Pretty Good Privacy? (PGP?) is a powerful cryptographic tool that provides privacy and strong authentication for users. As the de facto standard for data protection with over six million users, PGP enables you to store data and exchange messages securely. You can learn more about PGP technology at www.pgp.com and http://web.mit.edu/network/pgp.html. You can download PGP freeware without cost for personal, noncommercial use at http://web.mit.edu/network/pgp.html.

Some PC mail agents (notably Eudora) will decrypt the PGP message embedded within the message text. In that case, you can simply embed the [value mv_credit_card_info] call right in the message and be done with it. If your mailer will not decrypt on the fly, the best way to read the credit card number is to set up MIME encoding of the order email. To do this, find the order report you are using. In the standard demos it is pages/ord/report.html or etc/report.

Otherwise, if you're not quite that paranoid, PGP-2.6.2 is on the login servers in /usr/um/bin and /usr/um/pgp-2.6.2. Check it out.

The big unknown in any encryption scheme based on RSA is whether or not there is an efficient way to factor huge numbers, or if there is some backdoor algorithm that can break the code without solving the factoring problem. Even if no such algorithm exists, it is still believed that RSA is the weakest link in the PGP chain. It would be beyond the goal of this FAQ to discuss all possible attacks against or possible flaws in PGP.

The following list of bugs is limited to version 2.4 and later, and is limited to the most commonly seen and serious bugs. For bugs in earlier versions, refer to the documentation included with the program. If you find a bug not on this list, follow the procedure above for reporting it. The PGP 2.6.2 sources do not build under Linux/ELF. To build an ELF binary for PGP 2.6.2, two changes to source files 80386.S and zmatch.S are necessary.

PGP 5.x is backward compatible to PGP 2.6.x. It implies, that PGP 5.x can work with everything generated by PGP 2.6.x. Only if RSA keys are used with MD5 hashes and IDEA encryption, PGP 2.6.x can work with a PGP 5.x output. There is a small problem with DSS or ElGamal certificates of RSA keys: The PGP 2.6.x check of keyring (-kc) reports some strange errors. PGP 2.6.3in fixes this (negligible) bug. PGP 2.6.x and PGP 5.

Under UNIX, there's a PGP command line utility (pgpe) which does the encryption. However, under NT, PGP 5 is GUI based only. PGP 6.5.1 brings back the command line, but I haven't got it to work in conjunction with Soupermail yet. All is not lost though, as you can use the DOS version of PGP 5 under NT. A couple of caveats; Use an up to date version of perl. Activestate build 509 hung when calling PGP 5, build 518 seemed fine.

This is really a quick answer to the above question. For a more detailed explanation (relating to RSA versions only though :-() see the excellent "The PGP attack FAQ" [Inf96]. A thoroughly broken hash-function (e.g. where collisions can be found in computationally feasible time). This would allow an adversary to create second messages that hash to the same value as a first message, which implies that signatures can be forged.

PGP is used all over the world by human rights groups, human rights activists who are documenting the atrocities of death squads, interviewing witnesses and using that to keep track of human rights abuses, and they encrypt that stuff with PGP, and they tell me that if the government there could get their hands on it they would round up all the witnesses and kill them, after torturing them first. That's in Central America, and I talked to somebody working down there on it.

PGP is an evolving standard and as such is constantly improving. The following list highlights common gripes about cryptographic elements of OpenPGP: Disparity in signature key size for DSS. DH keys can be up to 4096-bits, signature keys limited to 1024-bits. Situation should change with the introduction of a new federal signature standard, but this could take some time. As a work-around implementations could offer ElGamal signatures greater than 1024-bits (as supported in the OpenPGP standard).

PGP is very widely available, so much so that a separate FAQ has been written by Micheal Paul Johnson for answering this question. It is called, Where to get the Pretty Good privacy program (PGP); it is posted in alt.security.pgp regularly, is in the various FAQ archive sites, and is also available online. Many of the previously mentioned versions, as well as older versions, are widely mirrored, for example at Zedz.net.