How is PGP Different from other Signing and Encryption?

PGP is different from other digital signing/encryption techniques in that there are no central certificate issuing authorities. You make your own certificates (containing just your name, email address and public key but not your private one), and get other ordinary people to digitally sign them as accurate. This creates a web of trust. You know if a certificate is valid by how much you trust the people who signed the certificate. You tell PGP how much you trust various certificates and how much you trust various people to accurately sign other’s certificates and it computes a trustworthiness of each certificate on your keyring.

Terminology

PGP people sometimes erroneously refer to your private key as a secret key. Granted the the key is secret, but in crytography the term secret implies there is no corresponding public key.

You can safely give exported public keys to others and your public keyring file of your entire key collection, but not your private/secret keyring file.

Backups

With Zimmerman’s PGP that I use, the public keys are stored in pubring.pkr and the private/secret keys are stored in secring.skr.

Be very careful when reinstalling software that you don’t leave you old keys behind.

How to Find and Import Other People’s Public Keys

After you import someone’s public key you must sign it with your private key, to indicate you consider it valid. You can then adjust the trust level you feel about public keys that person has validated. There is no central authentication agency. It all works by a peer to peer web of trust. There is a central registry like a phone book of email addresses and public keys, but there is no guarantee that any of its information is valid.

You can receive PGP certificates via unsecured email. You can discover them in Newsgroup postings. PGP 7.0 contains a feature to lookup a public key or register yours in any one of a number of central registries.

Once you declare my public key as trustworthy, then you can send me encrypted email, and you can verify if any digitally signed mail from me really came from me.

If you just want to send me PGP-signed mail, you don’t even have to do that much.

You importing my public key, however, is not sufficient to let me send you encrypted email. (I need your public key for that.) It won’t let me verify that email from you really came from you. (I need your public key for that.) Of course we both need some sort of PGP software installed on our machines.

There is also a feature you can register a third party with the right to revoke your key in case you lose your private key or forget your passphrase. However, it is too late to do that once you lose you key or passphrase. If you lose your private key, mail continues to arrive encrypted with your old key and databases persist in handing out the obsolete key. All you can do is publicly ask people to use the new key and email address and stop using the old ones. (How do I know this?…)

Where to Get PGP

All that is left of the original Network Associates (bought out by McAfee) PGP website are products with prices so high they won’t even post them. You have to request a formal price quotation. These are clearly not aimed at personal users.

The freeware products are for non-commercial use. There are now a suite of reasonably priced commercial products at the PGP Store. For example a PC PGP 1 year licence is $80.00 USD The freeware editions don’t have integration into email. The freeware version asks you to fill in a licence key. If you don’t, it turns off some features. If you do, it upgrades to the commercial version.

The old, free Network Associates PGP version 7.0.3 works with Eudora email integration.

The patent recently expired on PGP and, in recent years, the patentholder, Network Associates, seems to have lost all interest in supporting its former PGP products. They are attempting to sell off their PGP product line. Presumably soon third parties will take up the slack. In recent years, we saw signing authorities like Thawte dropping PGP support. Perhaps they will start re-instating it.

PGP and Eudora

Signed formatted messages arrive as mysterious enclosures ending in .ems. You must double click them to view them and verify the signature. Eudora encrypts the body and your tagline, but not the subject.

When you click encrypt nothing happen until you hit send. Then it automatically looks up the public key of the recipient in the keyserver.pgp.com database. Encrypted messages come in looking like gibberish with nothing telling you what they are. It is up to you to recognize what them as encrypted messages and right click plugins, decrypt and verify.

Sometimes the encrypted message arrives as a *.ems attachment. You must double click it and give your passphrase to decrypt it and verify the signature. Eudora wisely gives you the option of leaving the message in encrypted or unencrypted form in your mail folder. You may be trying to protect it from prying eyes at your end as well as en route.

You can also digitally sign and/or encrypt your messages with PGP by having it sign the clipboard then paste the text back into pretty well any newsreader/mailreader. That way your mailreader/newsreader need not support PGP directly. Unfortunately, only the message body then is signed. The header including the message subject:, to: and from: are unprotected.

PGP and the Thunderbird Mail Reader

PGP and Agent Newsreader

How PGP Works

The PGP message format is described in RFC 2440.

PGP also has a wipe feature for securely erasing files and also erasing the free space including the space at the tail end of each file in its allocated cluster.

When you install it, make sure you choose a directory for your public and secret keyrings that won’t be lost or erased and that will be backed up.

PGP Hex Encoding

e.g. My 160-bit public PGP key is rendered either in hex:
9AA3 43B6 324D F154 4098 F58F EF62 A55F 92CB 3EDD
or as a grid of words: 9A=pupil A3=pandemic etc.

Legal Issues

The Alternative — S/MIME