------------------------------------------------------------------------------- Questions and Answers about MIT's Release of PGP 2.6 by Hal Abelson, Jeff Schiller, Brian LaMacchia, and Derek Atkins June 2, 1994 Q: Is PGP 2.6 an official release from MIT? A: Yes. PGP 2.6 is distributed via the Internet to non-commercial U.S. users by MIT Information Systems, via anonymous ftp from net-dist.mit.edu in the directory pub/PGP. Planning for the PGP 2.6 release was conducted with the knowledge and approval of the MIT administration. The MIT News Office officially announced the availability of PGP 2.6 in a press release dated May 26, 1994. *** Q: Was PGP 2.6 released in cooperation with RSA Data Security, Inc.? A: Yes. PGP 2.6 uses the RSAREF(TM) Free Cryptographic Toolkit (Version 1) licensed by RSADSI. RSADSI has granted MIT permission to access the non-published routines in RSAREF required to support PGP. *** Q: Was Phil Zimmermann involved in the PGP 2.6 release? A: Yes. Zimmermann has been fully involved in the release process. In addition, he approved all code changes from earlier versions of PGP and updated the PGP documentation for version 2.6. *** Q: Can PGP 2.6 interoperate with previous versions of PGP? A: Not completely. There are two different incompatibilities between PGP 2.6 and earlier versions of PGP. The first incompatibility is a deliberate format change that will trigger on September 1, 1994. The intent of this change is to discourage PGP users in the U.S. from using PGP 2.3a, which potentially infringes patents. The second incompatibility is that PGP 2.6 requires signatures to be in PKCS format, which has been the default since PGP 2.3, although PGP 2.3 was able to process non-PKCS signatures. *** Q: What's the effect of the September 1 format change? Will I still be able to use my old keys? Will I still be able to decrypt old messages? A: Both now and after September 1, PGP 2.6 will decrypt messages and uses keys generated by PGP 2.3a. To quote from the PGP 2.6 manual: PGP version 2.6 can read anything produced by versions 2.3, 2.3a, 2.4, or 2.5. However, because of a negotiated agreement between MIT and RSA Data Security, PGP 2.6 will change its behavior slightly on 1 September 1994, triggered by a built-in software timer. On that date, version 2.6 will start producing a new and slightly different data format for messages, signatures and keys. PGP 2.6 will still read and process messages, signatures, and keys produced under the old format, but it will generate the new format. *** Q: What about the PKCS requirement? A: PKCS Stands for Public Key Cryptography Standards and is a voluntary standard created by RSA Data Security and several industry leading organizations, including MIT. PKCS specifies standard encodings for encrypted and signed objects as well as some key formats. The standard documents themselves may be obtained via anonymous FTP from rsa.com. Starting with PGP version 2.3, PGP signatures have conformed to the PKCS signature standard. Although PGP version 2.3 generated PKCS format signatures, it was capable of understanding the non-PKCS format generated by PGP 2.2 and earlier versions. PGP 2.6 removes this compatibility code. This makes some of the PGP 2.6 code cleaner and ensures compatibility with future versions of RSAREF and other future standard software. Making the change now also encourages people to obtain fresh signatures on their keys, which is a prudent thing to do every so often. Note: The PKCS requirement has nothing to do with the September 1 PGP format change. It is an independent decision of the PGP development team. *** Q: Is there a technical reason for the September 1 format change? A: No. The format change is being made for legal reasons, not technical reasons. MIT wanted to bring out a version of PGP that would have the support of RSADSI. RSADSI would not lend their support to a product that fully interoperates with PGP 2.3, which, when used in the United States, potentially infringes patents licensed to them by Stanford and MIT. The intent of this format change is to discourage people from continuing to use the earlier software, which will mitigate the patent-caused problems that have hampered use of PGP within the U.S. The time delay between now and September is to give people adequate time to upgrade to the new software. *** Q: Does using RSAREF make PGP 2.6 run more slowly than previous versions of PGP? A: No. The speed-critical portions of PGP 2.6 use the same multi-precision integer libraries as in PGP 2.3a. We have noticed no appreciable speed difference between PGP 2.3a and PGP 2.6 on any of the platforms we have tried. If you observe a performance problem with PGP 2.6, please send details to pgp-bugs@mit.edu. Be sure to tell us what platform and compiler you are using. *** Q: Is there a back door in PGP 2.6? A: No. You need not take our word for it. PGP is distributed in source code, so that you can verify its integrity yourself, or get someone you trust to verify it for you. The 2.6 MSDOS executable file that we distribute has been digitally signed, so you will know that it has not been tampered with. In general, you should be wary of using encryption programs that you receive as object code, whose origin you cannot authenticate. *** Q: Why is PGP 2.6 limited to 1024-bit keys? Does this compromise the security of PGP 2.6? A: To quote from the PGP 2.6 manual: Beginning with version 2.4 (which was ViaCrypt's first version) through at least 2.6, PGP does not allow you to generate RSA keys bigger than 1024 bits. The upper limit was always intended to be 1024 bits. But because of a bug in earlier versions of PGP, it was possible to generate keys larger than 1024 bits. These larger keys caused interoperability problems between different older versions of PGP that used different arithmetic algorithms with different native word sizes. On some platforms, PGP choked on the larger keys. In addition to these older key size problems, the 1024-bit limit is now enforced by RSAREF. A 1024-bit key is very likely to be well out of reach of attacks by major governments. Cracking a 1024-bit key is far beyond any publicly known computational capability. The table below, originally posted to Usenet in October, 1993, gives some numbers for the expected amount of work required to crack keys of various sizes. The prediction for RSA129, which was finally factored in April, 1994, was very close to the actual time required. (The time was about 5000 MIPS-years, depending on your definition of a MIPS.) RSA129 (429 bits): 4,600 MIPS-YEARS a 512 bit key 420,000 MIPS-YEARS (safe for a little while!) a 700 bit key 4,200,000,000 MIPS-YEARS (seems pretty safe to me!) a 1024 bit key 2.8 x 10^15 MIPS-YEARS (Wow!) The above table is based on the Multiple-Polynomial Quadratic Sieve (MPQS). Other algorithms under development may have slightly better performance. The bottom line is that cracking a 1024-bit key using anything like presently known factoring methods will probably not happen within the lifetime of anyone reading this FAQ at the time of this writing (1994). A breakthrough in computer technology or algorithm efficiency that threatens a 1024 bit key is likely to be so powerful that it will threaten much larger keys as well, and then all bets are off! Any successful attack on PGP with large key sizes is more likely to come from exploiting other aspects of the system (such as the prime number generation algorithm) than by brute-force factoring of keys. Given this, it is not at all clear that key sizes larger than 1024 bits provide increased security in any practical sense. Nevertheless, RSADSI has granted MIT permission to modify RSAREF to increase the key size, and larger keys will be supported in a future PGP release. These larger keys, however, will not be manipulated by PGP 2.6 and earlier releases, so users will need to upgrade in order to use them. *** Q: There is no patent problem with using PGP 2.3a outside the U.S. Isn't it offensive to impose a change on PGP users around the world to accommodate a legal problem in the U.S.? A: To quote from the PGP 2.6 manual: Outside the United States, the RSA patent is not in force, so PGP users there are free to use implementations of PGP that do not rely on RSAREF and its restrictions. Hopefully, implementors of PGP versions outside the US will also switch to the new format, whose detailed description is available from MIT. If everyone upgrades before 1 September 1994, no one will experience any discontinuity in interoperability. We apologize to PGP users outside the U.S. We are asking them to undergo the inconvenience of making a change to the non-U.S. version of PGP for no technical reason. We hope that the effect of this change, which will remove any legal controversy from the use of PGP in the U.S., will benefit PGP users outside the U.S. as well as within the U.S. *** Q: How can PGP users outside the U.S. upgrade, if PGP 2.6 might be subject to U.S. export controls? A: The format change that will become effective on September 1, 1994 can be accomplished by a simple modification to the PGP 2.3a code, which was developed outside the U.S. MIT has published the new format specification. Consequently, a non-U.S. version of PGP that interoperates with PGP 2.6 can be produced without the need for anyone to attempt to export PGP software from the U.S. *** Q: With this incompatible change, what provisions are being made for users of ViaCrypt PGP (PGP 2.4) ? A: ViaCrypt has announced a new release of their product, called PGP 2.7, that supports both the old and new formats. They will also provide upgrade kits for users for version 2.4. For further information, contact Paul E. Uhlhorn Director of Marketing, ViaCrypt Products Mail: 2104 W. Peoria Ave Phoenix AZ 85029 Phone: (602) 944-0773 Fax: (602) 943-2601 Internet: viacrypt@acm.org Compuserve: 70304.41 *** Q: Does PGP 2.6 use RSAREF version 1, or RSAREF 2.0? A: PGP 2.6 uses RSAREF version 1. PGP 2.5 used RSAREF version 2.0. During the discussions that led to the creation of PGP 2.6, RSA Data Security requested that MIT switch to RSAREF 1. Furthermore, RSADSI gave MIT formal written permission to make calls to internal program interfaces in RSAREF 1, consistent with the RSAREF 1 license. From a technical standpoint, it doesn't matter which version of RSAREF is used by PGP. The major enhancements to RSAREF 2.0 have to do with functionality not required by PGP. Also, RSADSI's licensing restrictions (which require non-commercial use only) are not significantly different from RSAREF 1 to RSAREF 2. It is possible that later releases of PGP from MIT may use a different release of RSAREF, but we see no reason to do so at this time. *** Q: What is PGP 2.5 and what is its status? A: MIT initially released PGP 2.5 for beta test on May 9, 1994. During the beta test period, we continued discussions with RSA Data Security. These discussions led us to decide to install the September 1 format change, as well to use RSAREF 1 (see question above). PGP 2.5 contained several important bugs that have been fixed in PGP 2.6. PGP 2.5 does *not* contain the software necessary to understand messages generated by PGP 2.6 after September 1. We therefore urge all U.S. users to upgrade to PGP 2.6 (or a subsequent version). *** Q: What is PGP 3.0? A: PGP 3.0 is an anticipated upgrade to PGP. Unlike PGP 2.6, PGP 3.0 will be a major rewrite and reconstruction of the PGP internal software. PGP 3.0 might be ready before the end of 1994, but there are no specific release plans yet. *** Q: Will there be further incompatible changes to PGP? A: Almost certainly. As new features are added, the format of messages and other data structures will no doubt be changed. For example, we have considered adding a new packet type for signatures that places the signature at the end of a signed packet rather then the beginning. This will permit restructuring the PGP software so that it can operate in one pass, with no need to create the numerous temporary files that PGP now creates. This will facilitate applications that are not now currently possible. For example, a one-pass PGP could be used to encrypt data to a tape drive during backup. This cannot be done with PGP today because it would need to create temporary files that consume almost twice as much disk space as the data being backed up! *** Q: Will keys generated prior to PGP 2.6 continue to be usable? A: Yes. PGP 2.6 will always be able to use keys created by prior versions. New keys, generated *after* September 1 will *not* be usable by prior versions of PGP. However we hope that all PGP users will have upgraded to PGP 2.6 or better (or its non-U.S. equivalent) by September. *** Q: Why did MIT release PGP 2.6, when PGP 2.3 is already available? A: Using PGP 2.3 in the U.S. potentially infringes patents licensed exclusively to Public Key Partners by Stanford University and MIT. This sticky patent situation has deterred the spread of PGP, because many people and institutions did not wish to risk violating intellectual property restrictions. MIT has addressed this problem in PGP 2.6 by using RSAREF, which is licensed by RSA Data Security, Inc. RSADSI acknowledges that PGP 2.6 is a legitimate RSAREF application. The RSAREF license includes rights to all of the relevant U.S. patents on public key cryptography for non-commercial use. *** Q: Will there be version of PGP 2.6 for the Mac? A: People are working on this, but it's not ready yet. We hope it will be available within a couple of weeks. *** Q: Is MIT distributing PGP 2.6 to Canada? A: No, or at least not yet. There are some legal issues involved, having to do with possible U.S. export control restrictions, and we're getting advice on how to deal with these. We hope to sort this out next week. *** Q: Who are the people who are working on the PGP 2.6 release? A: People outside MIT working directly on the 2.6 release are Phil Zimmermann and Colin Plumb. People at MIT coordinating the PGP 2.6 release are Jeff Schiller, MIT Network Manager; Hal Abelson, Prof. of Computer Science and Engineering; Brian LaMacchia, graduate student in Computer Science; and Derek Atkins, graduate student in Media Arts and Sciences. Support from the MIT administration was provided by Jim Bruce, MIT Vice-President for Information Systems; David Litster, MIT Vice-President and Dean for Research; Karen Hersey, MIT Intellectual Property Counsel; and John Preston, MIT Director of Technology Development. *** Q: Are there more questions? A: Certainly. If there are other questions about PGP 2.6 that you think ought to be answered here, please send us to them (at pgp-bugs@mit.edu) and we will try to include answers in future versions of this FAQ. ------------------------------------------------------------------------------- Compilation Copyright (c) 1994 by the Massachusetts Institute of Technology. All rights reserved. Permission to use, copy, modify, and distribute this compilation for any non-commercial purpose is hereby granted without fee, subject to the following license: 1. Any copy or modification of this compilation must include the above copyright notice and this license. 2. Software included in this compilation includes a feature that causes the format of messages generated by it to change on September 1, 1994. Modification to this software to disable this feature is not authorized and will make this license, and the license in the underlying software, null and void. 3. Users of the software included in this compilation agree to use their best efforts to provide MIT with any modifications containing improvements or extensions and hereby grant MIT a perpetual, royalty-free license to use and distribute such modifications under the terms of this license. Such modifications may be provided to MIT by email to pgp-bugs@mit.edu. 4. The software included in this compilation makes use of the RSAREF(TM) Cryptographic Toolkit, use and distribution of which are covered by the RSA Data Security, Inc., Program License Agreement included in this compilation. This compilation also contains materials copyrighted by Philip Zimmermann under terms also included in this compilation. (See the "Legal Issues" section of the PGP User's Guide, Volume 2.) 5. MIT makes no warranty or representation that the operation of the software in this compilation will be error-free, and MIT is under no obligation to provide any services, by way of maintenance, update, or otherwise. THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL MIT OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF MIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6.Users will not use the name of the Massachusetts Institute of Technology nor any adaptation thereof in any publicity or advertising, without prior written consent from MIT in each case. 7. Export of this software from the United States may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. ------------------------------------------------------------------------------- RSA LABORATORIES PROGRAM LICENSE AGREEMENT January 5, 1993 RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA") GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM: 1. LICENSE. RSA grants you a non-exclusive, non-transferable, perpetual (subject to the conditions of section 8) license for the "RSAREF" program (the "Program") and its associated documentation, subject to all of the following terms and conditions: a. to use the Program on any computer in your possession; b. to make copies of the Program for back-up purposes; c. to modify the Program in any manner for porting or performance improvement purposes (subject to Section 2) or to incorporate the Program into other computer programs for your own personal or internal use, provided that you provide RSA with a copy of any such modification or Application Program by electronic mail, and grant RSA a perpetual, royalty-free license to use and distribute such modifications and Application Programs on the terms set forth in this Agreement. d. to copy and distribute the Program and Application Programs in accordance with the limitations set forth in Section 2. "Application Programs" are programs which incorporate all or any portion of the Program in any form. The restrictions imposed on Application Programs in this Agreement shall not apply to any software which, through the mere aggregation on distribution media, is co-located or stored with the Program. 2. LIMITATIONS ON LICENSE. a. RSA owns the Program and its associated documentation and all copyrights therein. You may only use, copy, modify and distribute the Program as expressly provided for in this Agreement. You must reproduce and include this Agreement, RSA's copyright notices and disclaimer of warranty on any copy and its associated documentation. b. The Program and all Application Programs are to be used only for non-commercial purposes. However, media costs associated with the distribution of the Program or Application Programs may be recovered. c. The Program, if modified, must carry prominent notices stating that changes have been made, and the dates of any such changes. d. Prior permission from RSA is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. RSA will grant all reasonable requests for permission to make such modifications. 3. NO RSA OBLIGATION. You are solely responsible for all of your costs and expenses incurred in connection with the distribution of the Program or any Application Program hereunder, and RSA shall have no liability, obligation or responsibility therefor. RSA shall have no obligation to provide maintenance, support, upgrades or new releases to you or to any distributee of the Program or any Application Program. 4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set forth below, RSA, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against you on the basis of infringement of any United States patent in the field of cryptography by the unmodified Program; and (ii) pay any final judgment or settlement entered against you on such issue in any such suit or proceeding defended by RSA. The obligations of RSA under this Section 6 are subject to: (i) RSA's having sole control of the defense of any such claim, suit or proceeding; (ii) your notifying RSA promptly in writing of each such claim, suit or proceeding and giving RSA authority to proceed as stated in this Section 6; and (iii) your giving RSA all information known to you relating to such claim, suit or proceeding and cooperating with RSA to defend any such claim, suit or proceeding. RSA shall have no obligation under this Section 6 with respect to any claim to the extent it is based upon (A) use of the Program as modified by any person other than RSA or use of any Application Program, where use of the unmodified Program would not constitute an infringement, or (B) use of the Program in a manner other than that permitted by this Agreement. THIS SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT. NOTE: Portions of the Program practice methods described in and subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829, and all foreign counterparts and equivalents, issued to Leland Stanford Jr. University and to Massachusetts Institute of Technology. Such patents are licensed to RSA by Public Key Partners of Sunnyvale, California, the holder of exclusive licensing rights. This Agreement does not grant or convey any interest whatsoever in such patents. 7. RSAREF is a non-commercial publication of cryptographic techniques. Portions of RSAREF have been published in the International Security Handbook and the August 1992 issue of Dr. Dobb's Journal. Privacy applications developed with RSAREF may be subject to export controls. If you are located in the United States and develop such applications, you are advised to consult with the State Department's Office of Defense Trade Controls. 8. TERM. The license granted hereunder is effective until terminated. You may terminate it at anytime by destroying the Program and its associated documentation. The termination of your license will not result in the termination of the licenses of any distributees who have received rights to the Program through you so long as they are in compliance with the provisions of this license. 9. GENERAL a. This Agreement shall be governed by the laws of the State of California. b. Address all correspondence regarding this license to RSA's electronic mail address, or to RSA Laboratories ATTN: RSAREF Administrator 100 Marine Parkway, Suite 500 Redwood City, CA 94065