richtig:
Out of curiosity, I downloaded and installed FileAssurity OpenPGP (FAOPGP) 2.02 trial version and played around with it for a while. What follows is a summary of what I found:
** Key Store **
FAOPGP protects your key store (which is equivalent to PGP's keyrings) with a password, which you must set at the end of the setup/installation. Once your key store is protected, you must log on to gain access to your keys and perform encryption/decryption, signing/verifying operations.
You can log on and off using the tray icon. Once you do log on, all those operations are automatic, meaning that you won't be prompted for the password used to protect a key when decrypting or signing files and messages. Once you're through using FAOPGP, you can log off, which protects your key store until you log on again.
This arrangement has the advantage of convenience, but that convenience comes at the price of security. Once you're logged on, anyone who sits down at the computer can access your private keys and use them automatically.
PGP gives you the option of convenience with passphrase caching for a specified period of time, but you also have the option of protecting your private keys continually (which means prompting for each and every operation that requires your private keys). With FAOPGP, you don't have that option.
** Key Management **
FAOPGP has its own key manager program, which resembles PGPkeys in some ways.
You can import standard PGP keys from ASCII Armored key files. When importing, you'll be prompted for the passphrase protecting the private key (if any). Once imported, though, that private key is protected by the key store passphrase. Once you're logged on, you have access to the private key and you won't be prompted for the passphrase when performing operations that require the private key.
The FAOPGP key manager doesn't provide as much detail in the main window about the keys in your key store as PGPkeys does, although you can bring up the "Advanced" box for individual keys and get more information about the keys.
The FAOPGP key manager has a number of root certs for CAs already installed.
FAOPGP also lets you create "groups," which allow for more efficient operations when dealing with groups of people. This is a feature that PGP doesn't have -- at least not the end user versions.
** Key Generation **
The FAOPGP key manager also lets you generate keys, although you don't have as many options as with PGP. You can generate the following keys:
* DH/DSS (2048/1024)
* RSAv4 (2048)
That's it -- no key sizes above 2048; no odd key sizes. FAOPGP will handle PGP keys of larger sizes (tested up to 4096), but you can't generate those larger key sizes.
PGP, by contrast, gives you many more options for key generation and allows you to generate those larger key sizes. Also, it will not generate RSAv3 keys (RSA keys are always RSAv4).
Still further, FAOPGP doesn't give you control over the symmetric encryption and hashing algorithms like PGP does. You're stuck with the defaults:
DH/DSS: AES256 / SHA1
RSAv4: AES256 / SHA1
Several other annoyances:
* The keygen wizard demands information beyond your name and email address (organization, address, county/state, country) and will not proceed without it. Just what this info is used for is beyond me, as it's not standard info for a PGP key's UserID and it doesn't appear on the "Advanced" properties box for the key in the key manager.
* You must specify a key expiration date. You cannot create keys that do not expire. Grrrr...
Key generation is roughly the same speed as PGP, and when you're finished, your new key appears in the key manager.
Unfortunately, FAOPGP does not prompt the user to generate a keypair, leading to potential confusion with new users because you must have a keypair in order to perform message and file operations (you cannot symmetrically encrypt files and password protect them).
You can export keys from the FAOPGP key manager. When exporting RSA keys you can select whether to export them to standard PGP .ASC files or export them to a digital certificate format (.P12/.P7B).
When exporting keys with private keys, you'll be prompted for a passphrase to protect the private key.
** File/Message Operations **
FAOPGP does allow you to set some preferences for file and message operations (e.g., file names, formats, destinations, etc.).
Message Operations:
Most message operations are handled through the Secure Text Editor. In the Secure Text Editor you can type text, then specify a key to encrypt to as well as a key to sign with.
Once you hit the "Protect text" button, the text you typed is encrypted and signed, leaving you with an ASCII Armored text block that can be copied and pasted into an email program. In fact, the text block is automatically copied to the clipboard for you. This text block can be decrypted and verified just fine by PGP.
This arrangement is much more inconvenient than PGP's methods for encrypting and signing email messages. PGP allows you to type text directly in your email program, then encrypt and sign with either an email plugin or with the PGPtray Current Window or Clipboard functions. You can also specify Hot Keys for these operations.
This Secure Text Editor does, theoretically, have the advantage of preventing plain text from escaping into other Window memory areas, but just how "secure" it is is not known.
One big annoyance: you cannot clearsign text. When signing text messages but not encrypting them, the entire text is protected. FAOPGP will not leave the plaintext as is and simply append a signature for it. Funny enough, it can verify clearsigned messages.
You can decrypt email messages by copying the ciphertext to the clipboard and hitting the "Unprotect" button in the Secure Text Editor.
Again, this is much less convenient than PGP, which doesn't force you to open a separate program -- instead, you can decrypt either automatically with an email plugin or you can decrypt with PGPtray's Current Window or Clipboard options. You can also use Hot Keys for these operations.
One very big annoyance: message and file operations are VERY slow. Compared with PGP, FAOPGP takes a long time to encrypt and sign messages: 5 seconds (or thereabouts) compared with the almost instantaneous time for PGP.
File Operations:
When you open FAOPGP from the Start menu, you're presented with a file manager of sorts that allows you to perform operations on those files.
You can also encrypt, decrypt, sign, and verify files using the context menu options from within Windows Explorer. When you elect to "Protect" a file from the context menu, you're presented with a dialog box asking you to specify the key to encrypt to, the key to sign with, and the destination or output. The default output is a binary .PGP file (though that can be changed to .ASC).
If you select email as an output, FAOPGP automatically sends the .PGP file to your default email program as an attachment. While convenient, this is not a significant advantage over PGP, which also allows you to create .PGP files that can be sent as attachments (you simply have to attach the .PGP file yourself to your message).
If you select "Archive" as an output, FAOPGP doesn't create a self-decrypting archive (like PGP does); neither does it create a password protected and encrypted .ZIP file, like WinZip does. What it does is create a non-password-protected .ZIP file with the encrypted .PGP file inside. That's it. PGP's self-decrypting archives are much more useful and versatile because they don't require the recipient or user to have a PGP compatible program or a keypair that can be used for encryption/decryption.
One big annoyance: you cannot create detached signatures for files (nor does FAOPGP know what to do with detached sig files).
One final annoyance: you cannot symmetrically encrypt files and protect them with a password. You must have a keypair.
You can also decrypt and verify files using the context menu within Windows Explorer.
Files encrypted and signed with FAOPGP decrypt and verify just fine in PGP.
Interestingly, when encrypting and signing files, you can also elect to create a text message to go along with the encrypted & signed file. When you hit the "Protect" button, the file is encrypted to a .PGP file, your text message is encrypted and signed to an ASCII Armor text block, and both file and text block are sent to your default email program.
Again, I don't see any huge improvement over the way PGP handles this combo. In PGP, you can type your text message into your email program and encrypt/sign it with a plugin or PGPtray. Then you can encrypt and sign a file and attach it to your message. The end product is the same.
** Summary **
So, in summary, FAOPGP is certainly interesting. It is roughly compatible with PGP:
* It generates encrypted and signed files and messages that are fully compatible with PGP.
* It decrypts and verifies files and messages generated by PGP.
* It can use and generate PGP compatible keys.
It does have several significant drawbacks:
* It cannot generate RSAv4 and DH/DSS key sizes larger than 2048/1024.
* It cannot generate smaller key sizes or odd key sizes.
* It cannot generate RSAv3 keys.
* It cannot generate keys without an expiration date.
* It does not allow the user to specify symmetric encryption and hashing algorithms.
* The keygen wizard demands useless information.
* The key manager is poorly laid out.
* The key store system is convenient, but forces you to leave your private keys unprotected, unlike PGP which gives you the option of trading off security for convenience.
* Message operations are a pain, requiring the use of a separate program. There is nothing as convenient as PGP's email plugins or PGPtray.
* It cannot clearsign messages (though it can handle them).
* It cannot create symmetrically encrypted, password-protected files.
* It cannot create self-decrypting archives.
* It cannot generate detached signatures for files (nor can it handle them).
* File and message operations are very slow compared with PGP.
In short, the latest versions of PGP (including PGP 8.0 Personal Desktop and Freeware as well as PGP 6.5.8ckt build 08 or 09 beta 3) are much more functional, versatile, powerful, and easy to use.
Moreover, PGP 8.0 Personal Desktop ships with PGPdisk, for which there is no equivalent in FAOPGP.
Finally, PGP 8.0 Personal Desktop is cheaper than FAOPGP. And, of course, PGP 8.0 Freeware is completely free.
If you're not interested in PGPdisk or the email plugins, then save your money and download PGP 8.0 Freeware. If you're interested in the email plugins and PGPdisk, then save yourself $9.00 and go with PGP 8.0 Personal Desktop. Both are a better bargain and much more trustworthy than FAOPGP.
** Notes **
FileAssurity OpenPGP 2.02 can be downloaded from:
www.articsoft.com/products.htm
The online manual for FileAssurity OpenPGP 2.02 can be found here:
www.articsoft.com/fileas ··· ndex.htm
PGP 8.0 Personal Desktop can be purchased from PGP.com:
www.pgp.com/products/per ··· dex.html
PGP 8.0 Freeware can be downloaded from:
www.pgp.com/products/fre ··· are.html
Notes on installing and using PGP 8.0 can be found here:
www.staff.uiuc.edu/~ehow ··· p8fw.htm
PGP 6.5.8ckt build 08 or 09 beta 3 can be downloaded from:
ftp://ftp.zedz.net/pub/crypto/ ··· 658_ckt/
Notes on PGP 6.5.8ckt can be found here:
www.staff.uiuc.edu/~ehow ··· kt-about
Best,
Eric L. Howes
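The review distinguishes clearsigned text, "protected" (opaque) signed text, encrypted messages and detached signatures. The following added example, which is not part of the original post, tells these apart from the ASCII armor alone, using the armor labels, CRC-24 checksum and packet tags defined in RFC 4880. The `armor()` helper and all sample payloads are constructed for illustration.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----(.*?)-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 used for the '=XXXX' armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Hypothetical helper: wrap a constructed payload in an armor block."""
    body = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    head = f"-----BEGIN PGP {kind}-----\nVersion: constructed sample\n\n"
    return f"{head}{body}\n={check}\n-----END PGP {kind}-----\n"

def first_tag(payload: bytes) -> int:
    """Tag of the first packet: 6 bits in new-format headers, 4 bits in old."""
    head = payload[0]
    if not head & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return head & 0x3F if head & 0x40 else (head & 0x3C) >> 2

def classify(text: str) -> str:
    text = text.replace("\r\n", "\n")
    if "-----BEGIN PGP SIGNED MESSAGE-----" in text:
        return "clearsigned"             # plaintext readable, signature appended
    match = ARMOR.search(text)
    if not match:
        return "no armor"
    kind, block = match.groups()
    lines = block.partition("\n\n")[2].split()    # skip the armor headers
    check = [l for l in lines if l.startswith("=")]
    payload = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    if check and base64.b64decode(check[0][1:]) != crc24(payload).to_bytes(3, "big"):
        return "corrupt armor"
    if kind == "SIGNATURE":
        return "detached signature"
    tag = first_tag(payload)
    if tag in (1, 3):                    # public-key / passphrase session-key packet
        return "encrypted"
    if tag in (2, 4, 8, 11):             # signature, one-pass sig, compressed, literal
        return "opaque, not encrypted"
    return f"unknown (tag {tag})"
```

A result of "opaque, not encrypted" corresponds to the signed-only output the review describes: the text is wrapped and unreadable without OpenPGP software, but it is not confidential.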