PGP vs GPG - New findings.

Mon Oct 31 13:41:36 PST 2005

<top-posted>

Mark,
Thank you SO much. At least I know what to ask now... but from the few
converstations I've had withe the commercial product PGP people, I fear the
answer will force me toward the path of *buying* rather than using our our
currently working compiled free version. Both Rick and I have been working
on a two week long complete re-write of the EDI system it took me nearly 11
months to write back in 2001. Niether of us have had enough time to breathe
lately, and on top of this usual sort of thing... one of my critical
software systems encountered a gliche that will take me hours to fix
tonight. Also, Rick has built a new house and closed on it Friday... He is
essentially in the midst of "moving". Yechhh... glad I'm not him. :-)

So, all the work you have done and took the time to put out here for me is
much appreciated. Please send an invoice to our fax number for $100 to cover
your investigating this all for me. It isn't much, and might not even cover
your time, but it is obvious you really researched this enough to get to the
hidden meanings I was alluding to...  Just knowing that it might not work
for encrypting... which *is* thw sole reason we need it will save us a lot
of time and money. (Send the bill attn: Maria, as pe Johnny... yes, Johnny,
don't laugh. :-)

Thanks,

John

P.S. - Robin signed into the FP Room today just after you... and I told her
to to get lost. She probably won't talk to me for a wekk. :-)  I am really
pressed to get this stuff done by tonight... then off to NYC at 4am tomorrow
morning... with a deadline of tomorrow noon for transition.  I think I can
arrange for several tests... maybe take up a day or two *without* encryption
just to get the ball rolling... That will give us time to get the soid
answers on compatability and get the commerical product compiled if need be.
Tahnks again.  (Mark your invoice... PGP research.)

John Esak

--our fax is 973-427-4847

> -----Original Message-----
> From: filepro-list-bounces at lists.celestial.com
> [mailto:filepro-list-bounces at lists.celestial.com]On Behalf Of Fairlight
> Sent: Monday, October 31, 2005 3:12 PM
> To: filePro Mailing List
> Subject: PGP vs GPG - New findings.
>
>
> After all the questions raised, I took a look at pgp.com's PGP
> Command Line
> product information on their web site, as well as the GPG docs and program
> itself in an effort to nail down an answer to whether they'd work
> together.
>
> What I found was (I feel) something akin to burying it in the fine print.
>
> Standards
> =========
> Their product supports OpenPGP.  So does GPG.
>
> Encryption algorithms
> =====================
> Their product -supports- IDEA.  You -can- modify GPG to use IDEA, although
> the legality of doing so is questionable depending on circumstances,
> locale, and licensing, as it's patented until 2007 (assuming no extensions
> are sought and granted).  It's better just to avoid IDEA entirely inside
> the US and countries that recognise US Patents, which isn't hard.
>
> However, they also support Cast5, 3DES, TWOFISH, (all supported
> by GPG) and
> AES (the AES is supported up to 256bit, and GPG supports AES, AES192, and
> AES256 so it's a match).
>
> Hashing algorithms
> ==================
> Their product supports SHA-1, SHA-256, SHA-512, MD5, and RIPEMD-160.  GPG
> supports SHA-1, MD5, RIPEMD-160, SHA-256, SHA-384, and SHA-521.
>
> Compression algorithms
> ======================
> Both their product and GPG support ZIP, BZIP2, and ZLIB.
>
>
> On the surface, this all sounds like they're a near perfect match if you
> avoid using IDEA, right?  It goes downhill sharply from here:
>
> Key algorithms
> ==============
> Their product supports Diffie-Hoffman, RSA, and DSA keys up to 4096-bits.
> DSA and ElGamal is not listed.
>
> GPG supports both DSA-only (1024-bit only) and RSA-only (up to 4096-bit),
> but ONLY for signing, NOT for encryption, according to what you're told
> when you generate the keys.  The default is a DSA and ELGamal combined key
> that can be used for both encryption and signing.  Diffie-Hoffman is not
> listed at all.  Please see what you're presented with in GPG:
>
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
> Your selection?
>
> Given this, the main problem may be keys.  The assumption here, based
> on their documentation, is that while pgp.com can handle pure DSA keys on
> either end, but GPG reserves pure DSA keys for signing only and
> you may not
> encrypt with them in GPG, the commercial product doesn't appear to support
> DSA/ELGamal combo keys.  I'd verify this with the vendor before making a
> move.
>
> This could be problematic in the extreme.  If that's actually the case, I
> -can- readily see where they said you'd have little to no success between
> the two for encryption.  Signing, sure.  Not encryption--the
> biggest reason
> to use it.
>
> In addition, their highly-touted ADK (Additional Decryption Key)
> technology
> (patented, no less!) is a JOKE.  The theory is that you encrypt with an
> additional key so that if an encrypted document is encrypted with an
> employee's key and expires, is cancelled, or is lost (or the employee
> refuses to give up the passphrase), the data can be retrieved with an
> additional key.  NEWS FLASH:  Been doing this since PGP 2.6 by simply
> adding an additional recipient that is identical to the signing party.
> What a bloody joke.
>
> On the assumption that the documentation for both products is complete, I
> think keys may indeed be an issue, and this probably will not fly for
> encryption.  The "little" bit of "little to no success" may be signing and
> verification of signing only from the GPG end.  The "no" part is probably
> that you can't encrypt for pgp.com's solution with GPG due to a key
> compatibility issue.
>
> My advice is to ask pgp.com directly whether they support DSA and ELGamal
> combo keys.  If they do not, you are going to -have- to go with the
> commercial product if you want to encrypt between the two, as far as I can
> see.
>
> Best guess:  The docs are accurate and pgp.com went out of their way to
> make it non-interoperable with GPG to force more revenue.  Wouldn't be the
> first time a company did something like this, by a long shot.  Their
> consistent reliance on the phrase "the most important 'x' algorithms" in
> every section, including keys, leads me to believe they don't want people
> to think GPG is important, which is a load of rot.
>
> I hope this helps.  It indicates that, -if- the keys were compatible, all
> the hashing, compression, and cipher algorithms are mutual,
> excepting IDEA.
> However, it also indicates that they probably made keys incompatible.
>
> Check with the vendor and NAIL them down to an answer of whether
> or not DSA
> and ELGamal keys from GPG are supported.  If not, you're basically left
> with no alternatives except getting everyone on GPG or getting everyone on
> commercial.  And if you run into someone that has the flip side of what
> you implemented, you'll either have to get them to switch or implement the
> second package.
>
> To be clear, it's not whether they support only ELGamal.  It's a DSA key
> with an ELGamal subkey, actually.  And that's what I believe they're not
> saying they support at pgp.com.
>
> Condolences,
>
> mark->
> --
> Fairlight->   ||| "I'm talking for free, it's a New  | Fairlight
> Consulting
>   __/\__      ||| Religion..." --Le Bon              |
>  <__<>__>     |||                                    |
http://www.fairlite.com
    \/        |||                                    | info at fairlite.com
_______________________________________________
Filepro-list mailing list
Filepro-list at lists.celestial.com
http://mailman.celestial.com/mailman/listinfo/filepro-list