Anonymity
Privacy
Security
vanish.org
PGP
Download PGP
PGP Installation
Encrypting Mail
Decrypting Mail
Change Passphrase
Hash Function
Subkeys

PGP - Pretty Good Privacy



What is PGP?

PGP [ Pretty Good Privacy ] is a programme originally written by Phil Zimmerman. It is an encryption programme that used the RSA and IDEA ciphers for data encryption and integrity checking.

Note: You don't have to know or understand what IDEA, DES, RSA or even the concept of a CIPHER to use PGP.

PGP has become the de facto standard for encrypted communications over the Internet. The strong cryptographic algorithms employed, the open nature of the source code, informal peer review by civilian cryptographers, have all given PGP an aura of invincibility against potential eavesdroppers.

At the present, PGP's reputation seems justified. Modern cryptanalysis methods haven't discovered any glaring weaknesses and brute force attacks against 1024 bit and above keys are unrealistic. Barring undisclosed advances in factoring or quantum computing, we can speculate that government agencies have run into the same crypto-analytical roadblocks encountered by the civilian cryptographers.

Have you ever sent an E-mail containing information you didn't want other people to read? Of course you have. If you haven't, you will. What you probably didn't know is that the Internet protocols we use are quite insecure. Especially E-mail. Anyone who takes the time to find out how can read your E-mail, either by getting into your Internet server or by "watching" the data pass by on its way to the recipient.

What you need to do is put it in a digital envelope so that no-one can read it except the person who's supposed to get it. That's one of the things PGP does that has made it so popular. This process is called encryption and decryption. You, the sender, compose an E-mail and then pass it through PGP and encrypt it to the person you want to be able to read it. You can even choose multiple people if you're sending the message to two or three people. All you need is the recipient's public key.

What are Keys?

In public key cryptography, the category to which PGP belongs, each person has two keys, which are mathematically related (don't worry about it for now). They have a private key, which they keep to themselves and hide from other people at all costs (usually just a file on your harddrive or on diskette) and they have a public key which they give out freely to other people by E-mail, their web page or over the public key servers. If you have someone's public key, you can send a secret message to them. And only they can read it.

The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.

Click here to see a public key.

Let's assume the PUBLIC KEY viewed above is mine [it is not]. You are now able to store my PUBLIC KEY in your PGP programme and use my PUBLIC KEY to encrypt a message that only I can read. One beauty of PGP is that I am able to advertise my PUBLIC KEY in the same way that I able to distribute my telephone number. If you have my telephone number, you are able to ring me; however, you cannot answer my telephone. Similarly, if you have my PUBLIC KEY, you are able to send me mail; however, only I can read it.

Signatures?

What about signatures you put on paper letters? Or the fact that you recognise your friends' and collegues' voices over the phone when you speak to them? How can you replicate this kind of positive identification in the digital world? In case you didn't know, anyone can create an E-mail that looks like it came from you without much difficulty. This is easier than reading others' E-mail and in fact can cause more problems. Especially when you try to explain to your boss that you did not E-mail a pass to his wife.

Well, another interesting thing you can do with public key encryption is to reverse the operations and create signatures. (Just follow me for a minute, if you don't understand, it's ok, you can still do this without understanding how it works). PGP can generate a hash which represents the file or message you want to positively ID as being from you. It then encrypts it with your private key (instead of your public key) and anyone with your public key can decipher this hash. So what? Well, they can just as easily create a hash of the message they received and verify that the two hashes match. Plus, if they managed to decipher the encrypted version of the hash, they've proven that it was created with the private key that matches the public key they used to decipher it.

Do you really need something as powerful and versatile as PGP? Yes. If you're going to bother at all, you have to do a good job. Unlike driving a cheap car (which will still get from A to B), cheap cryptography doesn't (essentially) hide anything from prying eyes.

HELP! Don't worry, it's a bit more complex then that, but much easier to do. In most cases, you end up copying your message, pasteing it, clicking on a PGP icon, selecting "sign", typing in the passphrase PGP makes you use to secure your private key, and then re-pasteing in the now signed version. All the signature ends up being is about 5 lines of gibberish at the end of the message wrapped snuggly in "--- PGP SIGNATURE ---" tags.

Speed:

PGP is quite fast these days and computer technology is such that encryption and decryption take almost no time at all. Encrypting a 100k text file to myself took just ~ 1.8 seconds. Decrypting it took under 15 seconds, including the time to type my 20+ character passphrase. For these reasons, it's quite sensible to use a relatively large key-pair size, such as 2500 to 4000 bits. At some point around there, it becomes more mathematically feasible to guess your passphrase then to crack the code directly.

Security:

PGP is, in my mind (and many, many others) the best consumer and commercial grade encryption package available. Using methods like one-time pads are more secure, but are nearly impossible to use in normal circumstances (read: anywhere but the military, and it takes the military a lot of work to implement them too). If you are worried about your privacy at all, use PGP.

How difficult is it to learn PGP?

PGP has around two dozen commands.
It is a relatively easy programme to learn.
No harder than learning the basics of many other progz you are probably using now.

Summary:

PGP can be used to encrypt, with very high security, a message or a file to someone, without having to exchange a set of private encryption keys before-hand. It can also create a digital signature that can be verified to make sure messages received are from who they claim to be from.

Installing PGP
For a complete guide to help you set up PGP - Which version of PGP do I use ?     CLICK HERE




Vanish.Org Copyright © 2006 All rights reserved