-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ Revised 3 December 1997 Disclaimer: some of this information may be outdated or otherwise inaccurate. Use it at your own risk. The master copy of this FAQ is at http://www.cryptography.org/getpgp.htm (and at http://www.cryptography.org/getpgp.txt for the text-only version). The official (much more complete) PGP FAQ is available at: http://www.pgp.net/pgpnet/pgp-faq/ WHAT IS THE LATEST VERSION OF PGP, AND WHERE IS IT? PGPmail commercial version: 5.5 http://www.pgp.com PGP freeware, USA-legal: 2.6.2, 5.0, or 5.5 (depending on your platform) http://www.eudora.com http://www.pgp.com/products/freeware.cgi http://web.mit.edu/network/pgp.html PGP: http://web.mit.edu/network/pgp-form.html PGPfone: http://web.mit.edu/network/pgpfone http://www.cryptography.org PGP international freeware: 2.6.3, 2.6.3i, 5.0, or 5.5 http://www.pgpi.com WHERE CAN I GET THE COMMERCIAL PGP? http://www.pgp.com Pretty Good Privacy, Inc. (Headquarters) 2121 S. El Camino Real Suite 902 San Mateo, CA 94403 Main: (415) 572-0430 Fax: (415) 572-1932 WHERE CAN I FTP PGP IN NORTH AMERICA? If you are in the USA or Canada, try one of these URLs: ftp://net-dist.mit.edu/pub/PGP/README ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ ftp://ftp.gibbon.com/pub/pgp/README.PGP ftp://ftp.mindlink.net/pub/crypto/software/README WHERE IS PGP ON COMPUSERVE? GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled. WHAT BULLETIN BOARD SYSTEMS CARRY PGP? MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP. US 303-772-1062 Colorado Catacombs BBS, Longmont CO 8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions. 314-896-9309 The KATN BBS 317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login First Name: PGP Last Name: USER Password: PGP 501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR Login name: PGP USER Password: PGP 506-457-0483 Data Intelligence Group Corporation BBS 508-668-4441 Emerald City, Walpole, MA 601-582-5748 CyberGold BBS 612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN 914-667-4567 Exec-Net, New York, NY 915-587-7888, Self-Governor Information Resource, El Paso, Texas 909-681-6221 ATTENTION to Details (ATD BBS) All lines v.32bis/14.4KBPS minimum CH +41-1-322-7129 MoonLight BBS, Zurich 28800 bps, V34 ZYXEL ELITE 2864 DE +49-781-9483621 MAUS BBS, Offenburg - angeschlossen an das MausNet +49-521-68000 BIONIC-BBS Login: PGP NL +31-26-3890037 Viber BBS, NOTB HOST Gelderland 8 data bits, 1 stop, no parity, up to 28,800 bps. (ISDN soon) Use ANSI terminal emulation. For free access: log in with your own name, answer the questions. Latest version and other tools: FILE AREA: [NOTB] - PGP +31-71-5768914 Insanity Systems III Just logon and answer some questions about where you live and get PGP as well as a lot of PGP-tools for free. The system also has an offline and online PGP-server available for your public keys. WHERE CAN I FTP PGP OUTSIDE OF NORTH AMERICA? BR ftp://ftp.ibilce.unesp.br/pgp The last available version is PGP 2.6ui DE ftp://ftp.cert.dfn.de/pub/pgp/ IT ftp://idea.sec.dsi.unimi.it/pub/security/crypt/PGP FI ftp://ftp.funet.fi/pub/crypt/pgp/ NL ftp://ftp.nl.net/pub/crypto/pgp ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp NO ftp://menja.ifi.uio.no/pub/pgp/ NZ ftp://ftphost.vuw.ac.nz SE ftp://leif.thep.lu.se TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/ GB ftp://ftp.ox.ac.uk/pub/crypto/pgp HOW CAN I GET PGP BY EMAIL? If you have access to email, but not to ftp, send a message saying "help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi WHERE CAN I GET MORE PGP INFORMATION? http://www.pgp.net/pgpnet/pgp-faq/ http://www.pgp.net/pgpnet/ http://www.sni.net/~mpj http://www.mit.edu:8001/people/warlord/pgp-faq.html ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-01.txt http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html http://www.sni.net/~mpj/getpgp.htm http://web.cnam.fr/Network/Crypto/ (c'est en francais) http://web.cnam.fr/Network/Crypto/survey.html (en anglais) http://inet.uni-c.dk/~pethern/privacy.html http://www.stack.nl/~goofy/PGP The PGP-Users Mailing List home page at http://pgp.rivertown.net contains many, many PGP related resources, including resources on privacy, anonymous remailers, and other related fields. The PGP-Users list archives are also linked to the page as is an HTML version of the PGP-FAQ (may not be the most recent), the PGP documentation, resources for MacPGP, links to another mailing list dedicated to PGPfone (which includes one of its authors, Will Price) and the one of a kind, PGPfone Registry, where PGPfone users who would like to test PGPfone with each other can leave messages in a browsable data base to let others find them to connect with each other. CAN I GET PGP DOCUMENTATION IN MY OWN LANGUAGE? Yes. You can get the official PGP documentation in several languages at http://www.pgpi.com German documentation is at http://www.geocities.com/Athens/1802/ Thanks to Florian Helmberg for making it available. WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP 5.x AND EARLIER VERSIONS PGP 5.0 introduces some new algorithms for both public key and conventional encryption. These changes are good from both technical (security & efficiency) and political (patent) standpoints. With the death of the Diffie-Hellman key exchange patent, the freeware PGP new algorithms are 100% free of patent problems, and free of legalese such as come with the RSAREF toolkit. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit, so PGP encryption is actually more secure, now. The new SHA1 hash function is better than MD5, so signatures are more secure, now, too. The conventional encryption used is all sound, and definitely not the weak link in the chain. This much is good news. The bad news, of course, is that there will be some interoperability problems, since no earlier versions of PGP can handle these algorithms. How this affects you depends on the PGP version that you have. There are really 3 versions of PGP called PGP 5.0. The freeware edition can only generate and use the new (faster, more secure, patent-problem-free) algorithms. There is a really cheap (cheaper than one S/MIME key certificate) upgrade to PGP 5.0 for Eudora users that will let you use the old RSA keys as well. Then, of course, the full commercial version of PGP 5.0 can handle both old and new algorithms and message formats equally well. If you want to handle both, you need to either keep both an old and new freeware PGP around, upgrade to one of the versions of PGP 5.0 that can handle the old keys. WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail_Security, How To Keep Your Electronic Messages Private (covers PGP & PEM) by Bruce Schneier 365 pages 1995 pub: John Wiley & Sons, Inc. ISBN 0-471-05318-X $24.95 US The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP PRivacy Software by André Bacard Peachpit Press ISBN 1-56609-171-3 US $24.95 800-283-9444 or 510-548-4393 THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmerman MIT Press April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP Standard PGP documentation neatly typeset and bound. PGP SOURCE CODE AND INTERNALS by Philip R. Zimmerman April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13). IS PGP LEGAL? Pretty Good Privacy is legal if you follow these rules: Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license (except that printed books containing source code are OK to export). If you are in the USA, use either the commercial PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use), or use one of the versions of PGP that doesn't support RSA encryption and digital signatures and use the Diffie-Hellman and DSA algorithms (that aren't patented). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license. If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec: Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone +41 64 56 59 83 Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone +41 64 56 59 45 Fax: +41 64 56 59 90 e-mail: IDEA@ascom.ch Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland) PGP, Inc., has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK). This restriction does not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb. If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission. WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Ammendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books. If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy. Several legislative efforts will, if successful, relax the export controls of cryptographic software from the U.S. See: http://www.epic.org http://www.crypto.com CAN I USE ENCRYPTION LEGALY? Within the U.S. there is no legal obstacle for use of strong encryption. In an ideal world everyone would have the right to use encryption. Unfortunately, your right to use encryption may be restricted or does not exist. In France, the government prohibits the use of encryption without prior permission, that you won't get if you are a private citizen. Germany is said to consider banning the use and distribution of strong cryptographic software in the name of "national security." United Kingdom may adopt a key escrow system. For a recent update on the legal situation see The Crypto Law Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm HOW DO I SELECT A GOOD SECURE PASSPHRASE? See: http://world.std.com/~reinhold/diceware.page.html http://colossus.net/wepinsto/wsft_f/wspp_f/passfraz.html WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP? http://www.dayton.net/~cwgeib ftp://menja.ifi.uio.no/pub/pgp/pc/msdos/apgp22b3.zip http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip http://www.eskimo.com/~joelm(Private Idaho) ftp://ftp.eskimo.com/~joelm http://www.xs4all.nl/~paulwag/security.htm http://www.LCS.com/winpgp.html http://netaccess.on.ca/~rbarclay/index.html http://netaccess.on.ca/~rbarclay/pgp.html ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip http://www.aegisrc.com http://www.ncinter.net/~rewilson/PGPClick/ For the Pegasus Mail System: http://www.incrypt.com/imail01.html Invincible Mail for Pegasus For Eudora and Netscape Mail: http://www.eudora.com http://www.pgp.com/products/PGPmail.cgi WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are: ftp://ftp.csn.net/mpj/qcrypt11.zip http://www.cryptography.org ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/ ftp://idea.sec.dsi.unimi.it/pub/crypt/code/ HOW DO I SECURELY DELETE FILES (DOS)? If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. US ftp://ftp.csn.net/mpj/public/del121.zip NL ftp://basement.replay.com/pub/replay/pub/security/del120.zip UK ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHERE DO I GET PGPfone(tm)? PGPfone is for private phone calls using a modem or the Internet. http://web.mit.edu/network/pgpfone ftp://basement.replay.com/pub/replay/pub/voice/ http://menja.ifi.uio.no/pub/pgp/ WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See: ftp://sable.ox.ac.uk/pub/crypto/misc ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz http://www.cryptography.org ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://basement.replay.com/pub/replay/pub/voice/ The official Nautilus home page is at: http://www.lila.com/nautilus/ HOW DO I ENCRYPT MY DISK ON-THE-FLY? Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA. Cryptographic File System (CFS) is a Unix device driver that uses DES. CryptDisk is a ShareWare package for Macintosh that uses strong IDEA encryption like PGP. http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://sable.ox.ac.uk/pub/crypto/misc/ ftp://menja.ifi.uio.no/pub/pgp/mac/ ftp://basement.replay.com/pub/replay/pub/disk/ http://www.cryptography.org ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ WHERE IS PGP'S COMPETITION? S/MIME is gaining a foothold on the secure email market, but my experience with it has been rather negative. Current implementations of S/MIME (1) don't allow secure key lengths to be used except in "U. S. Only" versions, (2) require payment of an annual fee to a key certification authority who verifies only that you got email to your key certificate's address at least once, (3) have much more limited key management facilities than PGP, and (4) the first time I tried to make S/MIME work, it flat out failed to perform as advertised. On the positive side, S/MIME is integrated into email packages almost as well as PGP is integrated into Eudora, and once the kinks are taken out, the secure version of S/MIME (1024-bit RSA keys and 128-bit RC-2 keys) will be good enough for most people. The "export" edition (512-bit RSA keys and 40-bit RC-2 keys) is a very bad idea, because it gives a false sense of security. RIPEM is the third most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG. U.S. and Canada: ftp://ripem.msu.edu/pub/GETTING_ACCESS International: ftp://idea.sec.dsi.unimi.it/pub/crypt/code/ HOW DO I PUBLISH MY PGP PUBLIC KEY? The latest PGP version will interact with key servers automatically if you are connected to the Internet and if you configure them to. For manual key publication, send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too. pgp-public-keys@keys.pgp.net pgp-public-keys@keys.de.pgp.net pgp-public-keys@keys.no.pgp.net pgp-public-keys@keys.uk.pgp.net pgp-public-keys@keys.us.pgp.net HOW DO I RETRIEVE A PGP PUBLIC KEY USING A WWW BROWSER? http://www.pgp.net/pgpnet/www-key.html CAN I SUBMIT MY PUBLIC KEY TO A "CLEAN" CERTIFIED DATABASE? You can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp@Four11.com for information, or look at http://www.Four11.com/ Of course, you can always send your public key directly to the parties you wish to correspond with. CAN I COPY AND REDISTRIBUTE THIS FAQ? Yes. Please only do so in appropriate forums, and provide pointers to the home location of this FAQ. WHO MAINTAINS THIS FAQ? Michael Paul Johnson maintains this FAQ. My PGP public key is at ftp://ftp.csn.net/mpj/mpjkey.asc (includes both RSA and DH keys). -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNITPikSP4McX10e7EQJ8mwCdHGzW1ANOXEJH9cCs0u3LSCS9dYUAoIZ7 peXjEq6vtGjSwdGgfqHAIDkU =dbGo -----END PGP SIGNATURE-----