Mike's Intro to PGP

(Michael T. Babcock <mikebabcock@pobox.com>)
Grab my PGP public keys


What is PGP?

You're about to get the 30 second history lesson. It's going to be pretty easy reading, but you can skip it if you prefer.

PGP stands for Pretty Good Privacy, a program originally by Phil Zimmermann. It is an encryption program that uses the RSA (public key) and IDEA (block) ciphers for data encryption and integrity checking instead of the traditional DES. Note: you don't have to know or understand what IDEA, DES or RSA are, or even what a cipher is, to use PGP.

PGP has evolved from a personal project of Phil's to being a de facto standard for E-mail encryption on the Internet. It became the primary product of PGP Incorporated, which has now merged with several other companies that now form Network Associates Incorporated.


The present

PGP now has a variety of ciphers it uses to encrypt / decrypt / sign and verify files or messages. These are less relevant than they sound, as PGP quite kindly hides them from you to a large degree. All you really need to know is that if you are using the free US version of PGP, you can't interact with people using older PGP clients; they'll have to upgrade to a more recent version.

Have you ever sent an E-mail containing information you didn't want other people to read? Of course you have. If you haven't, you will. What you probably didn't know is that the Internet protocols we use are quite insecure, especially E-mail. Anyone who takes the time to find out how can read your E-mail, either by getting into your Internet server or by "watching" the data pass by on its way to the recipient.

What you need to do is put it in a digital envelope so that no-one can read it except the person who's supposed to get it. That's one of the things PGP does that has made it so popular. This process is called encryption and decryption. You, the sender, compose an E-mail and then pass it through PGP (see the Tutorial) and encrypt it to the person you want to be able to read it. You can even choose multiple people if you're sending the message to two or three people. All you need is the recipient's public key.

What on earth is a public key? Secret or private key cryptography is the more traditional way of doing things, whereby you select a password or code, and you communicate it to the person receiving your message and they use that code to decipher it.

In public key cryptography, the category PGP falls into, each person has two keys, which are mathematically related (don't worry about it for now). They have a private key, which they keep to themselves and hide from other people at all costs (usually just a file on their hard drive or on diskette), and they have a public key, which they give out freely to other people by E-mail, their web page or over the public key servers (see my page on the keyservers). If you have someone's public key, you can send a secret message to them, and only they can read it.

What about signatures you put on paper letters? Or the fact that you recognise your friends' and colleagues' voices over the phone when you speak to them? How can you replicate this kind of positive identification in the digital world? In case you didn't know, anyone can create an E-mail that looks like it came from you without much difficulty. This is easier than reading others' E-mail and in fact can cause more problems. Especially when you try to explain to your boss that you did not E-mail a pass to his wife.

Well, another interesting thing you can do with public key encryption is to reverse the operations and create signatures. (Just follow me for a minute; if you don't understand, it's ok, you can still do this without understanding how it works.) PGP can generate a hash which represents the file or message you want to positively ID as being from you. It then encrypts it with your private key (instead of your public key) and anyone with your public key can decipher this hash. So what? Well, they can just as easily create a hash of the message they received and verify that the two hashes match. Plus, if they managed to decipher the encrypted version of the hash, they've proven that it was created with the private key that matches the public key they used to decipher it.


Robustness:

Do you really need something as powerful and versatile as PGP? Yes. If you're going to bother at all, you have to do a good job. Unlike driving a cheap car (which will still get from A to B), cheap cryptography doesn't (essentially) hide anything from prying eyes. For more information, see the Snake Oil FAQ.

HELP! Don't worry, it's a bit more complex than that, but much easier to do. In most cases, you end up highlighting your message, copying it, clicking on a PGP icon, selecting "sign", typing in the passphrase PGP makes you use to secure your private key, and then pasting in the now signed version. All the signature ends up being is about 5 lines of gibberish at the end of the message wrapped snugly in "--- PGP SIGNATURE ---" tags. Again, more detail that is easier to understand, with more examples, is found in my tutorial.

Feeling somewhat confused, but pretty sure you should get this tool and use it? Read my synopsis that follows, then go on to the books list if you prefer reading black on white print on paper, the links if you want to keep perusing through what I've collected in my web travels, or the tutorial for my (excellent?) introduction to actually using PGP.


Speed:

PGP is quite fast these days and computer technology is such that encryption and decryption take almost no time at all. Encrypting a 100k text file to myself took just ~ 1.8 seconds. Decrypting it took under 10 seconds, including the time to type my 20+ character passphrase. For these reasons, it's quite sensible to use a relatively large key-pair size, such as 2500 to 4000 bits. At some point around there, it becomes more mathematically feasible to guess your passphrase than to crack the code directly.


Security:

PGP is, in my mind (and many, many others'), the best consumer and commercial grade encryption package available. Methods like one-time pads are more secure, but are nearly impossible to use in normal circumstances (read: anywhere but the military, and it takes the military a lot of work to implement them too). If you are worried about your privacy at all, use PGP.

If you want perfectly secure communications, note this introduction to cryptography. In summary:

... perfect secrecy is impractical: [Shannon] proved that the shared secret key in any perfectly secure cryptosystem must be at least as long as the plaintext to be encrypted. (The one-time pad is the prime example of a perfectly secure but impractical system.) Unconditional security was therefore considered too expensive for a long time. For proving his impracticality theorem, Shannon assumed that the adversary has perfect access to the same information as the users.


Legalities:

The US and Canada have some fairly strong restrictions on the exporting of munitions. You know, nuclear weapons and the like. Good encryption software happens to be included. I would not suggest setting up a site in the US or Canada and offering a free download of PGP to people without considering that, if you're caught giving it to foreign persons, you could be charged with as serious a crime as arms export. Please see the official PGP website for more information.

If you're from outside the US and Canada, check out the International PGP homepage for downloads, etc. of legally exported versions of PGP. If you're from Canada, you can use the international version of PGP found there as well. US citizens must use the official versions because of other legal issues around patents held by RSA Data Security.


Summary:

PGP can be used to encrypt, with very high security, a message or a file to someone, without having to exchange a set of private encryption keys beforehand. It can also create a digital signature that can be verified to make sure messages received are from who they claim to be from. If you want more information on how to use PGP, check out my revised tutorial, for which I've received many compliments and congratulations. If you're still asking questions after that, or you would just like to get your greedy little hands on it, check out the list of sites I have gathered (which, by the way, are unaffiliated with myself and for whose content I do not vouch by having their links here) or my book list.

Not from the US or Canada? Want to use an "International" version of PGP? Check out the International PGP page. That's where you can download it in binary or source code format. It also has more details about why it exists and how it gets "exported".




This page Copyright © 1995 ... 1999 Michael T. Babcock.
It was last updated on the 29th of August, 1999.