richtig
Music Is Emotion
Premium Member
join:2003-02-19
Australia

Anyone know Fileassurity OpenPGP?

From the company's web site the product looks like value for money:

»www.articsoft.com/produc ··· hart.htm

Does anyone have experience with this company, or its products? I am considering the $59 Fileassurity OpenPGP product. Any other comments?
eburger68
Premium Member
join:2001-04-28

richtig:

That is indeed an interesting product with an interesting feature set. Unfortunately, I don't have any experience with the company or the product, nor have I heard any reports from others.

I would point out, though, that not only does PGP 8.0 Personal Desktop compare favorably feature-wise (see below), but it's actually cheaper ($50 as opposed to $59).

As for features, PGP 8.0 Personal Desktop lacks only the following significant features found in the Articsoft product:

* free reader
* secure text editor
* some other minor differences (See below)

Here's ArticSoft's comparison of their product w/ PGP:

»www.articsoft.com/fileas ··· _pgp.htm

But note that they're comparing with what's now known as PGP Workgroup Desktop, which is designed as an enterprise product (thus the higher price), not PGP Personal Desktop, which has roughly the same feature set but is also cheaper than the ArticSoft product.

There are some other problems with their comparison, the biggest being that they neglect to mention PGP's PGPdisk, which makes the mass encryption of files and folders much more convenient than anything their product has to offer. PGPdisk comes with PGP Personal Desktop.

The other advantage that PGP Personal Desktop has over the ArticSoft product is the availability of the source code for peer review. PGP Corp. makes the source code for all their PGP products open for review, and that review process (which has been going on for years with PGP products) makes their products inherently more trustworthy.

Some additional info about PGP Personal Desktop:

PGP Personal Desktop
»www.pgp.com/products/per ··· dex.html

Product Features
»www.pgp.com/products/per ··· res.html

Data Sheet
»www.pgp.com/products/per ··· eet.html

Tech Specs
»www.pgp.com/products/per ··· ecs.html

Source Code
»www.pgp.com/products/sou ··· ode.html

PGP Store Prices & Ordering
»store.pgp.com/default.ph ··· cPath=79

I guess it comes down to the features that you were interested in. What were you planning to use the product for?

Best,

Eric L. Howes

eburger68 to richtig

richtig:

Out of curiosity, I downloaded and installed FileAssurity OpenPGP (FAOPGP) 2.02 trial version and played around with it for a while. What follows is a summary of what I found:

** Key Store **

FAOPGP protects your key store (which is equivalent to PGP's keyrings) with a password, which you must set at the end of the setup/installation. Once your key store is protected, you must logon to gain access to your keys and perform encryption/decryption, signing/verifying operations.

You can log on and off using the tray icon. Once you do logon, all those operations are automatic, meaning that you won't be prompted for the password used to protect a key when decrypting or signing files and messages. Once you're through using FAOPGP, you can log off, which protects your key store until you log on again.

This arrangement has the advantage of convenience, but that convenience comes at the price of security. Once you're logged on, anyone who sits down at the computer can access your private keys and use them automatically.

PGP gives you the option of convenience with passphrase caching for a specified period of time, but you also have the option of protecting your private keys continually (which means prompting for each and every operation that requires your private keys). With FAOPGP, you don't have that option.

** Key Management **

FAOPGP has its own key manager program, which resembles PGPkeys in some ways.

You can import standard PGP keys from ASCII Armored key files. When importing, you'll be prompted for the passphrase protecting the private key (if any). Once imported, though, that private key is protected by the key store passphrase. Once you're logged on, you have access to the private key and you won't be prompted for the passphrase when performing operations that require the private key.

The FAOPGP key manager doesn't provide as much detail in the main window about the keys in your key store as PGPkeys does, although you can bring up the "Advanced" box for individual keys and get more information about the keys.

The FAOPGP key manager has a number of root certs for CAs already installed.

FAOPGP also lets you create "groups," which allow for more efficient operations when dealing with groups of people. This is a feature that PGP doesn't have -- at least not the end user versions.

** Key Generation **

The FAOPGP key manager also lets you generate keys, although you don't have as many options as with PGP. You can generate the following keys:

* DH/DSS (2048/1024)
* RSAv4 (2048)

That's it -- no key sizes above 2048; no odd key sizes. FAOPGP will handle PGP keys of larger sizes (tested up to 4096), but you can't generate those larger key sizes.

PGP, by contrast, gives you many more options for key generation and allows you to generate those larger key sizes. Also, it will not generate RSAv3 keys (RSA keys are always RSAv4).

Still further, FAOPGP doesn't give you control over the symmetric encryption and hashing algorithms like PGP does. You're stuck with the defaults:

DH/DSS: AES256 / SHA1
RSAv4: AES256 / SHA1

Several other annoyances:

* The keygen wizard demands information beyond your name and email address (organization, address, county/state, country) and will not proceed without it. Just what this info is used for is beyond me, as it's not standard info for a PGP key's UserID and it doesn't appear on the "Advanced" properties box for the key in the key manager.

* You must specify a key expiration date. You cannot create keys that do not expire. Grrrr...

Key generation is roughly the same speed as PGP, and when you're finished, your new key appears in the key manager.

Unfortunately, FAOPGP does not prompt the user to generate a keypair, leading to potential confusion with new users because you must have a keypair in order to perform message and file operations (you cannot symmetrically encrypt files and password protect them).

You can export keys from the FAOPGP key manager. When exporting RSA keys you can select whether to export them to standard PGP .ASC files or export them to a digital certificate format (.P12/.P7B).

When exporting keys with private keys, you'll be prompted for a passphrase to protect the private key.

** File/Message Operations **

FAOPGP does allow you to set some preferences for file and message operations (e.g., file names, formats, destinations, etc.).

Message Operations:

Most message operations are handled through the Secure Text Editor. In the Secure Text Editor you can type text, then specify a key to encrypt to as well as a key to sign with.

Once you hit the "Protect text" button, the text you typed is encrypted and signed, leaving you with an ASCII Armored text block that can be copied and pasted into an email program. In fact, the text block is automatically copied to the clipboard for you. This text block can be decrypted and verified just fine by PGP.

This arrangement is much more inconvenient than PGP's methods for encrypting and signing email messages. PGP allows you to type text directly in your email program, then encrypt and sign with either an email plugin or with the PGPtray Current Window or Clipboard functions. You can also specify Hot Keys for these operations.

This Secure Text Editor does, theoretically, have the advantage of preventing plain text from escaping into other Windows memory areas, but just how "secure" it is is not known.

One big annoyance: you cannot clearsign text. When signing text messages but not encrypting them, the entire text is protected. FAOPGP will not leave the plaintext as is and simply append a signature for it. Funny enough, it can verify clearsigned messages.

You can decrypt email messages by copying the ciphertext to the clipboard and hitting the "Unprotect" button in the Secure Text Editor.

Again, this is much less convenient than PGP, which doesn't force you to open a separate program -- instead, you can decrypt either automatically with an email plugin or you can decrypt with PGPtray's Current Window or Clipboard options. You can also use Hot Keys for these operations.

One very big annoyance: message and file operations are VERY slow. Compared with PGP, FAOPGP takes a long time to encrypt and sign messages: 5 seconds (or thereabouts) compared with the almost instantaneous time for PGP.

File Operations:

When you open FAOPGP from the Start menu, you're presented with a file manager of sorts that allows you to perform operations on those files.

You can also encrypt, decrypt, sign, and verify files using the context menu options from within Windows Explorer. When you elect to "Protect" a file from the context menu, you're presented with a dialog box asking you to specify the key to encrypt to, the key to sign with, and the destination or output. The default output is a binary .PGP file (though that can be changed to .ASC).

If you select email as an output, FAOPGP automatically sends the .PGP file to your default email program as an attachment. While convenient, this is not a significant advantage over PGP, which also allows you to create .PGP files that can be sent as attachments (you simply have to attach the .PGP file yourself to your message).

If you select "Archive" as an output, FAOPGP doesn't create a self-decrypting archive (like PGP does); neither does it create a password protected and encrypted .ZIP file, like WinZip does. What it does is create a non-password-protected .ZIP file with the encrypted .PGP file inside. That's it. PGP's self-decrypting archives are much more useful and versatile because they don't require the recipient or user to have a PGP compatible program or a keypair that can be used for encryption/decryption.

One big annoyance: you cannot create detached signatures for files (nor does FAOPGP know what to do with detached sig files).

One final annoyance: you cannot symmetrically encrypt files and protect them with a password. You must have a keypair.

You can also decrypt and verify files using the context menu within Windows Explorer.

Files encrypted and signed with FAOPGP decrypt and verify just fine in PGP.

Interestingly, when encrypting and signing files, you can also elect to create a text message to go along with the encrypted & signed file. When you hit the "Protect" button, the file is encrypted to a .PGP file, your text message is encrypted and signed to an ASCII Armor text block, and both file and text block are sent to your default email program.

Again, I don't see any huge improvement over the way PGP handles this combo. In PGP, you can type your text message into your email program and encrypt/sign it with a plugin or PGPtray. Then you can encrypt and sign a file and attach it to your message. The end product is the same.

** Summary **

So, in summary, FAOPGP is certainly interesting. It is roughly compatible with PGP:

* It generates encrypted and signed files and messages that are fully compatible with PGP.
* It decrypts and verifies files and messages generated by PGP.
* It can use and generate PGP compatible keys.

It does have several significant drawbacks:

* It cannot generate RSAv4 and DH/DSS key sizes larger than 2048/1024.
* It cannot generate smaller key sizes or odd key sizes.
* It cannot generate RSAv3 keys.
* It cannot generate keys without an expiration date.
* It does not allow the user to specify symmetric encryption and hashing algorithms.
* The keygen wizard demands useless information.
* The key manager is poorly laid out.
* The key store system is convenient, but forces you to leave your private keys unprotected, unlike PGP which gives you the option of trading off security for convenience.
* Message operations are a pain, requiring the use of a separate program. There is nothing as convenient as PGP's email plugins or PGPtray.
* It cannot clearsign messages (though it can handle them).
* It cannot create symmetrically encrypted, password-protected files.
* It cannot create self-decrypting archives.
* It cannot generate detached signatures for files (nor can it handle them).
* File and message operations are very slow compared with PGP.

In short, the latest versions of PGP (including PGP 8.0 Personal Desktop and Freeware as well as PGP 6.5.8ckt build 08 or 09 beta 3) are much more functional, versatile, powerful, and easy to use.

Moreover, PGP 8.0 Personal Desktop ships with PGPdisk, for which there is no equivalent in FAOPGP.

Finally, PGP 8.0 Personal Desktop is cheaper than FAOPGP. And, of course, PGP 8.0 Freeware is completely free.

If you're not interested in PGPdisk or the email plugins, then save your money and download PGP 8.0 Freeware. If you're interested in the email plugins and PGPdisk, then save yourself $9.00 and go with PGP 8.0 Personal Desktop. Both are a better bargain and much more trustworthy than FAOPGP.

** Notes **

FileAssurity OpenPGP 2.02 can be downloaded from:
»www.articsoft.com/products.htm

The online manual for FileAssurity OpenPGP 2.02 can be found here:
»www.articsoft.com/fileas ··· ndex.htm

PGP 8.0 Personal Desktop can be purchased from PGP.com:
»www.pgp.com/products/per ··· dex.html

PGP 8.0 Freeware can be downloaded from:
»www.pgp.com/products/fre ··· are.html

Notes on installing and using PGP 8.0 can be found here:
»www.staff.uiuc.edu/~ehow ··· p8fw.htm

PGP 6.5.8ckt build 08 or 09 beta 3 can be downloaded from:
»ftp://ftp.zedz.net/pub/crypto/ ··· 658_ckt/

Notes on PGP 6.5.8ckt can be found here:
»www.staff.uiuc.edu/~ehow ··· kt-about

Best,

Eric L. Howes
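
As an added example (mine, not code from the thread, ArticSoft or PGP Corp), here is a small Python module that builds and parses the RFC 4880 ASCII armor the post above keeps referring to and classifies a text block into the kinds Eric distinguishes: clearsigned, signed-only with the whole text inside the armor, detached signature, symmetrically (password) encrypted, and encrypted to a public key. The key ID and the zero-filled signature and ciphertext bodies are constructed placeholders, not valid cryptographic material; only the packet headers are real, which is all the classifier reads. It also shows why a corrupted armor block is rejected by the CRC-24 check before any key is touched.

```python
"""OpenPGP ASCII-armor framing and message-type classifier (RFC 4880 sections 4.2, 6).
Added example, not code from ArticSoft, PGP Corp or the thread.  Packet bodies
below are zero-filled PLACEHOLDERS, not real signatures or ciphertext; only the
headers are meaningful, which is all the classifier reads."""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
MESSAGE_KINDS = {1: "encrypted to a public key",
                 3: "symmetrically encrypted (password only, no keypair)",
                 4: "signed-only, entire text inside the armor (not clearsigned)",
                 8: "compressed, not encrypted (how PGP normally wraps signed-only text)"}

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def packet(tag: int, body: bytes) -> bytes:  # new-format header, one-octet length
    if len(body) >= 192:
        raise ValueError("one-octet length only; enough for these samples")
    return bytes([0xC0 | tag, len(body)]) + body

def first_tag(data: bytes) -> int:  # tag of the first packet, old- or new-format header
    if not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def armor(block_type: str, data: bytes, headers=()) -> str:
    """Radix-64 armor with the '=XXXX' CRC-24 trailer."""
    b64 = base64.b64encode(data).decode()
    lines = [f"-----BEGIN PGP {block_type}-----", *headers, ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode(),
              f"-----END PGP {block_type}-----"]
    return "\n".join(lines) + "\n"

ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<type>[A-Z ]+)-----\n(?:[^\n]+\n)*\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)\n=(?P<crc>[A-Za-z0-9+/]{4})\n"
    r"-----END PGP (?P=type)-----")

def dearmor(text: str):
    """Return (block type, raw packet bytes); raise if the CRC-24 does not match."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no armored block found")
    data = base64.b64decode(m.group("body").replace("\n", ""))
    if crc24(data) != int.from_bytes(base64.b64decode(m.group("crc")), "big"):
        raise ValueError("armor CRC-24 mismatch: block corrupted or tampered")
    return m.group("type"), data

def armor_ok(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False

def classify(text: str) -> str:
    """Name the kind of OpenPGP text block in the terms used in the thread."""
    if text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        # Clearsigned: the plaintext stays readable and an armored signature follows it.
        dearmor(text[text.index("-----BEGIN PGP SIGNATURE-----"):])
        return "clearsigned (readable plaintext + appended signature)"
    block_type, data = dearmor(text)
    tag = first_tag(data)
    if block_type == "SIGNATURE":
        return "detached signature"
    return MESSAGE_KINDS.get(tag, f"{block_type}: first packet tag {tag}")

def tamper(text: str) -> str:
    """Change one radix-64 character of the body; the CRC-24 check should then fail."""
    lines = text.split("\n")
    i = lines.index("") + 1                     # first body line follows the blank line
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)

# Constructed samples.  KEY_ID is an assumed value; tag numbers and the leading
# header octets of each body follow RFC 4880, the rest is zero filler.
KEY_ID = bytes.fromhex("0123456789ABCDEF")
ONE_PASS = packet(4, bytes([3, 0x01, 2, 17]) + KEY_ID + b"\x01")   # v3, text sig, SHA1, DSA
LITERAL = packet(11, b"t\x00" + b"\x00" * 4 + b"hello world\n")     # text, no filename, date 0
FAKE_SIG = packet(2, bytes([4, 0x01, 17, 2]) + b"\x00" * 20)        # v4 signature, placeholder
SKESK = packet(3, bytes([4, 9, 3, 2]) + b"\x00" * 8 + b"\x60")      # v4, AES256, iterated S2K, SHA1
PKESK = packet(1, bytes([3]) + KEY_ID + bytes([16]) + b"\x00" * 8)  # v3, Elgamal, placeholder MPIs
CIPHERTEXT = packet(18, b"\x01" + b"\x00" * 16)                     # placeholder SEIPD body

SIGNED_ONLY = armor("MESSAGE", ONE_PASS + LITERAL + FAKE_SIG)   # what FAOPGP emits when signing text
DETACHED = armor("SIGNATURE", FAKE_SIG)                         # a detached .sig, which FAOPGP cannot make
CLEARSIGNED = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello world\n" + DETACHED
SYMMETRIC = armor("MESSAGE", SKESK + CIPHERTEXT)                # password-only, no keypair needed
PUBKEY_ENC = armor("MESSAGE", PKESK + CIPHERTEXT)
```

Import the module and call `classify()` on any of the five samples (or on a real block pasted from an email) to see which form it is; `armor_ok(tamper(SIGNED_ONLY))` returns False, which is the CRC-24 doing its job as a transport-integrity check. The CRC is not a security control: it catches mangled pastes, not an attacker, who can simply recompute it. Only the signature packet (placeholder here) carries authenticity.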

eburger68 to richtig

richtig:

To round out my comparison of FAOPGP with PGP 8.0 Personal Desktop, let me return to the FAOPGP/PGP comparison on this page:

»www.articsoft.com/fileas ··· _pgp.htm

That page lists the following features as missing or comparatively deficient in PGP:

1. Secure archives (.zip files)

I don't understand this one. FAOPGP does not create "Secure archives" as most folks understand them. It creates .ZIP files with encrypted .PGP files inside them. The .ZIP archive itself is not secure. Not only can you do this with PGP (create .PGP file then embed in a .ZIP file), but you can do one better: you can create a self-decrypting archive that does not require the recipient user to have a PGP compatible program or a key pair.

2. Secure file deletion (US Gov DOD standards)

I don't understand this one either. PGP does secure deletion (not as well as, say, Heidi Eraser), but it does do secure deletion. The "US Gov DOD standards" is a bit of a bugaboo -- there's much debate as to what this means. Different agencies have different procedures/requirements.

3. Secure text editor

PGP is indeed missing this and it would be a nice addition. PGP does have a secure reader, though. And PGP's memlock driver protects your secret key.

4. Trusted Authorities - no need to import root certificates in order to verify keys signed by a Certificate Authority

Yes, FAOPGP does include a number of root certs for major CAs by default. This is a minor advantage over PGP, but only minor as many certs exported from email programs like Outlook Express will include the entire cert chain in the exported cert. When you import that cert, you'll get all the certs in the path, up to and including the root cert for the CA.

5. Group support (can allocate users into groups for easy selection)

PGP doesn't have this. Might be nice. I think PGP's enterprise offerings address this deficiency, but for end users this function is missing.

6. Free Reader (decryption / verification of files)

This is a dubious advantage. PGP can create self-decrypting archives that don't require the user to have any additional program at all.

7. Cost of Ownership

The price comparisons on the page are completely misleading as FAOPGP is compared against PGP's enterprise offerings (Workgroup Desktop), not PGP's Freeware and Personal Desktop offerings, which are in fact cheaper than FAOPGP.

Bottom line: compare the very few advantages that FAOPGP has over PGP in the above list versus my own list (previous post) of what PGP has over FAOPGP.

FAOPGP is certainly an interesting application, and it's good to see more OpenPGP compliant products on the market. It still has a ways to go, though, before it can be considered to be a true alternative to PGP.

Best,

Eric L. Howes

richtig

Thank you for a most comprehensive analysis, Eric.

Perhaps the one thing which attracted me to ArticSoft's product was, in a sense, the non-integration with an email client. I believed, perhaps wrongly, that this seemed to provide a way to work with Mozilla Mail, which currently has neither PGP nor S/MIME support.

I definitely need to think a lot more about this...
eburger68

richtig:

A couple of points:

1) PGP *can* work with Mozilla mail -- even though there's no plug-in, you can use:

* PGPtray - Current Window
* PGPtray - Clipboard
* Hot Keys

See here for more details:

»www.staff.uiuc.edu/~ehow ··· #no-plug

2) Mozilla Mail *does* have S/MIME support -- you need to get a digital certificate from a CA like Thawte, though, in order to use it:

»www.thawte.com/html/COMM ··· dex.html

Best,

Eric L. Howes