JSaraske's PGP Newsletter #8


Welcome to Newsletter #8. First, a correction to a statement in Newsletter #7. I stated that PGP 6.5.8ckt was derived from the PGP 6.5.1 source code from NAI. The following quote is from an e-mail I received from Imad Faiad, who maintains the CKT versions of PGP:

In your latest issue you state that PGP 6.5.8ckt is based on PGP 6.5.1. This is not the case; in the 6.5.8ckt build, the source code for PGP 6.5.8, which was published by NAI, was used.

I started from a fresh set of the base 6.5.8 source code, then ported all the ckt modifications to it.

So, PGP 6.5.8ckt has all of the NAI bug fixes.

Also, ckt did have a fix for the ADK bug. This was implemented in 6.5.1ckt Build07. Shortly after NAI released the source code for 6.5.8. Build07 was retired and we moved to the 6.5.8 code base. I published the source code fix for the ADK bug on usenet, on 09/19/2000:-
http://x62.deja.com/getdoc.xp?AN=671403404&CONTEXT=972850550.1800732752&hitnum=0

FYI 6.5.1ckt Build 07 was released on 09/20/2000. 6.5.8ckt Build01 was released three days later.

Apologies to Imad Faiad, and to all my readers, for the erroneous information.

A little more information about PGP 7.0. I found an apparent bug in key generation. Whenever I attempt to generate a 4096-bit DH/DSS key, the key generator hangs and never completes. The progress bar continues to update, so it looks like everything is going okay. The first time I tried this I waited 45 minutes (on a 750MHz Athlon with 128MB of RAM) before giving up and aborting. I found the key had actually been added to my keyring, but when I looked at the key properties I found some inconsistencies, and deleted the key. I re-tried this several times, and always got a hang. These attempts, however, did not place a key on the keyring when I aborted.

I confess, I hadn't generated keys in a while, and so was not too familiar with the expected key generation time for various key types and lengths on various processors. Still, 45 minutes without completion on a fast machine seemed excessive. I tried other, shorter, key lengths and although some took a while, none took anywhere close to 45 minutes. In limited testing using PGP 7.0, I was able to generate a 4088-bit DH/DSS key in 3 to 5 minutes. A 2048-bit DH/DSS key only took about 2 minutes.

I decided to do some testing with other versions of PGP. I uninstalled PGP 7.0 and installed PGP 6.5.8ckt (don't try to have both installed at once). I generated several keys of various types and lengths. The ckt versions allow longer keys than the official releases, and I made use of this feature. Before starting this test, I thought a single average generation time for each combination of key length and type would be sufficient. But after seeing how wildly key generation times vary, it was clear I needed to include all the individual test times as well as averages. Here are the results:

PGP 6.5.8ckt Key Generation Timings (min:sec)

4096-bit DH/DSS keys
  Times: 1:31, 2:05, 0:41, 20:30, 5:58
  Avg: 6:03
  Hint: If keygen does not complete in 5 minutes, cancel and start over.

4096-bit RSA keys
  Times: 0:13, 0:35, 0:35, 0:23, 0:06
  Avg: 0:22
  All keygen times were fast enough that no special procedures are needed.

4088-bit DH/DSS keys
  Times: 2:16, 2:46, 9:24, 5:07, 4:51
  Avg: 4:53

4088-bit RSA keys
  Times: 0:30, 0:08, 0:32, 0:31, 0:44
  Avg: 0:29

I did only a little testing with generating 8192-bit DH/DSS keys, as they were taking 20 minutes or more each. I plan more testing, which may include very long keys. But the next timings I want to check are for PGP Desktop Security 7.0. These (for DH/DSS keys) should be interesting to compare with the times for PGP 6.5.8ckt, as they should answer the question of whether 4096 bits is a pathological key size for PGP 7.0 or whether PGP 7.0 is just plain slow for generating all keys. Stay tuned.

Until next newsletter.....

-------------------- Jim Saraske --------------------


Copyright © 1999,2000 -- All rights reserved