Pretty Good Privacy (PGP) protects the privacy of your e-mail
messages and files by encrypting them, so that only intended recipients can read
them. It also lets you digitally sign messages and files, which ensures their
authenticity. A signed message verifies that the information has not been
tampered with in any way. In this article, we’ll see how to use PGP. The
software–PGP 6.5.8–is available on the accompanying PC Quest CD.
The PGP software is easy to install and can be accessed from
your system tray. During setup, it also adds a couple of keys to your mail
client that you can use to encrypt and digitally sign messages.
PGP is based on a widely accepted and highly trusted public
key encryption system, in which PGP users generate a key pair consisting of a
private key and a public key. As the name suggests, a private key is private to
its creator. The public key has to be exchanged with whoever you want to
communicate with. You’ll use your private key to add your digital signature to
e-mail messages and file attachments and to decrypt messages you receive. You’ll
use a person’s public key to send encrypted messages to him and verify his
digital signatures. The key thing to understand here is that each key performs
two operations–add signatures and decrypt messages with your private key, and
encrypt and verify signatures with the public keys of others.
So, the first thing you need to do is create a key pair. This
is simple to do. You need to enter your name, e-mail address, the key’s bit
size, its lifetime, etc, and the software does the rest. You can choose keys to
be made based either on the Diffie-Hellman/DSS or the RSA encryption techniques.
While the Diffie-Hellman/DSS offers better security, RSA ensures compatibility
with older versions. You can also create a key pair for each algorithm.
Your private key is protected by a password called a "passphrase",
so that nobody can access it while you’re away from your computer. Your public
key has to be distributed to others, so that you can have encrypted
communication with them. Before you do that, it’s important to know that the
public key can be further broken up into sub-keys. One of the most common uses
of this feature is to create multiple sub-keys that have been set for use during
different periods of the key’s lifetime. For example, if you create a key that’ll
expire in three years, you can create three sub-keys for it that will last one
year each. This provides an automatic way to periodically switch to a new
encryption key without having to recreate and distribute a new public key. A
public key can also hold the owner’s photograph and some more information, if
desired.
Since public and private keys work in conjunction, earlier
versions of PGP didn’t let you create and revoke new public keys without
sacrificing your private key. However, PGP 6.5 onwards lets you do this.
Now we’ll come to key distribution. This can be done in
three ways–making it available through a public certificate server, sending it
via e-mail, or exporting it to a text file and then sending it. The first method
is the best way to distribute your public key, because it’ll be accessible to
anyone across the globe. That way, people can start sending you encrypted e-mail
without having to explicitly request you for a copy of your public key. There
are a number of certificate servers worldwide, where you can make your keys
available. The software includes support for uploading your key onto such
servers. Any changes made later in the keys locally, such as e-mail addresses,
can also be reflected in the uploaded copy of the key from within the software
itself.
If you want to send encrypted e-mail, you can search for
other people’s public keys through the PGP software itself. You can ask for a
public key via e-mail and use it directly from there, or get a text file from
the person and import it through PGP. Having received a person’s public key,
it’s important to check its integrity, which can be done either over phone
(recommended) or by finding it on a server and comparing its fingerprint. The
fingerprint is made up of special authentication words that PGP uses and are
carefully selected to be phonetically distinct and easy to understand. Once you’ve
verified the public key, you can sign it with your private key and use it to
send encrypted messages to the person.
Putting PGP to work
Now let’s put our hard work into practice, and see how to
send encrypted messages using PGP. PGP seamlessly integrates with common e-mail
clients like Eudora, Outlook Express, Outlook, etc, to provide high level of
security with a few simple clicks. E-mail is composed as usual and when you are
done, all you need to do is click the appropriate buttons on the toolbar of your
e-mail client itself to encrypt or digitally sign a mail. If you don’t have a
POP account and use Web mail, all you need to do is copy the message body onto
the clipboard and do the necessary operations using the PGP tools from the
system tray. File attachments need to be secured separately. Decrypting a
received encrypted message is similar–either from within the e-mail client
itself or copying the text to the clipboard and using the PGP tools menu.
You can use PGP to secure files locally too. Upon
installation, PGP adds its own sub-menu to the right-click menu. It contains the
following options–Encrypt, Sign, Encrypt & Sign, Decrypt & Verify, and
Wipe. The first four are self-explanatory. The fifth option "Wipe"
removes all traces of a file, so that no one can use a software tool to recover
it. PGP acts like a virtual paper shredder, and removes not only the file name,
but also all the data in it.
All said and done, PGP is a great product that provides a
high level of security for home and corporate users alike. Though the software
is easy to use and closely integrated with applications and Windows itself, some
users might find the concepts and the technology a bit intimidating. But you can’t
beat its price. It’s yours for a free download from www.pgpi.org,
besides being on this month’s CD.
Kunal Dua