Mailing List Archive

comparison gpg:pgp6.5.1
Questions from a hopeful convert:
1. How do the random number generators compare?
2. Are the prime numbers used in key generation calculated or is there a
prepared list (i.e. the quick key gen option in NAI's pgp)?
3. It's my understanding there are no temp/swap etc. file generation to leave
an unaccounted plaintext. Is this true, and how?
4. Is there a wipe option? If not, how does one assuredly eliminate a
plaintext file. If a wipe is present, how many overwrites are performed?
thanks - mark
--
-- Mark Goldstein -- mgoldstein@austin.rr.com
3218 Enfield Rd. Austin, TX 78703
512.477.1737
RE: comparison gpg:pgp6.5.1
An interesting e-mail....I'm also looking at comparing the security of GPG
and PGP...

> -----Original Message-----
> From: Mark Goldstein [mailto:mgoldstein@austin.rr.com]
> Sent: 17 January 2000 04:53
> To: s.simpson@mia.co.uk
> Subject: comparison gpg:pgp6.5.1
>
>
> Questions from a hopeful convert:
> 1. How do the random number generators compare?

My understanding is that GPG relies on the OS provided RNG whereas PGP
offers its own primitives. This is ok if you trust the construction of the
/dev/random devices but on operating systems I wouldn't trust as far as I
could throw (Winxxxx) then the PGP solution is probably preferable.

Have a look at http://lists.gnupg.org/gnupg-devel-199911/msg00027.html for
details of how RNGs are employed in GPG.

> 2. Are the prime numbers used in key generation calculated
> or is there a
> prepared list (i.e. the quick key gen option in NAI's pgp)?

GPG doesn't include "canned primes" for ElGamal / DSA keys. This is good
IMHO (though I can imagine situations where v.fast keygen would be a
bonus...).

I guess the best solution is to offer the option of employing canned primes
but by default turn this off.

> 3. It's my understanding there are no temp/swap etc. file
> generation to leave
> an unaccounted plaintext. Is this true, and how?

Pass. I've still only given GPG source code a cursory glance :(

> 4. Is there a wipe option? If not, how does one assuredly eliminate a
> plaintext file. If a wipe is present, how many overwrites
> are performed?

Afaik no wipe is present. For half-secure OSs I would expect this function
to be included as a standard function (C2 criteria talks about wiping before
reuse etc...). Not sure if Linux wipes before re-use....


Regards,

Sam Simpson
Communications Analyst
-- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components. PGP Keys available at the same site.
Re: comparison gpg:pgp6.5.1
On Mon, Jan 17, 2000 at 02:49:07PM +0000, Simpson, Sam (s.simpson@mia.co.uk) wrote:
> An interesting e-mail....I'm also looking at comparing the security of GPG
> and PGP...
> > From: Mark Goldstein [mailto:mgoldstein@austin.rr.com]
> > Sent: 17 January 2000 04:53
> > To: s.simpson@mia.co.uk
>
> > 3. It's my understanding there are no temp/swap etc. file
> > generation to leave
> > an unaccounted plaintext. Is this true, and how?
>
> Pass. I've still only given GPG source code a cursory glance :(

GPG is best used installed to run with superuser access. This gives it the
ability to request a portion of memory which will not be paged to disk by the
operating system. If you DON'T set it to run as superuser, it will give an
error telling you that it is using unsecure memory.

> > 4. Is there a wipe option? If not, how does one assuredly eliminate a
> > plaintext file. If a wipe is present, how many overwrites
> > are performed?
>
> Afaik no wipe is present. For half-secure OSs I would expect this function
> to be included as a standard function (C2 criteria talks about wiping before
> reuse etc...). Not sure if Linux wipes before re-use....

I don't think there's a wipe function either, but this is A Good Thing(TM).
True to the Unix design philosophy, GPG is intended to encrypt and decrypt
files, and things like triple-rewrite-with-random-data-and-wipe-clean-with-
small-tactical-nuclear-weapons are better left to outboard utilities that
can dedicate themselves to doing a better job without being considered "bloat."

--

Everything on television is fake.
----------------------------------------------------------------------------
sungod@atdot.org
Re: comparison gpg:pgp6.5.1
On Tue, 18 Jan 2000, sen_ml@eccosys.com wrote:

> it's very nice that gpg can handle this. it would be even nicer if
> other rfc 2440 implementations handled it as well (it really shouldn't

I guess you mean PGP 6 with the other rfc2440 implementation.
This feature is marked optional and so there is no need for an
implementation to support it. PGP 6 is not rfc2440 compliant: For
example they do generate v3 signatures and have invented a new packet
type (Photo ID) which is not defined in OpenPGP nor is it in the range
for private extension.

> write it if you can use a library for handling rfc 2440, and that is
> not something that is available yet (iirc, i would love to be wrong

Sorry, you are still right. However I see a demand for such a library.

> considered "cryptographic" software? it doesn't seem like it should
> be to me.

No and since Friday it seems to be quite easy to get an export
license: You only have to send the URL to the BXA.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
Re: comparison gpg:pgp6.5.1
On Mon, 17 Jan 2000, Simpson, Sam wrote:

> My understanding is that GPG relies on the OS provided RNG whereas PGP

No. GnuPG used /dev/random as entropy source to seed its own PRNG.
See Peter Gutmann's paper on generation of practically strong random
numbers.

> /dev/random devices but on operating systems I wouldn't trust as far as I
> could throw (Winxxxx) then the PGP solution is probably preferable.

PGP 5 version for Unix used the /dev/random too. I have not looked at
the pgp 6.x code.

> Afaik no wipe is present. For half-secure OSs I would expect this function
> to be included as a standard function (C2 criteria talks about wiping before
> reuse etc...). Not sure if Linux wipes before re-use....

I considered putting a very good wiping tool into the GnuPG package but
it turned out that it would make the distribution much larger and
more complicated to maintain. The next release of the GNU fileutils
will come with this tool. For now, I suggest using one of the tools
available in the contrib directory or listed somewhere on the website.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html