RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)

Michael Roth mroth at
Tue Jul 20 13:57:10 CEST 1999


this is a small howto for frequently asked questions about RSA & IDEA in

To encrypt in an PGP2.6x compatible format or to check signatures from
RSA keys and sign other keys with a RSA key or decrypt PGP 2.6 created
messaged you need the IDEA and RSA modules. You should check if you need a
license for these patented algorithms first.

Compiling RSA:
* If you're inside the US or Canada you should use the RSAREF glue code
  for GnuPG. Get it from
  Of course you need the RSAREF library compiled and installed already.
  Take a look in the documentation of the RSAREF library for the way to
  do this.

  Compile the GnuPG RSAREF glue module with:

	gcc -Wall -O2 -shared -fPIC -o rsa rsaref.c /usr/lib/rsaref.a

  Please note: This line is a little bit different from the one noted in
  the RSAREF code for GnuPG but this is intended. 
  The path `/usr/lib/rsaref.a' is the location of the installed RSAREF
  library. If you installed the RSAREF library in a different place, you
  must change this path of course. To speak clearly: This is not the path
  of a GnuPG directory nor depends this path on GnuPG. This path depends
  on the place where you installed the RSAREF library.

* If you're outside the US or Canada please use the normal native RSA
  implementation for GnuPG:

  Compile the native RSA implementation with:

	gcc -Wall -O2 -shared -fPIC -o rsa rsa.c

  You don't need any additional libraries nor packages for the native RSA

Compiling IDEA:
* Get the idea source code from

  Compile this module with:

	gcc -Wall -O2 -shared -fPIC -o idea idea.c

Installing the compiled modules:
After you compiled these two modules you get two files `rsa' and `idea'
which are the modules you must install in the GnuPG module directory.
The default GnuPG module directoy is `/usr/local/lib/gnupg'. If you
compiled GnuPG with a different install prefix using "--prefix PREFIX"
when you configured your GnuPG source, then the module directoy is equal
to "PREFIX/lib/gnupg".
Copy the two files `rsa' and `idea' into the module directory described
above. Make sure everyone could read these files. You don't have to make
these files executale. These files aren't programms but shared modules.

Using the modules:
When you would like to use the installed modules you must tell GnuPG that.
GnuPG will never load modules automatically!
Their is an option "--load-extension MODULE" to tell GnuPG which
additional modules to load. Simply add these options to every call to
GnuPG when you would like to use RSA and/or IDEA:

	--load-extension rsa --load-extension idea

Of course you could also add these options to the GnuPG config file found
from the homedir in ".gnupg/options". Add the following lines:

	# load RSA & IDEA
	load-extension rsa
	load-extension idea

You could check proper compilation and installation of these modules with
the "--version" command of GnuPG. If you added the above lines to
your config file use "gpg --version". If you didn't changed your config
file, use:  "gpg --load-extension rsa load-extension idea --version"
No matter which way you choose, RSA and IDEA should appear in the cipher
and pubkey listings:

	Supported algorithms:
	Hash: MD5, SHA1, RIPEMD160

PGP 2.6 issues:
To encrypt in PGP 2.6 readable format, use these options to your normal
gpg commands additionally:

   --rfc1991 --cipher-algo idea --digest-algo md5 --compress-algo 1

Please note, PGP 2.6 could read the resulting message only if all keys you
used to encrypt or sign were RSA keys. If you used only one none RSA key,
PGP 2.6.x will fail. Further more, you must use files when encrypting.
PGP 2.6 is unable to process messages you encrypted using stdin/stdout
with GnuPG.
If you use shells like KMail, Geheimnis or GnomePGP it may be possible
that these programms use stdin/stdout to feed data to and from GnuPG. So
creating PGP 2.6 compatible messages with these tools might be not

Currently it is not possible to create PGP 2.6 compliant signatures with
GnuPG. However, you could decrypt and verify messages signed with PGP 2.6
using GnuPG without problems. The reason is that GnuPG doesn't use
tempfiles which were necessary to create PGP 2.6 compliant signatures. To
check such signatures it isn't necessary to use tempfiles. However, their
is work on a frontend to GnuPG in progress which will create PGP 2.6
compliants signatures. Please note: This tool is not yet finished.

You could not create convetionally encrypted messages readable for PGP 2.6
nor could you decrypt such messages created from PGP 2.6 with GnuPG.

I hope I could help a little bit.


More information about the Gnupg-devel mailing list