RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)
mroth at nessie.de
Tue Jul 20 13:57:10 CEST 1999
this is a small howto for frequently asked questions about RSA & IDEA in
To encrypt in an PGP2.6x compatible format or to check signatures from
RSA keys and sign other keys with a RSA key or decrypt PGP 2.6 created
messaged you need the IDEA and RSA modules. You should check if you need a
license for these patented algorithms first.
* If you're inside the US or Canada you should use the RSAREF glue code
for GnuPG. Get it from ftp://ftp.guug.de/pub/gcrypt/contrib/rsaref.c
Of course you need the RSAREF library compiled and installed already.
Take a look in the documentation of the RSAREF library for the way to
Compile the GnuPG RSAREF glue module with:
gcc -Wall -O2 -shared -fPIC -o rsa rsaref.c /usr/lib/rsaref.a
Please note: This line is a little bit different from the one noted in
the RSAREF code for GnuPG but this is intended.
The path `/usr/lib/rsaref.a' is the location of the installed RSAREF
library. If you installed the RSAREF library in a different place, you
must change this path of course. To speak clearly: This is not the path
of a GnuPG directory nor depends this path on GnuPG. This path depends
on the place where you installed the RSAREF library.
* If you're outside the US or Canada please use the normal native RSA
implementation for GnuPG: ftp://ftp.guug.de/pub/gcrypt/contrib/rsa.c
Compile the native RSA implementation with:
gcc -Wall -O2 -shared -fPIC -o rsa rsa.c
You don't need any additional libraries nor packages for the native RSA
* Get the idea source code from ftp://ftp.guug.de/pub/gcrypt/contrib/idea.c
Compile this module with:
gcc -Wall -O2 -shared -fPIC -o idea idea.c
Installing the compiled modules:
After you compiled these two modules you get two files `rsa' and `idea'
which are the modules you must install in the GnuPG module directory.
The default GnuPG module directoy is `/usr/local/lib/gnupg'. If you
compiled GnuPG with a different install prefix using "--prefix PREFIX"
when you configured your GnuPG source, then the module directoy is equal
Copy the two files `rsa' and `idea' into the module directory described
above. Make sure everyone could read these files. You don't have to make
these files executale. These files aren't programms but shared modules.
Using the modules:
When you would like to use the installed modules you must tell GnuPG that.
GnuPG will never load modules automatically!
Their is an option "--load-extension MODULE" to tell GnuPG which
additional modules to load. Simply add these options to every call to
GnuPG when you would like to use RSA and/or IDEA:
--load-extension rsa --load-extension idea
Of course you could also add these options to the GnuPG config file found
from the homedir in ".gnupg/options". Add the following lines:
# load RSA & IDEA
You could check proper compilation and installation of these modules with
the "--version" command of GnuPG. If you added the above lines to
your config file use "gpg --version". If you didn't changed your config
file, use: "gpg --load-extension rsa load-extension idea --version"
No matter which way you choose, RSA and IDEA should appear in the cipher
and pubkey listings:
Cipher: IDEA, 3DES, CAST5, BLOWFISH, TWOFISH
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Hash: MD5, SHA1, RIPEMD160
PGP 2.6 issues:
To encrypt in PGP 2.6 readable format, use these options to your normal
gpg commands additionally:
--rfc1991 --cipher-algo idea --digest-algo md5 --compress-algo 1
Please note, PGP 2.6 could read the resulting message only if all keys you
used to encrypt or sign were RSA keys. If you used only one none RSA key,
PGP 2.6.x will fail. Further more, you must use files when encrypting.
PGP 2.6 is unable to process messages you encrypted using stdin/stdout
If you use shells like KMail, Geheimnis or GnomePGP it may be possible
that these programms use stdin/stdout to feed data to and from GnuPG. So
creating PGP 2.6 compatible messages with these tools might be not
Currently it is not possible to create PGP 2.6 compliant signatures with
GnuPG. However, you could decrypt and verify messages signed with PGP 2.6
using GnuPG without problems. The reason is that GnuPG doesn't use
tempfiles which were necessary to create PGP 2.6 compliant signatures. To
check such signatures it isn't necessary to use tempfiles. However, their
is work on a frontend to GnuPG in progress which will create PGP 2.6
compliants signatures. Please note: This tool is not yet finished.
You could not create convetionally encrypted messages readable for PGP 2.6
nor could you decrypt such messages created from PGP 2.6 with GnuPG.
I hope I could help a little bit.
More information about the Gnupg-devel