|
Information Security
< Previous Next >
re: FIX Protocol & Encryption
Scott Atwell / American Century <>
5 Sep 2000 9:02AM ETAs a follow-up, a real crypto expert within the FIX community provided me this which provides a more detailed explanation:
===========================
This is a direct quote from 'An
Introduction to Cryptography', written by Phil Zimmerman and included with PGP from Network Associates. This might somewhat clarify the
discussions that are taking place regarding this.
"...PGP offers a selection of different secret key algorithms to encrypt the actual
message. By secret key algorithm, we mean a conventional, or symmetric,
block cipher that uses the same key to both encrypt and decrypt. The three
symmetric block ciphers offered by PGP are CAST, Triple-DES, and IDEA.
They are not "home-grown" algorithms. They were all developed by teams of
cryptographers with distinguished reputations.
"PGP public keys that were generated by PGP Version 5.0 or later have
information embedded in them that tells a sender what block ciphers are
understood by the recipient's software, so that the sender's software knows
which ciphers can be used to encrypt. Diffie-Hellman/DSS public keys accept
CAST, IDEA, or Triple-DES as the block cipher, with CAST as the default
selection. At present, for compatibility reasons, RSA keys do not provide
this
feature. Only the IDEA cipher is used by PGP to send messages to RSA keys,
because older versions of PGP only supported RSA and IDEA."
===================
> I believe the PGP software in use today with FIX uses the RSA cipher. That is, what's in use today is based upon ViaCrypt PGP as it was implemented in 1996 or an alternate implementation compatible with that.
>
>
> > As far as I know PGP does not identically define the crypting schema. Moreover, different versions of software realizes different schema. What can be understood under PGP crypto technology? Does it mean, for instance, that IDEA encryption is used? How can I provide compatibility and interoperability with other vendors?
> >
> > > Not exactly. PGP (Pretty Good Privacy) is one of several de-facto crypto "standards". It has been around for a while (originally developed by Phil Zimmerman). FIX's use of "PGP-DES-MD5" is a custom approach using three existing and understood crypto technologies. The reference implementation of how to implement "PGP-DES-MD5" which was published by a member of the FIX Committee back in 1996 used ViaCrypt PGP (firm's name changed from ViaCrypt to PGP Inc. and then later acquired by Network Associates) on Unix which had to be invoked from the command line. Thus the reference implementation "shells out" to the command line to invoke PGP. I know that the Windows version of this software is API-based and does not require command line invocation. PGP is also available in downloadable form from Ireland, I beleive.
> > >
> > > In short, FIX uses PGP but doesn't supply and didn't create PGP, rather FIX defined how PGP can be combined with the use of DES and MD5 to implement what we refer to as "PGP-DES-MD5". A white paper regarding how this is implemented and the reference implementation can be found under "Specifications", "App Notes".
> > >
> > >
> > > > As I understand, FIX standard is based on developed software (PGP) instead of developed encryption standards, isn't it?
> > > > So, to realize the encryption schema PGP-DES-MD5 I have to execute the external program PGP. Is that right?
> >
> >
>
re: FIX Protocol & Encryption
Scott Atwell / American Century 5 Sep 2000 9:02AM ET
|
