PGP Tutorial from Mike's

(Michael T. Babcock <[email protected]>)


Getting Started

PGP Tutorial

For starters, there are many tutorials on the use of PGP: how to use PGP and how to get a PGP key. For more references, see my links page. I'll try to be somewhat specific in what I deal with here, but I won't necessarily focus on the Windows, Mac or Unix versions of PGP. Rather, I'll assume that you're willing to use the help available to you (F1 in Windows, man pages for us Unix people) for figuring out the interface you're using. This way I'll be able to discuss more of how PGP works, to help you feel comfortable playing with it initially and eventually using it seriously. If you're looking for more information about PGP, consider my links page.


What is PGP

You should skip over to my Introduction to PGP first, then come back once you know a bit about what PGP is. I will assume throughout this page that you have a basic understanding of the concepts outlined in that short document.


Where can I get PGP?

This page is dealing with how to use PGP, and you may want to read it over before downloading and installing it. Or, you may wish to go over to my PGP Links page, download a copy and then come back here and keep reading while it's downloading if you have a relatively slow Internet connection.

Which version do I want?

The versions numbered 2.6.2 or 2.6.3 are what I will call the older PGP versions. They were basically unlimited in functionality and had the source code available if you're a programmer and want to see how it works. Unfortunately, they're incompatible with the newer free versions (although not with the new commercial versions).


You probably want to download the most recent version of PGP that you can find on a legitimate site (mit.edu, pgp.com or pgpi.com). If you're in the United States or Canada, you can simply pay a visit to PGP's homepage and download a freeware version from there. Please read their license restrictions on commercial use. If you're from outside the United States, feel free to visit the International PGP homepage and download a copy from there instead.

Dave Central has a list of traditional PGP GUIs if you're interested.

That's all I'll be discussing here about PGP versions. The functionality in all versions is very similar for what will be discussed in this tutorial, so don't worry about it too much. It wasn't until the newer versions (version 5 and up) that PGP came with a GUI interface by default, so if you feel you need that, download a recent version or use an older version with a third-party front-end.


Where do I start?

Before you can do much of anything with PGP, you'll need your own key-pair. This is usually done automatically the first time you run PGP (in recent versions). PGP will ask you what size of keys to generate. Generally, larger keys provide better protection of any information you encode with them, but are slower to use. If you generate a 5000 bit key on a Pentium system, it may take up to a minute to sign a message with it, and you won't gain much in the way of security. In general, take the default or (in 1999) use 2048 bits.

Encryption

Symmetric ciphers are those that use the same key (often a password) to both encrypt and decrypt the same file. Public-key encryption is also referred to as asymmetric because one half of a key-pair is for encryption and the other half is for decryption.

When you want to encrypt a message or a file to someone, you must have that person's public key. Don't encrypt something to someone's public key unless you know it's theirs. What really happens is that PGP creates a "random" session key which is used to encrypt the message with a standard (symmetric) cipher. This session key is then encrypted using the recipient's public key, the encrypted session key is stored alongside the encrypted message, and the whole thing is your encrypted message. You can send this message by E-mail or by whatever means you wish, and only the proper recipient can decrypt the session key, which is then used to decrypt the actual message. This is all hidden from you, but it is useful to know because of some of the techno-babble in the PGP help files.

N.B. Because encryption is done using the recipient's public key, just because your key is large doesn't mean an encrypted message is extremely secure. The strength of the encryption process (the difficulty for an intruder to read the message) is directly related to the size of the recipient's public key. You should check the recipient's key's information before using it to see if it's large enough for your intended use.

If a business associate has an old 256 bit RSA key and you want to send them highly confidential documents, you may wish to ask them to generate a newer, larger key-pair for future communications.
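The session-key mechanism described above, and the point of the N.B. that message security is bounded by the recipient's key size, written out as an added example (this is not code from the page or from PGP itself). It uses textbook RSA over two fixed Mersenne primes as a stand-in for the recipient's public key and an HMAC-SHA256 keystream as a stand-in for PGP's symmetric cipher; both are toys chosen so the example runs offline and deterministically, and neither is secure for real use. The `min_bits` check is the kind of "is the recipient's key large enough" test the page recommends doing by hand; the threshold is an assumption of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Toy key material (constructed for this example): two Mersenne primes, so the
# modulus is ~150 bits.  Textbook RSA with no padding is NOT secure; it only
# stands in for "the recipient's public key" to show PGP's hybrid structure.
P = 2**61 - 1
Q = 2**89 - 1


@dataclass
class PublicKey:
    n: int
    e: int

    def bits(self) -> int:
        """Key size as PGP reports it: the bit length of the modulus."""
        return self.n.bit_length()


@dataclass
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Derive a toy RSA key pair from the two primes above."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for PGP's symmetric cipher: XOR the data with an HMAC-SHA256
    keystream in counter mode.  The same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hmac.new(session_key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_to(recipient: PublicKey, message: bytes, min_bits: int = 1024) -> dict:
    """Hybrid encryption as the page describes: a fresh random session key
    encrypts the message, and the recipient's public key wraps the session key.
    Refuses recipient keys smaller than min_bits, since their size bounds the
    security of the whole message regardless of the sender's own key."""
    if recipient.bits() < min_bits:
        raise ValueError(f"recipient key is only {recipient.bits()} bits")
    session_key = os.urandom(16)  # 128-bit symmetric key, new for every message
    body = keystream_xor(session_key, message)
    wrapped = pow(int.from_bytes(session_key, "big"), recipient.e, recipient.n)
    return {"wrapped_session_key": wrapped, "body": body}


def decrypt_with(private: PrivateKey, packet: dict) -> bytes:
    """Only the holder of the private key can unwrap the session key, which is
    then used to decrypt the actual message."""
    k = pow(packet["wrapped_session_key"], private.d, private.n)
    session_key = k.to_bytes(16, "big")
    return keystream_xor(session_key, packet["body"])


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"Meet at the usual place."  # constructed sample message
    print("recipient key size:", pub.bits(), "bits")
    packet = encrypt_to(pub, msg, min_bits=128)  # toy key, so lower the bar
    print("round trip ok:", decrypt_with(priv, packet) == msg)
```

With the default `min_bits=1024` the toy 150-bit key is rejected, which is the behaviour you want when a correspondent still has a very small key; the demonstration call lowers the threshold only because the example key is deliberately tiny.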

By way of example, back when I generated my very first public key pair (in the early 1990s on a 386-40), I generated two pairs. The first was a 1024 bit key pair for E-mail and signing messages and whatnot (key ID 0x50C899A5). I generated a second, 2556 bit key (ID 0xCE9A5CA5) as well, for people who wanted to send me what were in their opinion highly sensitive files or documents. By generating both, I was giving others the option. However, with the speed of computers today, you're best to simply generate the largest practical key you can and use it. You can see all the keys that are mine (or other mbabcock's) through the public keyservers.

Depending on your computer, PGP may ask you to type random characters or move the mouse around. This is to create some true randomness for PGP to use. Good encryption often depends on true randomness. Read the full PGP documentation for better information on why this is important.


PGP will ask you for a passphrase to secure your private key with. Read this document on passphrases for more detailed information about selecting one. PGP does not use this passphrase to encrypt / sign your E-mail, etc., even though it does prompt you for it every time you sign or decrypt a message. This is so that if someone else gets in front of your computer (which gives them access to your private key(s)) and creates a quick, faked E-mail to your boss about his wife, they won't be able to sign it with PGP, because they'll need the passphrase to use your private key. You may still get into trouble from your boss, though, if they send it without your signature.

Should you ever suspect that someone has stolen a copy of your private key file off your hard drive, over the network, etc., you should immediately go through the procedure of revoking your key (read the PGP documentation for how) and generating a new one, so that your old key can't be used by someone who spends day and night guessing at your passphrase.
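An added example (not code from the page or from PGP) of what "the passphrase secures your private key" means in practice: the private key is stored only in wrapped form, a key derived from the passphrase is needed to unwrap it, and a wrong passphrase is detected rather than silently yielding garbage. The passphrase never touches the message itself. It uses PBKDF2-HMAC-SHA256 from the standard library as the slow derivation step; the iteration count and the record layout are assumptions of this example, not PGP's keyring format.

```python
import hashlib
import hmac
import os
from typing import Optional


def wrap_private_key(private_key: bytes, passphrase: str, iterations: int = 100_000) -> dict:
    """Encrypt a private key under a passphrase-derived key and attach an
    integrity tag so a wrong passphrase can be recognised on unwrap."""
    salt = os.urandom(16)
    # PBKDF2 output feeds both the pad for the key bytes and a separate MAC key.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             iterations, dklen=len(private_key) + 32)
    pad, mac_key = km[:len(private_key)], km[len(private_key):]
    wrapped = bytes(a ^ b for a, b in zip(private_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}


def unwrap_private_key(entry: dict, passphrase: str) -> Optional[bytes]:
    """Return the private key bytes if the passphrase is right, else None.
    Each attempt costs a full PBKDF2 run, which is what slows down someone
    'spending day and night guessing at your passphrase'."""
    wrapped = entry["wrapped"]
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), entry["salt"],
                             entry["iterations"], dklen=len(wrapped) + 32)
    pad, mac_key = km[:len(wrapped)], km[len(wrapped):]
    expected = hmac.new(mac_key, entry["salt"] + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        return None  # wrong passphrase (or tampered entry): key stays locked
    return bytes(a ^ b for a, b in zip(wrapped, pad))


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed stand-in for private key material
    entry = wrap_private_key(secret, "correct horse battery staple")
    print("locked on disk:", entry["wrapped"] != secret)
    print("right passphrase:", unwrap_private_key(entry, "correct horse battery staple") == secret)
    print("wrong passphrase:", unwrap_private_key(entry, "password1"))
```

Note that a stolen key file still leaves the attacker free to run this derivation as many times as they like offline, which is exactly why the page says to revoke and replace the key rather than rely on the passphrase alone.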


Still lost?

I haven't checked it out thoroughly, but there is a site available called PGP for absolute beginners which you may find helpful.

For more information, see my web links and books list.

Of course, the actual PGP documentation is something you ought to sit down and read at some point for those details I've left out (accidentally or purposefully).




This page Copyright © 1995 ... 2016 Michael T. Babcock.
It was last updated on the 29th of August, 2016.