Questions and Answers
		    about MIT's Release of PGP 2.6
				   
				  by
    Hal Abelson, Jeff Schiller, Brian LaMacchia, and Derek Atkins

			     June 2, 1994


Q: Is PGP 2.6 an official release from MIT?

A: Yes.  PGP 2.6 is distributed via the Internet to non-commercial
U.S. users by MIT Information Systems, via anonymous ftp from
net-dist.mit.edu in the directory pub/PGP.  Planning for the PGP 2.6
release was conducted with the knowledge and approval of the MIT
administration.  The MIT News Office officially announced the
availability of PGP 2.6 in a press release dated May 26, 1994.

***

Q: Was PGP 2.6 released in cooperation with RSA Data Security, Inc.?

A: Yes.  PGP 2.6 uses the RSAREF(TM) Free Cryptographic Toolkit
(Version 1) licensed by RSADSI.  RSADSI has granted MIT permission to
access the non-published routines in RSAREF required to support PGP.

***

Q: Was Phil Zimmermann involved in the PGP 2.6 release?

A: Yes.  Zimmermann has been fully involved in the release process.
In addition, he approved all code changes from earlier versions of
PGP and updated the PGP documentation for version 2.6.

***

Q:  Can PGP 2.6 interoperate with previous versions of PGP?

A: Not completely.  There are two different incompatibilities between
PGP 2.6 and earlier versions of PGP.  The first incompatibility is a
deliberate format change that will trigger on September 1, 1994.  The
intent of this change is to discourage PGP users in the U.S. from
using PGP 2.3a, which potentially infringes patents.  The second
incompatibility is that PGP 2.6 requires signatures to be in PKCS
format, which has been the default since PGP 2.3, although PGP 2.3
was able to process non-PKCS signatures.

***

Q: What's the effect of the September 1 format change?  Will I still
be able to use my old keys?  Will I still be able to decrypt old
messages?

A: Both now and after September 1, PGP 2.6 will decrypt messages and
use keys generated by PGP 2.3a.  To quote from the PGP 2.6 manual:

        PGP version 2.6 can read anything produced by versions 2.3,
        2.3a, 2.4, or 2.5.  However, because of a negotiated
        agreement between MIT and RSA Data Security, PGP 2.6 will
        change its behavior slightly on 1 September 1994, triggered
        by a built-in software timer.  On that date, version 2.6 will
        start producing a new and slightly different data format for
        messages, signatures and keys. PGP 2.6 will still read and
        process messages, signatures, and keys produced under the old
        format, but it will generate the new format.

***

Q: What about the PKCS requirement?

A: PKCS stands for Public Key Cryptography Standards and is a
voluntary standard created by RSA Data Security and several
industry-leading organizations, including MIT. PKCS specifies standard
encodings for encrypted and signed objects as well as some key
formats. The standard documents themselves may be obtained via
anonymous FTP from rsa.com.

Starting with PGP version 2.3, PGP signatures have conformed to the
PKCS signature standard.  Although PGP version 2.3 generated PKCS
format signatures, it was capable of understanding the non-PKCS format
generated by PGP 2.2 and earlier versions.  PGP 2.6 removes this
compatibility code. This makes some of the PGP 2.6 code cleaner and
ensures compatibility with future versions of RSAREF and other future
standard software.  Making the change now also encourages people to
obtain fresh signatures on their keys, which is a prudent thing to do
every so often.

Note: The PKCS requirement has nothing to do with the September 1 PGP
format change. It is an independent decision of the PGP development
team.

***

Q: Is there a technical reason for the September 1 format change?

A: No. The format change is being made for legal reasons, not
technical reasons.  MIT wanted to bring out a version of PGP that
would have the support of RSADSI.  RSADSI would not lend their support
to a product that fully interoperates with PGP 2.3, which, when used
in the United States, potentially infringes patents licensed to them
by Stanford and MIT.  The intent of this format change is to
discourage people from continuing to use the earlier software, which
will mitigate the patent-caused problems that have hampered use of PGP
within the U.S.  The time delay between now and September is to give
people adequate time to upgrade to the new software.

***

Q:  Does using RSAREF make PGP 2.6 run more slowly than previous
versions of PGP?

A: No.  The speed-critical portions of PGP 2.6 use the same
multi-precision integer libraries as in PGP 2.3a.  We have noticed no
appreciable speed difference between PGP 2.3a and PGP 2.6 on any of
the platforms we have tried.  If you observe a performance problem
with PGP 2.6, please send details to pgp-bugs@mit.edu.  Be sure to
tell us what platform and compiler you are using.

***

Q: Is there a back door in PGP 2.6?

A: No. You need not take our word for it.  PGP is distributed in
source code, so that you can verify its integrity yourself, or get
someone you trust to verify it for you.  The 2.6 MSDOS executable file
that we distribute has been digitally signed, so you will know that it
has not been tampered with.  In general, you should be wary of using
encryption programs that you receive as object code, whose origin you
cannot authenticate.

***

Q: Why is PGP 2.6 limited to 1024-bit keys?  Does this compromise the
security of PGP 2.6?

A: To quote from the PGP 2.6 manual:

        Beginning with version 2.4 (which was ViaCrypt's first
        version) through at least 2.6, PGP does not allow you to
        generate RSA keys bigger than 1024 bits.  The upper limit was
        always intended to be 1024 bits.  But because of a bug in
        earlier versions of PGP, it was possible to generate keys
        larger than 1024 bits.  These larger keys caused
        interoperability problems between different older versions of
        PGP that used different arithmetic algorithms with different
        native word sizes.  On some platforms, PGP choked on the
        larger keys.  In addition to these older key size problems,
        the 1024-bit limit is now enforced by RSAREF.  A 1024-bit key
        is very likely to be well out of reach of attacks by major
        governments.

Cracking a 1024-bit key is far beyond any publicly known computational
capability.  The table below, originally posted to Usenet in October,
1993, gives some numbers for the expected amount of work required to
crack keys of various sizes. The prediction for RSA129, which was
finally factored in April, 1994, was very close to the actual time
required.  (The time was about 5000 MIPS-years, depending on your
definition of a MIPS.)

    RSA129 (429 bits):      4,600 MIPS-YEARS
    a 512 bit key         420,000 MIPS-YEARS (safe for a little while!) 
    a 700 bit key   4,200,000,000 MIPS-YEARS (seems pretty safe to me!)
    a 1024 bit key    2.8 x 10^15 MIPS-YEARS (Wow!)

The above table is based on the Multiple-Polynomial Quadratic Sieve
(MPQS). Other algorithms under development may have slightly better
performance.
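The table above can be reproduced from the heuristic MPQS running time,
L_n[1/2, 1] = exp(sqrt(ln n * ln ln n)), by scaling the measured RSA129
data point to other key sizes.  The Python below is an added example,
not part of the original FAQ or of the Usenet post it quotes; it assumes
that constant factors and o(1) terms cancel in the ratio between two key
sizes, and it goes beyond the table by also applying the Number Field
Sieve exponent, L[1/3, (64/9)^(1/3)], one of the "algorithms under
development" in 1994, so the effect of a better algorithm on the
1024-bit figure can be seen.

```python
import math

# Reference point taken from the table above: RSA129 (429 bits) at 4,600 MIPS-years.
REF_BITS = 429
REF_MIPS_YEARS = 4600.0

# Asymptotic running-time parameters in L-notation,
#   L_n[alpha, c] = exp(c * (ln n)^alpha * (ln ln n)^(1 - alpha)).
# MPQS is an L[1/2, 1] algorithm (the table's basis); the Number Field Sieve,
# one of the "algorithms under development" in 1994, is L[1/3, (64/9)^(1/3)].
ALGORITHMS = {
    "mpqs": (0.5, 1.0),
    "nfs": (1.0 / 3.0, (64.0 / 9.0) ** (1.0 / 3.0)),
}


def l_notation(bits, alpha, c):
    """Return ln L_n[alpha, c] for a modulus n of the given bit length."""
    ln_n = bits * math.log(2.0)
    return c * ln_n ** alpha * math.log(ln_n) ** (1.0 - alpha)


def estimate_mips_years(bits, algorithm="mpqs"):
    """Scale the RSA129 data point to `bits` using the algorithm's L-notation exponent.

    Assumption: the o(1) terms and all constant factors cancel in the ratio
    between two key sizes, so one measured data point is enough to extrapolate.
    """
    alpha, c = ALGORITHMS[algorithm]
    log_ratio = l_notation(bits, alpha, c) - l_notation(REF_BITS, alpha, c)
    return REF_MIPS_YEARS * math.exp(log_ratio)


def work_table(sizes=(429, 512, 700, 1024), algorithm="mpqs"):
    """Reproduce the table above as {key size in bits: estimated MIPS-years}."""
    return {bits: estimate_mips_years(bits, algorithm) for bits in sizes}


if __name__ == "__main__":
    for name in ("mpqs", "nfs"):
        for bits, work in work_table(algorithm=name).items():
            print(f"{bits:5d}-bit key: {work:12.3g} MIPS-years ({name.upper()} scaling)")
```

Run as a script it prints both tables; the MPQS scaling lands within
about ten percent of every entry above, which is the check that the
table really is the L[1/2] curve anchored at RSA129.  The same routine
is how to sanity-check any key-size claim quoted in MIPS-years: fix the
exponent, fix one reference point, and the rest is a ratio.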

The bottom line is that cracking a 1024-bit key using anything like
presently known factoring methods will probably not happen within the
lifetime of anyone reading this FAQ at the time of this writing
(1994).  A breakthrough in computer technology or algorithm efficiency
that threatens a 1024 bit key is likely to be so powerful that it will
threaten much larger keys as well, and then all bets are off!

Any successful attack on PGP with large key sizes is more likely to
come from exploiting other aspects of the system (such as the prime
number generation algorithm) than by brute-force factoring of keys.
Given this, it is not at all clear that key sizes larger than 1024
bits provide increased security in any practical sense.

Nevertheless, RSADSI has granted MIT permission to modify RSAREF to
increase the key size, and larger keys will be supported in a future
PGP release.  These larger keys, however, will not be manipulated by
PGP 2.6 and earlier releases, so users will need to upgrade in order
to use them.

***

Q: There is no patent problem with using PGP 2.3a outside the U.S.
Isn't it offensive to impose a change on PGP users around the world
to accommodate a legal problem in the U.S.?

A: To quote from the PGP 2.6 manual:

        Outside the United States, the RSA patent is not in force, so
        PGP users there are free to use implementations of PGP that
        do not rely on RSAREF and its restrictions.  Hopefully,
        implementors of PGP versions outside the US will also switch
        to the new format, whose detailed description is available
        from MIT.  If everyone upgrades before 1 September 1994, no
        one will experience any discontinuity in interoperability.

We apologize to PGP users outside the U.S.  We are asking them to
undergo the inconvenience of making a change to the non-U.S. version
of PGP for no technical reason.  We hope that the effect of this
change, which will remove any legal controversy from the use of PGP in
the U.S., will benefit PGP users outside the U.S. as well as within
the U.S.

***

Q: How can PGP users outside the U.S. upgrade, if PGP 2.6 might be
subject to U.S. export controls?

A: The format change that will become effective on September 1, 1994
can be accomplished by a simple modification to the PGP 2.3a code,
which was developed outside the U.S.  MIT has published the new format
specification.  Consequently, a non-U.S. version of PGP that
interoperates with PGP 2.6 can be produced without the need
for anyone to attempt to export PGP software from the U.S.

***

Q: With this incompatible change, what provisions are being made for
users of ViaCrypt PGP (PGP 2.4) ?

A: ViaCrypt has announced a new release of their product, called PGP
2.7, that supports both the old and new formats.  They will also
provide upgrade kits for users for version 2.4.  For further
information, contact

    Paul E. Uhlhorn
    Director of Marketing, ViaCrypt Products
    Mail:          2104 W. Peoria Ave
		   Phoenix AZ 85029
    Phone:         (602) 944-0773
    Fax:           (602) 943-2601
    Internet:      viacrypt@acm.org
    Compuserve:    70304.41

***

Q: Does PGP 2.6 use RSAREF version 1, or RSAREF 2.0?

A: PGP 2.6 uses RSAREF version 1.  PGP 2.5 used RSAREF version 2.0.
During the discussions that led to the creation of PGP 2.6, RSA Data
Security requested that MIT switch to RSAREF 1.  Furthermore, RSADSI
gave MIT formal written permission to make calls to internal program
interfaces in RSAREF 1, consistent with the RSAREF 1 license.  From
a technical standpoint, it doesn't matter which version of RSAREF is
used by PGP.  The major enhancements to RSAREF 2.0 have to do with
functionality not required by PGP.  Also, RSADSI's licensing
restrictions (which require non-commercial use only) do not differ
significantly between RSAREF 1 and RSAREF 2.  It is possible that
later releases of PGP from MIT may use a different release of RSAREF,
but we see no reason to do so at this time.

***

Q: What is PGP 2.5 and what is its status?

A: MIT initially released PGP 2.5 for beta test on May 9, 1994.
During the beta test period, we continued discussions with RSA Data
Security.  These discussions led us to decide to install the September
1 format change, as well as to use RSAREF 1 (see question above).  PGP
2.5 contained several important bugs that have been fixed in PGP 2.6.
PGP 2.5 does *not* contain the software necessary to understand
messages generated by PGP 2.6 after September 1. We therefore urge all
U.S.  users to upgrade to PGP 2.6 (or a subsequent version).

***

Q: What is PGP 3.0?

A: PGP 3.0 is an anticipated upgrade to PGP.  Unlike PGP 2.6, PGP 3.0
will be a major rewrite and reconstruction of the PGP internal
software.  PGP 3.0 might be ready before the end of 1994, but there
are no specific release plans yet.

***

Q: Will there be further incompatible changes to PGP?

A: Almost certainly.  As new features are added, the format of
messages and other data structures will no doubt be changed.  For
example, we have considered adding a new packet type for signatures
that places the signature at the end of a signed packet rather than
the beginning.  This will permit restructuring the PGP software so
that it can operate in one pass, with no need to create the numerous
temporary files that PGP now creates.  This will facilitate
applications that are not currently possible.  For example, a
one-pass PGP could be used to encrypt data to a tape drive during
backup.  This cannot be done with PGP today because it would need to
create temporary files that consume almost twice as much disk space as
the data being backed up!
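The one-pass layout described above, as an added example that is not
part of the original FAQ or of PGP's own source: a toy signed stream in
Python whose signature packet trails the data, preceded by a small
header that announces the hash algorithm so the verifier can hash bytes
as they arrive.  The packet framing (a 1-byte tag and a 4-byte length)
and the tag values are hypothetical, not PGP's cipher-type-byte format,
and an HMAC stands in for the RSA signature so the example runs without
a key pair; only the packet ordering is the point.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Iterator, Tuple

# Hypothetical framing for illustration only: 1-byte tag, 4-byte big-endian
# length, body.  Real PGP 2.x packets use a cipher type byte (CTB) instead.
TAG_ONEPASS_HEADER = 0x01   # announces the hash algorithm before any data
TAG_LITERAL = 0x02          # one chunk of the signed data
TAG_SIGNATURE = 0x03        # the signature, emitted after the last chunk

# Stand-in for an RSA signature: an HMAC over the final digest, so the example
# runs offline.  PGP 2.x hashed with MD5; sha256 is used here only so the
# example also runs on Python builds that disable MD5.
SIGNING_KEY = b"constructed-demo-key-not-a-real-pgp-key"
HASH_ALGO = b"sha256"


def _packet(tag: int, body: bytes) -> bytes:
    return struct.pack(">BI", tag, len(body)) + body


def sign_stream(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """One-pass signer: emits packets as the data streams through.

    Because the signature packet comes last, the signer never buffers or
    re-reads the plaintext.  A signature-first layout would have to hash the
    whole input before it could write the first packet, hence a temporary file.
    """
    h = hashlib.new(HASH_ALGO.decode())
    yield _packet(TAG_ONEPASS_HEADER, HASH_ALGO)
    for chunk in chunks:
        h.update(chunk)
        yield _packet(TAG_LITERAL, chunk)
    yield _packet(TAG_SIGNATURE, hmac.new(SIGNING_KEY, h.digest(), "sha256").digest())


def parse_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a byte string into (tag, body) pairs, rejecting truncated input."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated packet header")
        tag, length = struct.unpack(">BI", stream[pos:pos + 5])
        pos += 5
        if len(stream) - pos < length:
            raise ValueError("truncated packet body")
        yield tag, stream[pos:pos + length]
        pos += length


def verify_stream(packets: Iterable[Tuple[int, bytes]]) -> Tuple[bool, bytes]:
    """One-pass verifier: hashes data as it arrives, checks the trailing signature.

    Returns (signature_ok, data).  Data is collected only so the caller can see
    it; a real one-pass consumer would write it straight to its destination
    (a tape drive, say) and act on the verdict when the signature arrives.
    """
    h = None
    data = bytearray()
    for tag, body in packets:
        if tag == TAG_ONEPASS_HEADER:
            if h is not None:
                raise ValueError("duplicate header")
            h = hashlib.new(body.decode())
        elif tag == TAG_LITERAL:
            if h is None:
                raise ValueError("data before header: hash algorithm unknown")
            h.update(body)
            data += body
        elif tag == TAG_SIGNATURE:
            if h is None:
                raise ValueError("signature without header")
            expected = hmac.new(SIGNING_KEY, h.digest(), "sha256").digest()
            return hmac.compare_digest(expected, body), bytes(data)
        else:
            raise ValueError(f"unknown packet tag {tag:#x}")
    raise ValueError("stream ended without a signature packet")


def roundtrip(chunks: Iterable[bytes], tamper: bool = False) -> Tuple[bool, bytes]:
    """Sign the chunks, optionally flip one data byte in transit, then verify."""
    wire = b"".join(sign_stream(chunks))
    if tamper:
        # First byte of the first literal body: skip the header packet
        # (5 + len(HASH_ALGO) bytes) and the literal packet's 5-byte header.
        idx = 5 + len(HASH_ALGO) + 5
        wire = wire[:idx] + bytes([wire[idx] ^ 0xFF]) + wire[idx + 1:]
    return verify_stream(parse_packets(wire))


if __name__ == "__main__":
    # Constructed sample input standing in for backup blocks.
    sample = [b"backup block 1\n", b"backup block 2\n", b"backup block 3\n"]
    print("intact:  ", roundtrip(sample)[0])
    print("tampered:", roundtrip(sample, tamper=True)[0])
```

Move the signature packet to the front of the stream and the signer must
hold the entire input until hashing finishes, which is exactly the
temporary-file problem the answer describes; the verifier is happy with
either order, which is why the header need only carry the hash algorithm
and not the signature itself.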

***

Q: Will keys generated prior to PGP 2.6 continue to be usable?

A: Yes. PGP 2.6 will always be able to use keys created by prior
versions. New keys, generated *after* September 1 will *not* be
usable by prior versions of PGP. However we hope that all PGP users
will have upgraded to PGP 2.6 or better (or its non-U.S. equivalent)
by September.

***

Q: Why did MIT release PGP 2.6, when PGP 2.3 is already available?

A: Using PGP 2.3 in the U.S. potentially infringes patents licensed
exclusively to Public Key Partners by Stanford University and MIT.
This sticky patent situation has deterred the spread of PGP, because
many people and institutions did not wish to risk violating
intellectual property restrictions.

MIT has addressed this problem in PGP 2.6 by using RSAREF, which is
licensed by RSA Data Security, Inc. RSADSI acknowledges that PGP 2.6
is a legitimate RSAREF application.  The RSAREF license includes
rights to all of the relevant U.S. patents on public key cryptography
for non-commercial use.

***

Q: Will there be a version of PGP 2.6 for the Mac?

A: People are working on this, but it's not ready yet.  We hope it
will be available within a couple of weeks.

***

Q: Is MIT distributing PGP 2.6 to Canada?

A: No, or at least not yet.  There are some legal issues involved,
having to do with possible U.S. export control restrictions, and we're
getting advice on how to deal with these.  We hope to sort this out
next week.

***

Q: Who are the people who are working on the PGP 2.6 release?

A: People outside MIT working directly on the 2.6 release are Phil
Zimmermann and Colin Plumb.

People at MIT coordinating the PGP 2.6 release are Jeff Schiller, MIT
Network Manager; Hal Abelson, Prof. of Computer Science and
Engineering; Brian LaMacchia, graduate student in Computer Science;
and Derek Atkins, graduate student in Media Arts and Sciences.
Support from the MIT administration was provided by Jim Bruce, MIT
Vice-President for Information Systems; David Litster, MIT
Vice-President and Dean for Research; Karen Hersey, MIT Intellectual
Property Counsel; and John Preston, MIT Director of Technology
Development.

***

Q: Are there more questions?

A: Certainly.  If there are other questions about PGP 2.6 that you
think ought to be answered here, please send them to us (at
pgp-bugs@mit.edu) and we will try to include answers in future versions
of this FAQ.