GnuPG 1.0.6 versus PGP 2.6.3i

Johan Wevers
Tue Sep 25 23:03:01 2001

Marek Schneider wrote:

> what would be "the better" choice due to security issues?
> GnuPG 1.0.6 or PGP 2.6.3i

Are you sure you don't want to start a holy war here? This is the kind of question to trigger that. I'll try to be as objective here as possible and describe the advantages and disadvantages of both programs. Then you can decide for yourself which program you trust most.

An advantage of 263ia over GnuPG is that 263ia has been around for many years now and has been examined very thoroughly. No serious bugs are known, but it is still vulnerable to the recently discovered man-in-the-middle attacks and the dangers when someone can edit your secret key, issues where GnuPG has protections. It is further much less complex than GnuPG, so the chance of having undetected bugs is smaller. On the other hand, GnuPG uses more algorithms, both asymmetric and symmetric ciphers, and hash functions.

From a security point of view, the ciphers used in 263ia (RSA and IDEA) are very well tested and no weaknesses are known, except for a range of weak keys for IDEA. I must admit that I don't know if 263ia tests if its generated session keys are in this range and then calculates a new one or ignores this issue. However, the only criticism I hear on this list on IDEA is that it is patented, not that it is insecure. GnuPG offers the same algorithms as 263ia (IDEA only via a plugin), and some more. As long as no better attacks against IDEA than brute force are known, the choice of the symmetric algorithm won't matter much from a security point of view.

For the asymmetric algorithm, DH keys seem to be much more vulnerable to implementation bugs (as pgp 5.0i for Unix has shown), so I see no direct _security_ advantages here (I consider the usage of different encryption and signing keys that v4 keys offer (also v4 RSA keys that GnuPG can use but not generate) and smaller signatures more as an ease of use issue). A disadvantage of GnuPG is that it currently can't generate RSA keys, but the next version will be able to. However, IMO then again the "being around for some years without bugs found" argument is in favor of 263ia.

A disadvantage of 263ia is that it uses only one hash function, MD5, which is unbroken, but since a not very much weakened version of MD5 is broken, usage of MD5 for signing is considered a potential risk. GnuPG offers MD5, SHA-1, RIPEMD160, and with plugins, TIGER192 and SHA256, 384 and 512 (the last 3 also require minor changes in the source when used for clearsigning).

--
ir. J.C.A. Wevers
// Physics and science fiction site:
// PGP/GPG public keys at
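
The post contrasts MD5-only signing in 2.6.3i with GnuPG's wider choice of hashes. The following added example (not part of the original post and not code from either program) reads binary OpenPGP signature packets and reports each signature's version, public-key algorithm and hash algorithm, flagging MD5. The function names, the `WEAK_HASHES` policy and the sample packets are constructed for illustration, and the input is assumed to be already de-armored.

```python
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD160", 6: "TIGER192",
          8: "SHA256", 9: "SHA384", 10: "SHA512"}
PUBKEYS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 20: "Elgamal"}  # IDs per RFC 2440/4880
WEAK_HASHES = {"MD5"}  # assumption: policy mirrors the post's concern about MD5
# Signature version -> body offsets of (pubkey algo, hash algo).
# v3: ver, 0x05, type, time(4), key ID(8), pk, hash.  v4: ver, type, pk, hash.
SIG_OFFSETS = {3: (15, 16), 4: (2, 3)}

def read_packet(data, pos):
    """Return (tag, body, next_pos) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                        # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            length, hdr = o1, 2
        elif o1 < 224:
            length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
        elif o1 == 255:
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                                   # old-format header, as PGP 2.6.x writes
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate lengths are not handled here")
        size = 1 << ltype                   # 1, 2 or 4 length octets
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
    body = data[pos + hdr:pos + hdr + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + hdr + length

def audit_signatures(data):
    """Return (version, pubkey, hash, is_weak) for every signature packet."""
    found, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag != 2:                        # tag 2 = signature packet
            continue
        if not body or body[0] not in SIG_OFFSETS or len(body) <= max(SIG_OFFSETS[body[0]]):
            raise ValueError("unsupported or truncated signature packet")
        pk, h = (body[i] for i in SIG_OFFSETS[body[0]])
        name = HASHES.get(h, f"unknown({h})")
        found.append((body[0], PUBKEYS.get(pk, f"unknown({pk})"), name, name in WEAK_HASHES))
    return found

# Constructed sample packets with dummy key ID and signature fields (not real signatures).
V3_MD5 = bytes([0x89, 0x00, 0x15, 3, 5, 0]) + bytes(12) + bytes([1, 1]) + bytes(4)
V4_SHA1 = bytes([0xC2, 10, 4, 0, 17, 2]) + bytes(6)
```

Calling `audit_signatures(V3_MD5 + V4_SHA1)` reports the v3 RSA/MD5 signature as weak and the v4 DSA/SHA-1 signature as not flagged under this policy.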