WHERE TO DOWNLOAD PGP

Mark Swearingen

mark@ephesus.com

Created Wednesday 2000 January 26

PGP stands for "Pretty Good Privacy," an encryption program written by Phil Zimmermann and published by Network Associates, Inc.

Domestic freeware downloads (within the USA or Canada):

MIT distribution site for PGP
http://web.mit.edu/network/pgp.html

International freeware downloads (outside the USA and Canada):

The International PGP Home Page
http://www.pgpi.org/

Buy registered software (worldwide):

Network Associates PGP Home Page
http://www.pgp.com/


Why Are There Separate Domestic and International Download Sites?

Because of their potential military application, computer programs with "strong encryption" capability have (until recently) been classified by U.S. Department of Commerce export regulations as a "munition," and their export outside the United States and Canada has been prohibited.

"Strong" encryption means the ability to encrypt or decrypt a message with an encryption key of longer than 40 bits.  However, current processor speeds mean that a message encrypted with such a key length is actually vulnerable to "cracking" by the "brute force" method of trying all possible keys.  (2^40 = 1,099,511,627,776, or approximately 1 trillion different possible keys.)

In fact, encryption keys of up to 56 bits have been cracked in this way, and I am currently participating in an organized effort to crack an even longer 64-bit key and thereby show that what the government calls "strong" encryption is actually quite weak and inadequate, given today's computer technology.

PGP has the ability to use symmetric "session" keys of up to 128 bits and private/public key pairs of up to 4,096 bits.  Therefore, because of these key lengths, it was illegal (until two weeks ago) to export the program outside the U.S.

In spite of these restrictions, however, users of PGP found a "loophole" which allowed a person outside the U.S. and Canada to obtain a copy of PGP legally, without violating U.S. export rules.  Unlike the executable program, the source code can be read by humans and is therefore protected as free speech by the First Amendment to the U.S. Constitution.  Hence, the source code for PGP was published in written form (over 12,000 pages!) and shipped overseas, where it was scanned in and re-compiled.  This "international" version of the executable program was then posted on web servers in Norway and other mirror sites worldwide, which are not subject to U.S. law.

For many software applications which use encryption (such as Netscape), there is an "international" version available which uses "weak" encryption of 40 bits and may therefore be exported in electronic form directly from the U.S. to other countries.  However, this is not the case with the international version of PGP.  Since it was created using the same source code, it is identical (in most respects) to the domestic version, except that it was compiled on computers outside the U.S. and Canada.

