
Welcome to Newsletter #7.
As promised last issue, I have more information about PGP 7.0. I've just installed PGP Desktop Security 7.0, and have read the readme file and scanned the User Guide looking for new features. I've only started playing around with it, but can give a few early observations.
Of course, it includes a fix for the ADK bug. But there are several new features as well.
PGP 7.0 allows a greater level of administrative "lockdown" control than previous versions when used in a corporate environment. PGPnet has been upgraded to include IDS Intrusion Detection to identify and block common network attacks. It also includes a Personal Firewall for configurable packet filtering, and intruder tracing.
PGPdisk now allows encrypted virtual drives to be created using either passphrase (conventional) encryption or public/private key encryption; previous versions only supported passphrase access.
To me, the most interesting new features are those involving key types and encryption algorithms. A new RSA key format has been introduced that supports the same extended features as DH/DSS -- including optional photograph and ADK. As far as I can determine, this doesn't affect the actual encryption algorithm, just the storage format of the key. It does mean that the new format RSA keys are not compatible with earlier PGP versions, so be careful about adopting them yet. Unfortunately, the new RSA keys are still limited to 2048 bits. The official versions of PGP have never supported generation of RSA keys larger than 2048 bits, but all of the unofficial CKT builds have supported much larger RSA keys. Since the new format keys are not backward compatible, I was disappointed that the maximum key size was not increased to at least 4096 bits. I don't expect to use the new RSA format.
More exciting is a new encryption algorithm for conventional encryption, the Twofish algorithm. This was one of the contenders for the new federal Advanced Encryption Standard (AES), which is intended to replace the aging DES. Twofish is "a relatively new, but well regarded 256-bit cipher" created by Bruce Schneier. I'm no expert here, but I think Twofish evolved from Schneier's 128-bit Blowfish algorithm. Cryptographers will draw their own conclusions, but other things being equal, a 256-bit algorithm is many orders of magnitude more secure than a 128-bit algorithm. I expect to make use of Twofish.
PGP now offers a plugin for recent versions of ICQ to support all of ICQ's "client-to-client communications." I hope to play with this a bit and report on it.
If I find other notable features in PGP 7.0, I'll report on them in a future issue.
Besides the official PGP 7.0 release, there has been a release from CKT of PGP 6.5.8ckt. I have been having some problems with downloads, and haven't been able to download the package. I did look at the readme file, however, and was not particularly impressed. The readme includes the version history, and this indicated that 6.5.8ckt was just a patch to 6.5.1ckt to fix the ADK bug. Two things about that disappoint me. First, with all the tweaking of PGP sources that CKT has done, it is disappointing that they didn't find the bug. This isn't meant to condemn CKT; I just would have hoped they were looking deeply enough into the PGP code to notice it. Second, apparently they are calling their release 6.5.8ckt when in fact it is derived from official 6.5.1 source code. This tells me that other, perhaps subtle, improvements that PGP Inc made in 6.5.3 and 6.5.8 not related to the ADK bug may not be incorporated in the so-called PGP 6.5.8ckt. I do not fault CKT for releasing a patched 6.5.1ckt to fix the ADK bug, but if that is all that was done, it should not have been called 6.5.8ckt, as doing so leads to confusion over feature sets for anyone trying to compare the CKT offerings to other PGP releases.
At least for now, my preference is the official PGP Desktop Security 7.0. I have previously used Desktop Security versions 6.5.3 and 6.5.8, and was happy with them. I'm not willing to give up other ongoing code improvements in the official versions for the cool but non-essential features of the CKT versions.
For those who may be wondering, the Desktop Security versions are commercial versions, and are not intended for free public distribution. If you want a free version you can choose from the official PGP Inc Freeware releases, the PGPi releases, or the CKT releases. In general, for a given version number, the PGP Inc Freeware release has the smallest feature set. The PGPi release gives back key and algorithm options that are limited in the PGP Inc Freeware release. The CKT release adds unique features such as support for large key sizes and the ability to customize the version ID string. The commercial Desktop Security release includes major components not present in any of the freeware releases, such as PGPdisk and PGPnet. Desktop Security is available alone for about $80 or as part of larger packages priced at $220 to $250. Quantity discounts are available. It may be purchased online from PGP Inc. See my main PGP page for links to the free versions.
Until next newsletter.....
-------------------- Jim Saraske --------------------

Copyright © 1999,2000 -- All rights reserved