Author: Michael Paul JOHNSON, Contact: Eugenio MORASSI

PGP (Pretty Good Privacy)

PGP stands for Pretty Good Privacy: a privacy that is not bad at all.
A silly name? Not in the least, it is a great truth. Privacy on the net is a much-discussed topic, too much so if you think of the urban legends that grow and thrive behind it.
What is true in these discussions? It is true that privacy on the net can be a chimera, if we cannot disregard the honesty of the VARIOUS sysadmins whose servers our message passes through. It is true that an absolute, total security system does not exist, but it is also true that an e-mail of greetings interests few people, and that knowing it has been intercepted pisses us off a bit, but then...
Pretty Good Privacy is not a stupid name, it is just an understated name, a truth told without shouting. The PGP program provides strong public-key cryptography, a security system that laughs off the brute-force attacks of occasional snoopers; its source is public (OpenSource) and it contains no backdoors detectable by an analysis of that source.
Since strong cryptography (with keys longer than 56 bits) is the basis of all the security of modern transactions, and since its export from the United States was forbidden for a long time, this free implementation caused legal trouble for its author but also a wave of desire for privacy across the whole planet. A privacy guaranteed within reasonable limits, and a guarantee of this kind really is a Pretty Good result.
Of course, with it ill-intentioned people and criminals can exchange illegal content almost with impunity, but letters with subversive content can also be put in an envelope, without our feeling obliged for that reason to write ONLY postcards. If you are e-mailing your ATM code to your spouse, who is at the office without a lira in her pocket but has your ATM card by mistake, PGP is what you need.

This page contains a version of the FAQ (Frequently Asked Questions) on the PGP package. The FAQ is called: WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ and this is the version of 11 August 2000.
We reproduce it as we found it (and therefore in English) for two reasons: the first is that republication of the FAQ is allowed ONLY with its original content (we have only reformatted it to keep Roam's graphic style); the second is that, should you need specific in-depth material on the subject, it will be included, as original content, in this Section.

If you find text written in the first person, be aware that it is the author speaking and NOT the Roam Contact. The FAQ is reproduced in full and solely for the purposes of Roam's Activities.

Index

  1. Disclaimer
  2. What Is The Latest Version Of PGP, And Where Is It?
  3. Where Can I FTP PGP In North America?
  4. Where Is PGP On Compuserve?
  5. What Bulletin Board Systems Carry PGP?
  6. Where Can I FTP PGP Outside Of North America?
  7. Where Can I Get More PGP Information?
  8. Can I Get PGP Documentation In My Own Language?
  9. What Compatibility Issues Exist Between PGP 5.X And Earlier Versions?
  10. What Are Some Good PGP Books?
  11. Is PGP Legal?
  12. What Is Philip Zimmermann's Legal Status?
  13. How Do I Select A Good Secure Passphrase?
  14. Where Can I Get Windows & DOS Shells For PGP?
  15. What Other File Encryption (DOS, Mac) Tools Are There?
  16. How Do I Securely Delete DOS Files?
  17. Where Do I Get PGPfone(tm)?
  18. Where Do I Get Nautilus?
  19. How Do I Encrypt My Disk On The Fly?
  20. How Do I Publish My PGP Public Key?
  21. Where Is PGP's Competition?
  22. Is PGP Really Secure?
  23. May I Copy And Redistribute This FAQ?
  24. Who Maintains This FAQ?
  25. Copyright and License

Disclaimer

Some of this information may be outdated or otherwise inaccurate. I don't update it very often, but you should by all means be able to find an appropriate copy of PGP and its documentation using the information contained herein. Use it at your own risk. The master copies of this FAQ are at http://www.cryptography.org/getpgp.htm and http://www.cryptography.org/getpgp.txt. The official (much more complete) PGP FAQ is available at: http://www.pgp.net/pgpnet/pgp-faq/

What Is The Latest Version Of PGP, And Where Is It?

PGPmail commercial version: 6.5.3

PGP freeware: 6.5.3

Gnu Privacy Guard 1.0.2

PGP for Psion

Note: you may need an unzip utility, such as the InfoZip unzip that you can get from
ftp://ftp.freesoftware.com/pub/infozip/Informazioni-ZIP.html to use what you download.

Where Can I FTP PGP In North America?

If you are in the USA or Canada, try one of these URLs:

Where Is PGP On Compuserve?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled.

What Bulletin Board Systems Carry PGP?

Many BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP.

  • US
    • 314-896-9309 The KATN BBS
    • 317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login First Name: PGP Last Name: USER Password: PGP
    • 501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR Login name: PGP USER Password: PGP
    • 506-457-0483 Data Intelligence Group Corporation BBS
    • 508-668-4441 Emerald City, Walpole, MA
    • 601-582-5748 CyberGold BBS
    • 612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN
    • 914-667-4567 Exec-Net, New York, NY
    • 915-587-7888, Self-Governor Information Resource, El Paso, Texas
    • 909-681-6221 ATTENTION to Details (ATD BBS) All lines v.32bis/14.4KBPS minimum
  • CH
    • +41-1-322-7129 MoonLight BBS, Zurich 28800 bps, V34 ZYXEL ELITE 2864
  • DE
    • +49-781-9483621 MAUS BBS, Offenburg - angeschlossen an das MausNet
    • +49-521-68000 BIONIC-BBS Login: PGP
  • NL
    • +31-525-662684 Insanity Systems III Just logon and answer some questions about where you live and get PGP as well as a lot of PGP-tools for free. The system also has an offline and online PGP-server available for your public keys.

Where Can I FTP PGP Outside Of North America?

Where Can I Get More PGP Information?

The PGP-Users Mailing List home page at http://pgp.rivertown.net contains many PGP related resources, including resources on privacy, anonymous remailers, and other related fields. The PGP-Users list archives are also linked to the page as is an HTML version of the PGP-FAQ (may not be the most recent), the PGP documentation, resources for MacPGP, links to another mailing list dedicated to PGPfone (which includes one of its authors, Will Price) and the one of a kind, PGPfone Registry, where PGPfone users who would like to test PGPfone with each other can leave messages in a browsable data base to let others find them to connect with each other.

Can I Get PGP Documentation In My Own Language?

Yes. You can get the official PGP documentation in several languages at http://www.pgpi.com.
See also:
German: http://www.geocities.com/Athens/1802/
French: http://www.geocities.com/SiliconValley/Bay/9648/

What Compatibility Issues Exist Between PGP 5.X And Earlier Versions?

PGP 5.0 introduces some new algorithms for both public key and conventional encryption. These changes are good from both technical (security & efficiency) and political (patent) standpoints. With the death of the Diffie-Hellman key exchange patent, the freeware PGP new algorithms are 100% free of patent problems, and free of legalese such as come with the RSAREF toolkit. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit, so PGP encryption is actually more secure, now.
The new SHA1 hash function is better than MD5, so signatures are more secure, now, too. The conventional encryption used is all sound, and definitely not the weak link in the chain. This much is good news.
The bad news, of course, is that there will be some interoperability problems, since no earlier versions of PGP can handle these algorithms, and the new PGP freeware doesn't always support the old RSA algorithm. (This will change on September 21, 2000, when the RSA patent expires.)
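
An added example (not part of the FAQ or of any PGP release): a small Python check that reads the version and algorithm octets of an OpenPGP public key packet and reports whether a pre-5.0 PGP could use the key, which is the interoperability problem described above. The packet layout follows RFC 4880; the function names, the constructed sample packets and the simplified rule "only version 2/3 RSA keys are usable by PGP 2.x" are assumptions made for this illustration.

```python
import struct

# Public-key algorithm IDs from the OpenPGP specification (RFC 4880, section 9.1).
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt only)", 3: "RSA (sign only)",
            16: "ElGamal (encrypt only)", 17: "DSA"}
RSA_IDS = {1, 2, 3}
KEY_TAGS = {6: "public key", 14: "public subkey"}


def read_packet(data):
    """Return (tag, body) for the first OpenPGP packet in data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the tag octet is clear)")
    first = data[0]
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            length, start = o1, 2
        elif o1 < 224:
            length, start = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, start = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    else:                                 # old-format header, as PGP 2.x writes it
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def classify_key(data):
    """Report key version/algorithm and whether pre-5.0 PGP can use the key."""
    tag, body = read_packet(data)
    if tag not in KEY_TAGS or len(body) < 8:
        raise ValueError("not a public key packet, or body too short")
    version = body[0]
    # v2/v3 keys carry a 2-octet validity period before the algorithm octet.
    algo = body[7] if version in (2, 3) else body[5]
    return {"kind": KEY_TAGS[tag], "version": version,
            "algorithm": PK_ALGOS.get(algo, f"unknown ({algo})"),
            "usable_by_pgp2": version in (2, 3) and algo in RSA_IDS}


# Constructed sample packets (dummy key material; only the header fields matter).
CREATED = struct.pack(">I", 965952000)   # constructed timestamp, 11 Aug 2000 UTC
V3_RSA = bytes([3]) + CREATED + b"\x00\x00" + bytes([1]) + b"\x00\x08\xff"
V4_DSA = bytes([4]) + CREATED + bytes([17]) + b"\x00\x08\xff"
OLD_STYLE_RSA = bytes([0x99]) + len(V3_RSA).to_bytes(2, "big") + V3_RSA
NEW_STYLE_DSA = bytes([0xC6, len(V4_DSA)]) + V4_DSA

if __name__ == "__main__":
    for name, pkt in (("v3 RSA", OLD_STYLE_RSA), ("v4 DSA", NEW_STYLE_DSA)):
        print(name, classify_key(pkt))
```

To run it against a real key, feed it the binary (not ASCII-armored) export of the public key.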

What Are Some Good PGP Books?

Protect Your Privacy: A Guide for PGP Users
by William Stallings
Prentice Hall PTR
ISBN 0-13-185596-4
US $19.95

PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates, Inc.
ISBN 1-56592-098-8
US $24.95

E-Mail Security,
How To Keep Your Electronic Messages Private (covers PGP & PEM)
by Bruce Schneier
365 pages
1995
pub: John Wiley & Sons, Inc.
ISBN 0-471-05318-X
US $24.95

The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software
by André Bacard
Peachpit Press
ISBN 1-56609-171-3
US $24.95
800-283-9444 or 510-548-4393

THE OFFICIAL PGP USER'S GUIDE
by Philip R. Zimmermann
MIT Press
April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
Standard PGP documentation neatly typeset and bound.

PGP SOURCE CODE AND INTERNALS
by Philip R. Zimmermann
April 1995 - 804 pp. -
US $55.00 - 0-262-24039-4 ZIMPH

How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting
Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801
(about US $10-$13).

Is PGP Legal?

Pretty Good Privacy is legal if you are careful to obey the intellectual property and export rules, as well as any local rules that may apply in the nation you are in.
U.S. export regulations are not as bad as they were, but you may be required to give a notice to crypt@bxa.doc.gov to export or publicly post source code (and the executable compiled from it) under license exception TSU, and you can't export PGP or GPG from the USA to certain forbidden destinations (state sponsors of terrorism, etc.). Check the Department of Commerce web site at http://www.bxa.doc.gov/Encryption/Default.htm for current rules.
The RSA patent caused considerable expense in the USA for PGP users, until the Diffie-Hellman patent expired and DSA was offered by the U.S. Government as not infringing. Some people still like to use older versions of PGP that use RSA, especially outside of the USA. Starting at 0000 hours EST, 21 September 2000, the RSA patent is dead and anyone in the USA may use RSA for either business or personal use without restrictions. Expect PGP and GPG implementations to improve in interoperability on that date.
If you want to use PGP for commercial use, either spend money for a commercial license from Network Associates, Inc., or use Gnu Privacy Guard (http://www.gnupg.org).
If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially, or avoid it by using Gnu Privacy Guard, instead. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV
Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN
Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA@ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Network Associates, Inc., has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK, as is building on older GPL versions of PGP or the new GPG.)
If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.

Within the U.S. there is no legal obstacle for use of strong encryption. Export regulations used to be quite draconian in the USA, and are still partially irrational, but they have greatly improved to the point where U.S. Citizens no longer need to hesitate to publish (even on the Internet) and use strong cryptography, as long as they send the required notices of export and/or posting on the Internet to crypt@bxa.doc.gov.
In an ideal world everyone would have the right to use encryption. Unfortunately, this isn't an ideal world.
France used to be quite restrictive, but now that nation allows its citizens to use strong cryptography, recognizing its value in preventing some crimes and strengthening electronic commerce.
Germany once considered banning the use and distribution of strong cryptographic software in the name of "national security," but now the German government has actually endorsed and helped fund the development of Gnu Privacy Guard.
In Russia, you can be arrested for using cryptography and even be put in jail for using a GPS receiver.

U.S. Citizens may want to view travel advisories at http://travel.state.gov before visiting another country. For a recent update on the legal situation see The Crypto Law Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

What Is Philip Zimmermann's Legal Status?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U.S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy.
See:

How Do I Select A Good Secure Passphrase?

See:

Where Can I Get Windows & DOS Shells For PGP?

What Other File Encryption (DOS, Mac) Tools Are There?

PGP can do conventional encryption only of a file (the -c option), but you might want to investigate some of the other alternatives if you do this a lot.
Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others.
Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

How Do I Securely Delete DOS Files?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space.

Where Do I Get PGPfone(tm)?

PGPfone is for private telephone calls over a modem or the Internet.

Where Do I Get Nautilus?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better).
See:

How Do I Encrypt My Disk On The Fly?

Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode.
Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented.
Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA.
Cryptographic File System (CFS) is a Unix device driver that uses DES. CryptDisk is a ShareWare package for Macintosh that uses strong IDEA encryption like PGP.
PGPDisk is also available somewhere at http://www.nai.com.

How Do I Publish My PGP Public Key?

The latest PGP version will interact with key servers automatically if you are connected to the Internet and if you configure them to. For manual key publication, send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too.

Where Is PGP's Competition?

Gnu Privacy Guard is a serious OpenPGP standard competitor to PGP, but really it is more of a growth from the initial Gnu Public License versions of PGP itself, with some independently-written code added where necessary. It is a serious alternative, quite secure, but not yet as feature-rich as Network Associates' PGP.
S/MIME is gaining a foothold on the secure email market, but my experience with it has been rather negative. Current implementations of S/MIME (1) don't allow secure key lengths to be used except in "U.S. Only" versions, (2) require payment of an annual fee to a key certification authority who verifies only that you got email to your key certificate's address at least once, (3) have much more limited key management facilities than PGP, and (4) the first time I tried to make S/MIME work, it flat out failed to perform as advertised. On the positive side, S/MIME is integrated into email packages like Microsoft Outlook 98 and Netscape Messenger almost as well as PGP is integrated into Eudora, and once the kinks are taken out, the secure version of S/MIME (1024-bit RSA keys and 128-bit RC-2 keys) will be good enough for most people. The "export" edition (512-bit RSA keys and 40-bit RC-2 keys) is a very bad idea, because it gives a false sense of security.
RIPEM is the third most popular freeware email encryption package, but it is losing ground fast. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature (and if you are very tolerant of arcane and confusing command line interfaces), get a copy from ftp://idea.sec.dsi.unimi.it/pub/crypt/code/.

Is PGP Really Secure?

Yes and no. Yes, it is secure against most human attackers when used on a physically secure system in accordance with its instructions. This includes using a good passphrase to protect your private keys and keeping your passphrase and private keys truly private. No, it is not secure if you don't understand what you are doing. It is also true that God knows your thoughts even before you encrypt them, so you can't hide anything from Him. http://ebible.org/bible/web/Psalms.htm#C139V1

May I Copy And Redistribute This FAQ?

Yes. Please only do so in appropriate forums, and provide pointers to the home location of this FAQ.

Who Maintains This FAQ?

Michael Paul Johnson mpj@ebible.org maintains this FAQ. My PGP and Gnu Privacy Guard public keys can be downloaded from my contact page at http://eBible.org/mpj/, as well as from the public key servers.

Comments and advice

If the subject interests you, we will cover PGP (Pretty Good Privacy) in a way that is closer to your interests. Send questions only through the SIG Aiutarsi for problems relating to PGP (Pretty Good Privacy).


Copyright © Roam - Conoscere Possibile.
The site is Free Documentation under FDL 1.2 or later.
Verbatim copying and distribution of the material collected here in its entirety are permitted in any medium, provided that this notice is reproduced (unless otherwise indicated).