GnuPG 1.0.6 versus PGP 2.6.3i
Johan Wevers
johanw@vulcan.xs4all.nl
Tue Sep 25 23:03:01 2001
Marek Schneider wrote:
> what would be "the better" choice due to security issues?
> GnuPG 1.0.6 or PGP 2.6.3i
Are you sure you don't want to start a holy war here? This is the kind of
question to trigger that.
I'll try to be as objective here as possible and describe the advantages
and disadvantages of both programs. Then you can decide for yourself which
program you trust most.
An advantage of 263ia over GnuPG is that 263ia has been around for many
years now and has been examined very thoroughly. No serious bugs are known,
but it is still vulnerable to the recently discovered man in the middle
attacks and the dangers when someone can edit your secret key, issues where
GnuPG has protections. It is further much less complex than GnuPG, so the
chance of having undetected bugs is smaller.
On the other hand, GnuPG uses more algorithms, both asymmetric and symmetric
ciphers, and hash functions. From a security point of view, the ciphers used
in 263ia (RSA and IDEA) are very well tested and no weaknesses are known,
except for a range of weak keys for IDEA. I must admit that I don't know
if 263ia tests if its generated session keys are in this range and then
calculates a new one or ignores this issue. However, the only criticism I
hear on this list on IDEA is that it is patented, not that it is insecure.
GnuPG offers the same algorithms as 263ia (IDEA only via a plugin), and some
more. As long as no better attacks against IDEA than brute force are known
the choice of the symmetric algorithm won't matter much from a security
point of view. For the asymmetric algorithm, DH keys seem to be much more
vulnerable to implementation bugs (as pgp 5.0i for Unix has shown), so I see
no direct _security_ advantages here (I consider the usage of different
encryption and signing keys that v4 keys offer (also v4 RSA keys that GnuPG
can use but not generate) and smaller signatures more as an ease of use
issue). A disadvantage of GnuPG is that it currently can't generate RSA
keys, but the next version will be able to. However, IMO then again the
"being around for some years without bugs found" argument is in favor of
263ia.
A disadvantage of 263ia is that it uses only one hash function, MD5, which is
unbroken, but since a not very much weakened version of MD5 is broken, usage
of MD5 for signing is considered a potential risk. GnuPG offers MD5, SHA-1,
RIPEMD160, and with plugins, TIGER192 and SHA256, 384 and 512 (the last 3
also require minor changes in the source when used for clearsigning).
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html