|How is PGP Different?||How PGP Works|
|Finding Public Keys||Keyword Encoding Applet|
|Where to Get PGP||Legal Issues|
PGP is different from other digital signing/encryption techniques in that there are no central certificate issuing authorities. You make your own certificates (containing just your name, email address and public key but not your private one), and get other ordinary people to digitally sign them as accurate. This creates a web of trust. You know if a certificate is valid by how much you trust the people who signed the certificate. You tell PGP how much you trust various certificates and how much you trust various people to accurately sign other’s certificates and it computes a trustworthiness of each certificate on your keyring.
PGP people sometimes erroneously refer to your private key as a secret key. Granted the key is secret, but in crytography the term secret implies there is no corresponding public key.
You can safely give exported public keys to others and your public keyring file of your entire key collection, but not your private/secret keyring file.
With Zimmerman’s PGP that I use, the public keys are stored in pubring.pkr and the private/secret keys are stored in secring.skr.
Be very careful when reinstalling software that you don’t leave you old keys behind.
After you import someone’s public key you must sign it with your private key, to indicate you consider it valid. You can then adjust the trust level you feel about public keys that person has validated. There is no central authentication agency. It all works by a peer to peer web of trust. There is a central registry like a phone book of email addresses and public keys, but there is no guarantee that any of its information is valid.
You can receive PGP certificates via unsecured email. You can discover them in Newsgroup postings. PGP 7.0 contains a feature to lookup a public key or register yours in any one of a number of central registries, e. g.
RFC 4880 describes how client PGP software such as EnigMail or GnuPG talks to the public key servers. Some webservers also allow you to search for keys with your browser.
Once you declare my public key as trustworthy, then you can send me encrypted email, and you can verify if any digitally signed mail from me really came from me.
If you just want to send me PGP-signed mail, you don’t even have to do that much.
You importing my public key, however, is not sufficient to let me send you encrypted email. (I need your public key for that.) It won’t let me verify that email from you really came from you. (I need your public key for that.) Of course we both need some sort of PGP software installed on our machines.
There is also a feature you can register a third party with the right to revoke your key in case you lose your private key or forget your passphrase. However, it is too late to do that once you lose you key or passphrase. If you lose your private key, mail continues to arrive encrypted with your old key and databases persist in handing out the obsolete key. All you can do is publicly ask people to use the new key and email address and stop using the old ones. (How do I know this?…) In Thunderbird Enigmail, you can create a revoke certificate you can later use if you lose your keys to revoke the certificate.
All that is left of the original Network Associates (bought out by McAfee) PGP website are products with prices so high they won’t even post them. You have to request a formal price quotation. These are clearly not aimed at personal users.
The freeware products are for non-commercial use. There are now a suite of reasonably priced commercial products at the PGP Store. For example a PC (Personal Computer) PGP 1 year licence is The freeware editions don’t have integration into email. The freeware version asks you to fill in a licence key. If you don’t, it turns off some features. If you do, it upgrades to the commercial version.
The old, free Network Associates PGP version 7.0.3 works with Eudora email integration.
The patent recently expired on PGP and, in recent years, the patentholder, etwork Associates lost all interest in supporting its former PGP products. In recent years, we saw signing authorities like Thawte dropping PGP support. Perhaps they will start re-instating it. Enigmail-PGP does not supportthe latest Firefox. It looks like PGP for the masses has disappeared.
Signed formatted messages arrive as mysterious enclosures ending in *.ems. You must double click them to view them and verify the signature. Eudora encrypts the body and your tagline, but not the subject.
When you click encrypt nothing happen until you hit send. Then it automatically looks up the public key of the recipient in the keyserver.pgp.com database. Encrypted messages come in looking like gibberish with nothing telling you what they are. It is up to you to recognize what them as encrypted messages and right click plugins, decrypt and verify.
Sometimes the encrypted message arrives as a *.ems attachment. You must double click it and give your passphrase to decrypt it and verify the signature. Eudora wisely gives you the option of leaving the message in encrypted or unencrypted form in your mail folder. You may be trying to protect it from prying eyes at your end as well as en route.
You can also digitally sign and/or encrypt your messages with PGP by having it sign the clipboard then paste the text back into pretty well any newsreader/mailreader. That way your mailreader/newsreader need not support PGP directly. Unfortunately, only the message body then is signed. The header including the message subject:, to: and from: are unprotected.
The PGP message format is described in RFC 4880.
PGP also has a wipe feature for securely erasing files and also erasing the free space including the space at the tail end of each file in its allocated cluster.
When you install it, make sure you choose a directory for your public and secret keyrings that won’t be lost or erased and that will be backed up.
PGP public keys (fingerprints) are 160 bits long, or 20 bytes, or 40 hex digits.
Public keys are sometimes represented by selections from a pair of 16 × 16 row-wise grids of 256 English words each using this list to encode the each byte of the key, selecting the row as the high order nibble and the column as the low order nibble. The advantage of the keywords is you can speak a public key over the phone accurately. It protects you against dropping, transcription, and mishearing. Words are all quite distinct. See the PGP keywords Applet to interconvert back and forth or to experiment to understand how it works.
|Even two-syllable PGP Words|
|Odd three-syllable PGP Words|
e.g. A typicial 160-bit, 20-byte, 40-hex-digit, 20-word, public PGP
key fingerprint is rendered
either in hex:
9AA3 43B6 324D F154 4098 F58F EF62 A55F 92CB 3EDD
or as a grid of words: 9A=pupil (i.e. word at row 9 column A of the even table), A3=pandemic (row A column 3 of the odd table ), 43=crucial (row 4 column 3 of the even table ), B6=potato (row B column 6 of the odd table ) etc.
available on the web at:
optional Replicator mirror
Please email your feedback for publication, letters to the editor, errors, omissions, typos, formatting errors, ambiguities, unclear wording, broken/redirected link reports, suggestions to improve this page or comments to Roedy Green : . If you want your message, your name or email kept confidential, not considered for public posting, please explicitly specify that. Unless you state otherwise, I will treat your message as a letter to the editor that I may or may not publish in the feedback section. After that, it will be too late to retract it. If you disagree with something I said, especially when sending an ad-hominem attack, a rant composed mainly of obscenities or a death threat, please quote the offending passage and cite the web page where you found it, tell me why you think it is wrong, and, if possible, provide some supporting evidence. I can’t very well fix erroneous or ambiguous text if I can’t find it.
Your face IP:[188.8.131.52]
|Feedback||You are visitor number 35,929.|