to in this article are not included here to conserve server space.]

Having to put up with a text based software on the Mac for the last couple of years is not the most enjoyable experience. Finally, a fully graphical and easy to use public key encryption software has arrived last June with the release of PGP 5.0 in the US.

Even though, technically, there was still a big question mark over whether the software can be legally exported from the US, PGP 5.0 spread around the world in typically ‘Net anarchical style. With the release of version 5.5.1. PGP has become even better still.

System Requirements

Both PGP 5.0 and PGP 5.5.1 require System 7.5 or higher. MacOS 8 is preferable for PGP 5.5.1.

To use the keyserver functionality on a PowerMacs you need to have Open Transport 1.1.1 or higher installed. On a 68K Macs you can use either MacTCP 2.0.6 or OpenTransport 1.1.1 or greater to access the keyserver functionality. There is unconfirmed suggestion that keyserver functions do not work on 68K Macs under PGP 5.0.

A New Interface

Version 5.0 onward was designed from scratch to provide graphical user interface. Every function is now a simple mouse click or two away. The layout is intuitive and easy to use. But if you do get stuck a fairly comprehensive online help using Apple Guide is also available.

Key generation is a simple matter of choosing the New Key selection from the Keys menu. A Key Generation Wizard dialog pops up that guide you through the process of key generation. (Fig 1) The dialog provides sufficient basic information so that even a novice to public key cryptography is not likely to get confused.

Three Components

Instead of a single application PGP comes with three components that work together as one:

1. PGPkeys.

This is where you take care of the public and private keys management activities, like key generation, checking validity and trust level of keys, storing your own public and private keys pair and your friends’ public keys. (Fig 3)

Everything you want to know about a key is conveniently summed up in a list. By clicking on each key you can easily change the trust level, access the fingerprint of the key, and change the pass-phrase for your own key.

2. PGPtools.

This is where the main action takes place. You encrypt, sign, decrypt and verify here. (Fig 2)

3. PGPmenu.

This is an extension that places a menu in your menu bar. I find using this much handier than PGPtools itself. This extension substantially extends the versatility of PGP, allowing you to tap into the power of PGP in any other selected program.

You specify these applications from which you wish to access PGP in the PGPkeys Preference menu. (Fig 5)

Through PGPmenu you can encrypt, sign, decrypt and verify files. For example, to encrypt a block of text within a word processor, such as Microsoft Words or Simple Text, it is as simply as highlighting the block of text, choosing the encrypt option from the menu, and selecting the recipient from the list that pops up in a new window. This feature is particularly useful for selectively encrypting a block of text, or a field, in a FileMaker Pro database. The advantage is you do not need to encrypt the whole file. You can still see the rest of the file, but for the more sensitive information in the file you can encrypt it and when you need to see it, it is a few simple mouse and keyboard click away (depending on how long your pass phrase is of course). By making PGPmenu available on the Finder, you can encrypt and sign any files or even entire folder.

Drag and Drop

Drag and Drop is extensively supported in the new versions. You can drag a key, from PGPkey, directly to the trash to dispose of it. To get a copy of the ASCII public key, you only need to drag the key icon in the PGPkey window to any software that handle text (and is Drag and Drop aware). File(s) can be encrypted, signed, decrypted or verified simply by dragging the file(s) to the respective icons in PGPtools.

Integration with Key Server

PGP 5.0 are designed to integrate with public Key Server (ie. the one at MIT). You can quickly and easily upload your public key to the key server. Likewise, it provides a simple interface to search and download the public key of other people. You do this by specifying the person’s name or email address.

PGP 5.5.1 adds new key server integration capabilities. You can use it to automatically store, search and synchronise keys. It is also more flexible than PGP 5.0 by permitting you to specify the key server that you want to access through the Preference menu.

Unlike PGP 5.0 where the search is fairly simple, in version 5.5.1 you can search for key using different criteria such a user ID, key ID, key type, creation date, etc. And the key search window has the same user interface as the one you use to search you keyrings.

Integration with other applications

Apart from the PGPmenu that integrates PGP with other applications, PGP comes with plugin for Claris Emailer 2.0 and Eudora Lite/ Pro.

The plugin further simplify the encryption, signing, and the subsequent decryption and verification process. With the plugin, these activities are achieved by a simple click on the tool bar icons in each application. (Fig 4) It can even automatically encrypt and sign the attachments, without requiring you to separately encrypt and sign the attachments before hand, provided that the application supports the PGP/MIME standard. So far only Eudora supports this standard.

There is, however, a drawback with this approach. The message and any attached documents are not encrypted right away. They are only encrypted when the message is being uploaded to the server. This tends to slow down the mail posting process, particularly if your attachment is large. It also introduces a potential security risk. Ie. The message and document stored on your computer awaiting upload are not encrypted.

Addition Features in PGP 5.5.1

The structure and appearance of PGP 5.5.1 is more or less similar to that of PGP 5.0, but it adds a number of new features. A few that are particularly interesting are:

Contextual Menu

PGP 5.5.1 provides a contextual menu extension that allows MacOS 8 users to access the functionality of PGP through the contextual menu. This makes the already very well integrated software even better integrated with the whole computer.

More Control

You can customise the PGPkey window in PGP 5.5.1. For example, to display one or more of the following information in relation to each key: validity, trust, size, key ID, creation date, expiration date, ADK, description. You can also rearrange the column by simply drag and drop action.

PGP 5.5.1 gives you a choice of three encryption algorithms: CAST, IDEA, and triple DES. Alternatively, you can encrypt a file using conventional encryption instead of public key encryption. Interestingly this capability is available in version prior to version 5.0 but for some reason not included in 5.0.

Security Wipe

PGP 5.5.1 contains a Wipe feature that provides secure erasure of files. One erased the files cannot be recovered with file recovery software. It provides the same functionality as Wipe Info in Norton Utilities so it is not such a new feature, although the ability to securely erased files is a logical extension in a personal privacy software.

Recipient Groups

By allowing you to selectively group people together in a recipient groups, PGP 5.5.1 permits you to encrypt mails and files to all the people in that group simultaneously. A very handy feature.

The Down Side

Size.

The graphical interface is great, however, both PGP 5.0 and 5.5.1 are bloatware. It is huge. The installation of the PPC native version required in excess of 5MB of disk space, and the fatbinary version required 8Mb. This is quite a significant jump from the less than 0.5Mb for previous version. To be fair, despite its size, it appears to run faster and smoother than previous version. This is particularly noticeable during the initial key generation.

Compatibility.

PGP 5.0 introduces different public key algorithms to encrypt and sign. The algorithms used for encryption is different to the one used for signing, although the operations of these two algorithms are transparent to the user. Instead of RSA (or the MPILIB algorithms in previous international version), PGP 5.0 uses Diffie-Hellman (in particular, the ElGamal variant) public key algorithms to encrypt files. For backward compatibility PGP 5.0 can also generate and use RSA key. (However, this feature is apparently disable in the freeware version, and there is no sign of it in PGP 5.5.1.) To sign files PGP 5.0 uses the Digital Signature Standards (DSS) algorithm.

A document signed with keys generated under this new algorithms will not be verifiable by older version of PGP. This compatibility problem could be a concern. But then, perhaps it is time to change your key pairs. After all it is good security practice to change the key once a while just in case the old key has been compromised!

This leads to the next point on security. How does the security of the new algorithms comparied with the old? Some people, especially the rival group of RSA Labs, have claimed that the Diffie-Hellman algorithm has some weaknesses. Of course, PGP Inc claimed the contrary. They claimed in their release documentation that the new keys offer improved security and speed!

Which ever is the case it probably does not really matter to the typical users of PGP. They are sufficiently secure to ensure that the privacy of individuals are protected. So long that you are not a spy than any such weaknesses are unlikely to be a major concern. But then, even a spy may want to use PGP because it is just so easy to use and so well integrated with other softwares.

 


 

 

 

[back to index]