
Word of Warning — All versions of PGP are NOT created equally!

The Version: lines that are usually shown by default in PGP keys and PGP signature blocks often reveal which OS the person is using.

PGP/GPG Version strings:

You can tell a fair bit about a user’s PGP/GPG setup from their Version: string. Here are some typical examples:

Version: GnuPG v1.4.11 (GNU/Linux)

This key belongs to a Linux user.

Version: GnuPG v2.0.19 (MingW32)

This key belongs to a Windows user.

Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

This key belongs to a Mac OS X user.

Versions that should make you nervous:

Version: 9.9.0.397

This person is using the official PGP version, as published by Symantec. I’ve read statements by Kevin Mitnick that he no longer trusts PGP since it was acquired by Symantec. In his post, Mitnick refers to the case of Diskreet, which back in the early days was an encryption package sold by Symantec. This software purported to use the full 56-bit DES cipher algorithm, which was quite strong for its day. Mitnick stated that he acquired a copy of the Diskreet source code and discovered that the actual key was nowhere near 56 bits, but was incredibly weak. He went on to say that, based on his experience, he would not trust any version of PGP published by Symantec.

His caution is only underscored by the Snowden revelations earlier this Summer, which set out the NSA’s campaign of attempting to weaken or backdoor crypto.
I, for one, would not trust any closed-source crypto software published by an American company — that goes double for companies with a history like Symantec.

To the best of my knowledge, Symantec does not publish PGP source code, and as an American company, their crypto software is now suspect.

Versions of PGP that should make you run away screaming:

Versions of PGP with these Version: strings are based on the BouncyCastle Java crypto libraries. They should be avoided like the plague.

Version: BCPG v1.45
Version: BCPG v1.47

These versions of PGP are absolutely NOTORIOUS for generating MASSIVELY UNSAFE PGP keys by default. They typically generate DSS/Elgamal keys with a 1024-bit signing key and an encryption sub-key of as little as 512 bits.

By: Nightcrawler

512-bit keys are so unsafe that they were being broken by hobbyists on spare hardware a dozen years ago. 1024-bit keys were deprecated by NIST more than 3 years ago.

Version: BCPG C# v1.6.1.0

By default, this version of PGP generates a 1024-bit PGP key with NO encryption sub-key. Again, these keys are unsafe and obsolete.

Recommendations:

Any software that uses the Java BouncyCastle crypto libraries (like PortablePGP) should be avoided like the plague. These typically contain BCPG in the Version: string.

GPG4Win/Kleopatra/GPA are also deprecated — Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing and the other exclusively for encryption, have been standard since the fall of 2009.
GPA will not generate keys over 3072 bits in length.
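The checks described above (the Version: string and the OS hint it carries, the key and sub-key sizes behind the BCPG strings, and the missing encryption sub-key behind Kleopatra-style keys) can be run against any ASCII-armored public key without installing anything. The script below is an added example written for this page; it is not code from the original post or from any of the tools it names. It walks the OpenPGP packet framing from RFC 4880 (old- and new-format headers), reads the algorithm id and the bit length of the first MPI of every public-key and public-subkey packet, and flags anything under an assumed 2048-bit policy floor or a key with no encryption-capable sub-key. The platform-to-OS table is an assumption built from the strings listed earlier, and the three sample keys are constructed inside the script from real packet framing around dummy MPI values with a placeholder CRC line; they are not usable keys.

```python
import base64
from collections import namedtuple

# Assumed mapping from the platform tag in a Version: header to an OS (from the strings above).
PLATFORM_HINTS = {"GNU/Linux": "Linux", "MingW32": "Windows", "Darwin": "Mac OS X"}
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 16: "Elgamal", 17: "DSA"}
ENCRYPTION_CAPABLE = {1, 2, 16}   # algorithm ids that can serve as an encryption (sub)key
MIN_BITS = 2048                   # assumed policy floor; the post calls 512 and 1024 bits unsafe

KeyReport = namedtuple("KeyReport", "version platform keys warnings")  # keys: (role, algo id, bits)


def dearmor(text):
    """Split an ASCII-armored block into its headers and raw packet bytes (CRC line skipped)."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    headers, i = {}, 1
    while i < len(lines) and lines[i].strip():          # armor headers run until the blank line
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return headers, base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def parse_key_packet(body):
    """v4 key packet: version, 4-byte creation time, algorithm id, then MPIs.  The 2-byte bit
    count of the first MPI is the key size (n for RSA, p for DSA and Elgamal)."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return body[5], int.from_bytes(body[6:8], "big")


def audit_armored_key(text):
    headers, data = dearmor(text)
    version = headers.get("Version", "(none)")
    platform = next((os_ for hint, os_ in PLATFORM_HINTS.items() if hint in version), "unknown")
    keys, warnings = [], []
    if version.startswith("BCPG"):
        warnings.append("BouncyCastle (BCPG) version string: inspect key sizes")
    for tag, body in iter_packets(data):
        if tag in (6, 14):                               # public key / public subkey packets
            algo, bits = parse_key_packet(body)
            role = "primary" if tag == 6 else "subkey"
            keys.append((role, algo, bits))
            if bits < MIN_BITS:
                warnings.append(f"{role} {PK_ALGOS.get(algo, algo)} key is only {bits} bits")
    if not any(r == "subkey" and a in ENCRYPTION_CAPABLE for r, a, _ in keys):
        warnings.append("no encryption-capable subkey")
    return KeyReport(version, platform, keys, warnings)


# --- constructed samples: genuine packet framing around dummy MPI values, not usable keys ---
def _mpi(bits):
    value = 1 << (bits - 1)                               # top bit set so the length reads back as bits
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def _packet(tag, body):                                   # old-format header, 1- or 2-byte length
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _key_packet(tag, algo, bits):                          # DSA: p,q,g,y  Elgamal: p,g,y  RSA: n,e
    mpis = {17: [bits, 160, bits, bits], 16: [bits, bits, bits]}.get(algo, [bits, 17])
    return _packet(tag, bytes([4, 0, 0, 0, 0, algo]) + b"".join(_mpi(b) for b in mpis))

def _armor(version, *packets):
    b64 = base64.b64encode(b"".join(packets)).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", f"Version: {version}", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=CRC0", "-----END PGP PUBLIC KEY BLOCK-----"])     # CRC24 placeholder

UID = _packet(13, b"Sample User <sample@example.invalid>")
WEAK_BCPG_KEY = _armor("BCPG v1.47", _key_packet(6, 17, 1024), UID, _key_packet(14, 16, 512))
NO_SUBKEY_KEY = _armor("BCPG C# v1.6.1.0", _key_packet(6, 1, 1024), UID)
GOOD_GNUPG_KEY = _armor("GnuPG v1.4.11 (GNU/Linux)", _key_packet(6, 1, 4096), UID, _key_packet(14, 1, 4096))
```

Call audit_armored_key() on a key you have been handed (pasted straight from the armored text) and read the warnings list; for a key already imported into GnuPG, `gpg --list-packets` prints the same algorithm ids and MPI bit lengths that this script reads from the packets. The 2048-bit floor is a choice for this example, not a value from the post; tighten it to match your own policy.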

GPG4USB or Gnu Privacy Tray (GnuPT) are recommended, as they are:

* Easy to use

* Standards compliant

GnuPT, in particular, is frequently updated. Usually, when there is a new GPG version (e.g. 1.4.15), the GnuPT developers issue an update within a day or two, reflecting the change.

Download links:

GPG4USB: http://gpg4usb.cpunk.de/index.html

GnuPT: http://www.gnupt.de/ (Site is in German)

7 comments

  1. If I may elaborate on this as long as we’re going down the road of security, when downloading either of these please be sure to check the checksum after downloading. A MitM attack on you while downloading either GPG4USB or GnuPT would render the protection of PGP pointless.

    If you download a checksum utility, also use an online verifier to check the integrity of that utility. I have a decent portable utility but if anyone knows of a great one please point me in the right direction, I’ve found none that are great.

    I want to stress this as I believe it’s an all too often skipped step, and verifying downloads can be a very beneficial way to ensure your security. This applies no matter where you’re downloading from.

    Lastly, I’d recommend creating and storing the private key while offline. The same logic applies: creating and saving a private key while there is a possibility that you’ve already been tracked negates all security. To be even extra careful, boot into a live Linux environment that has never seen the internet.
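The checksum step the comment above describes is easy to get wrong by hand (eyeballing two 64-character hex strings). As an added example, not part of the comment or of either project's tooling, the script below reads a sha256sum-style manifest, hashes each listed download in chunks, and reports OK, FAILED or MISSING per file, comparing digests with a constant-time compare. The file names and manifest in demo() are constructed for the example and written into a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(manifest_text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name'); returns {name: hex}."""
    expected = {}
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if name.startswith("*"):               # binary-mode marker written by sha256sum -b
            name = name[1:]
        expected[name.strip()] = digest.lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, manifest_text):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in the manifest."""
    results = {}
    for name, digest in parse_sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):   # constant-time comparison
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: one intact download, one altered in transit, one never fetched."""
    intact = b"constructed installer bytes\n"
    original = b"what the publisher actually shipped\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tool-a.zip"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "tool-b.exe"), "wb") as f:
            f.write(original + b"<bytes added on the way down>")
        manifest = "\n".join([
            "# constructed manifest, as a publisher would post beside the files",
            f"{hashlib.sha256(intact).hexdigest()}  tool-a.zip",
            f"{hashlib.sha256(original).hexdigest()} *tool-b.exe",
            f"{'0' * 64}  tool-c.tar.gz",
        ])
        return verify_downloads(d, manifest)
```

One caveat worth keeping in mind: a manifest fetched from the same server over the same connection as the download only catches corruption, because an attacker who can rewrite the file can rewrite the published hash too. The manifest has to come from a separate channel, or be covered by a signature you can verify with a key you already trust, before a match means anything against a MitM.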

  2. Great point re taking yourself offline before storing private keys. I think at anytime when doing anything private, it’s a good idea to just go offline for a sec, do your thing, then go back online. A good hardware firewall/VPN is good too.
    Thx for the tip on checksum.

  3. Good Privacy Google

    I made a test with Kleopatra to disclose my PGP version. It was shown as Version: GnuPG v2. There is nothing related to it on this page. Is it a safe or unsafe version?

  4. I’d like to know more about your statement:
    “BouncyCastle Java crypto libraries. They should be avoided like the plague.”
    Why?
    That sounds rather vague, can you elaborate on this?
    Can you point us to some reliable literature on that topic?
    Anyone out there know about the weak points of Bouncy Castle?

    Thanks

  5. Pretty sure this article is pure FUD unbacked up by actual facts. No references are provided in this article to back up claims made about the insecurity of BCPG keys and extensive searching online finds nothing to back any of that up either. In fact, many of the statements in the article demonstrate a clear misunderstanding of how PGP works, and falsely attribute certain things as being insecure that would not actually weaken the security of your key and messages at all. This appears to be written by another amateur darknet user who got his misinformation from someone else also not qualified to know what they are talking about. I would take any security advice given on a website like this with a grain of salt and get your information from credible sources based in actual evidence, not delusional paranoid assumptions. I will take this whole comment back if someone can show a SINGLE case of a BCPG key being broken in the wild due to these alleged security problems that should be avoided like the plague.

  6. Hello, I use an Android and can’t use PGP. What program is good for me? And if you can, please explain step by step how to use it. THX to all (-;
