
Pretty Good Privacy

PCQ Bureau

Pretty Good Privacy (PGP) protects the privacy of your e-mail messages and files by encrypting them, so that only intended recipients can read them. It also lets you digitally sign messages and files, which ensures their authenticity. A signed message verifies that the information has not been tampered with in any way. In this article, we’ll see how to use PGP. The software, PGP 6.5.8, is available on the accompanying PC Quest CD.


The PGP software is easy to install and can be accessed from your system tray. During setup, it also adds a couple of keys to your mail client that you can use to encrypt and digitally sign messages.

PGP is based on a widely accepted and highly trusted public key encryption system, in which PGP users generate a key pair consisting of a private key and a public key. As the name suggests, a private key is private to its creator. The public key has to be exchanged with whoever you want to communicate with. You’ll use your private key to add your digital signature to e-mail messages and file attachments and to decrypt messages you receive. You’ll use a person’s public key to send encrypted messages to him and to verify his digital signatures. The key thing to understand here is that each key performs two operations: you add signatures and decrypt messages with your private key, and you encrypt messages and verify signatures with the public keys of others.

So, the first thing you need to do is create a key pair. This is simple to do. You need to enter your name, e-mail address, the key’s bit size, its lifetime, etc., and the software does the rest. You can choose to have keys made using either the Diffie-Hellman/DSS or the RSA encryption techniques. While Diffie-Hellman/DSS offers better security, RSA ensures compatibility with older versions. You can also create a key pair for each algorithm.
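The two-operation rule above (sign and decrypt with your private key; encrypt and verify with the other person’s public key) is easiest to see with a small worked example. The code below is an added illustration written for this article, not PGP’s own code: it uses textbook RSA with constructed small primes and no padding, which is fine for showing the key roles but is not usable cryptography. Real PGP encrypts a random session key with the recipient’s public key and the message itself with a symmetric cipher. Names such as `ALICE_PRIMES`, `demo()` and `decrypt_or_none()` are this example’s own.

```python
"""Toy textbook RSA showing which key does what: sign/decrypt with the
PRIVATE key, encrypt/verify with the PUBLIC key. Illustration only; not
PGP's code and not safe crypto (no padding, tiny keys, per-byte blocks)."""
import hashlib
from math import gcd

# Constructed small primes for two users (assumption: a real key pair uses
# randomly generated primes of 1024 bits or more each).
ALICE_PRIMES = (1000003, 1000033)
BOB_PRIMES = (1000037, 1000039)


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes):
    """Encrypt TO someone's public key, one byte per RSA block (toy)."""
    n, e = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key, ciphertext):
    """Decrypt with your private key; the wrong key yields garbage values."""
    n, d = private_key
    values = [pow(c, d, n) for c in ciphertext]
    if any(v > 255 for v in values):
        raise ValueError("non-byte values after decryption: wrong private key?")
    return bytes(values)


def decrypt_or_none(private_key, ciphertext):
    """Convenience wrapper: None instead of an exception on a wrong key."""
    try:
        return decrypt(private_key, ciphertext)
    except ValueError:
        return None


def _digest_mod_n(message: bytes, n: int) -> int:
    # A signature covers a hash of the message, not the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sign with YOUR private key."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verify with the SIGNER'S public key; any change to the message fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    msg = b"Meet at the usual place at 9"
    ct = encrypt(alice_pub, msg)       # Bob encrypts to Alice's public key
    sig = sign(alice_priv, msg)        # Alice signs with her private key
    return {
        "alice_reads": decrypt(alice_priv, ct) == msg,
        "bob_cannot_read": decrypt_or_none(bob_priv, ct) != msg,
        "signature_ok": verify(alice_pub, msg, sig),
        "tampered_rejected": verify(alice_pub, msg + b"!", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the article describes: only Alice’s private key recovers the message Bob encrypted to her public key, and a one-byte change to the signed message makes `verify()` return False.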


Your private key is protected by a password called a "passphrase", so that nobody can access it while you’re away from your computer. Your public key has to be distributed to others, so that you can have encrypted communication with them. Before you do that, it’s important to know that the public key can be further broken up into sub-keys. One of the most common uses of this feature is to create multiple sub-keys that have been set for use during different periods of the key’s lifetime. For example, if you create a key that’ll expire in three years, you can create three sub-keys for it that will last one year each. This provides an automatic way to periodically switch to a new encryption key without having to recreate and distribute a new public key. A public key can also hold the owner’s photograph and some more information, if desired.
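The sub-key rotation just described (a three-year key split into three one-year encryption sub-keys) can be expressed as a small schedule. The code below is an added example, not PGP’s own logic: it plans consecutive validity windows and picks the sub-key a sender should encrypt to on a given date, returning None once the whole key’s lifetime is over. The dates and the function names `plan_subkeys()` and `active_subkey()` are this example’s own.

```python
"""Plan expiring encryption sub-keys under one primary key and select the
one valid on a given date. Added example of the rotation idea, not PGP code."""
from datetime import date


def _add_years(when: date, years: int) -> date:
    """Same calendar date N years later (assumption: 29 Feb becomes 28 Feb)."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def plan_subkeys(created_iso: str, lifetime_years: int, count: int):
    """Split the primary key's lifetime into `count` consecutive sub-key
    windows. Returns (name, valid_from, expires) with ISO dates; a sub-key
    is valid from valid_from (inclusive) up to expires (exclusive)."""
    if count <= 0 or lifetime_years % count:
        raise ValueError("lifetime must divide evenly into sub-key periods")
    created = date.fromisoformat(created_iso)
    step = lifetime_years // count
    plan = []
    for i in range(count):
        start = _add_years(created, i * step)
        end = _add_years(created, (i + 1) * step)
        plan.append((f"sub{i + 1}", start.isoformat(), end.isoformat()))
    return plan


def active_subkey(subkeys, on_iso: str):
    """Name of the sub-key a sender should encrypt to on `on_iso`, or None
    when no sub-key is valid (the primary key's lifetime has run out, so
    the owner must generate and distribute a new key)."""
    on = date.fromisoformat(on_iso)
    for name, start, end in subkeys:
        if date.fromisoformat(start) <= on < date.fromisoformat(end):
            return name
    return None


if __name__ == "__main__":
    # Constructed dates: a key made on 2001-01-01 with a three-year lifetime.
    plan = plan_subkeys("2001-01-01", 3, 3)
    for entry in plan:
        print(entry)
    print("encrypt to:", active_subkey(plan, "2002-06-15"))
```

Because all three sub-keys are created up front and carried on the same public key, a correspondent who fetched the key once already holds the next sub-key; the switch happens on the date boundary without a new key exchange, which is the point of the feature.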

Since public and private keys work in conjunction, earlier versions of PGP didn’t let you create and revoke new public keys without sacrificing your private key. However, PGP 6.5 onwards lets you do this.

Now we’ll come to key distribution. This can be done in three ways: making the key available through a public certificate server, sending it via e-mail, or exporting it to a text file and then sending that. The first method is the best way to distribute your public key, because it’ll be accessible to anyone across the globe. That way, people can start sending you encrypted e-mail without having to explicitly request a copy of your public key from you. There are a number of certificate servers worldwide where you can make your keys available. The software includes support for uploading your key onto such servers. Any changes made later to the key locally, such as e-mail addresses, can also be reflected in the uploaded copy of the key from within the software itself.


If you want to send encrypted e-mail, you can search for other people’s public keys through the PGP software itself. You can ask for a public key via e-mail and use it directly from there, or get a text file from the person and import it through PGP. Having received a person’s public key, it’s important to check its integrity, which can be done either over the phone (recommended) or by finding it on a server and comparing its fingerprint. The fingerprint is made up of special authentication words that PGP uses; they are carefully selected to be phonetically distinct and easy to understand. Once you’ve verified the public key, you can sign it with your private key and use it to send encrypted messages to the person.
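The fingerprint check described above is worth seeing in code. The block below is an added example, not PGP’s own implementation: it computes an OpenPGP version 4 key fingerprint the way RFC 4880 defines it (SHA-1 over a 0x99 byte, the two-byte packet length and the public-key packet body), shows it in the usual groups of four hex digits, and compares it in constant time with a fingerprint read out over the phone, tolerating the spaces and lower-case letters a person will dictate. The phonetic word list PGP displays is just another rendering of the same bytes, so the hex form is what is compared here. The key material (`DEMO_N`, `DEMO_E`, `DEMO_CREATED`) is constructed for the demo and is not a real key.

```python
"""OpenPGP V4 fingerprint (RFC 4880 section 12.2) plus a careful comparison
against a fingerprint dictated over the phone. Added example; the key
material is constructed, not a real key."""
import hashlib
import hmac
import re


def _mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length + big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def v4_fingerprint(created: int, n: int, e: int) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet
    body: version 4, creation time, algorithm 1 (RSA), MPI n, MPI e.
    User IDs and expiry are not hashed, so adding an e-mail address to a
    key (as the article mentions) leaves its fingerprint unchanged."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """For V4 keys the 64-bit key ID is the low 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def pretty(fingerprint: str) -> str:
    """Display form: ten groups of four hex digits."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def fingerprints_match(local: str, spoken: str) -> bool:
    """Normalise whitespace and case, then compare in constant time.
    Only a full 40-digit fingerprint counts: a key ID alone is rejected."""
    a = re.sub(r"\s+", "", local).upper()
    b = re.sub(r"\s+", "", spoken).upper()
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


# Constructed key material for the demo (NOT a real RSA modulus).
DEMO_N = (1 << 1023) + 12345
DEMO_E = 65537
DEMO_CREATED = 978307200  # 2001-01-01T00:00:00Z, constructed

if __name__ == "__main__":
    fp = v4_fingerprint(DEMO_CREATED, DEMO_N, DEMO_E)
    print(pretty(fp), "key ID:", long_key_id(fp))
    # What the other person dictates, spaces and case as spoken
    print(fingerprints_match(fp, pretty(fp).lower()))
```

Insisting on the full fingerprint rather than the short key ID matters: the key ID is only the tail of the hash, and two different keys can share it, so it is not enough to confirm that the key you imported is the one your correspondent generated.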

Putting PGP to work

Now let’s put our hard work into practice, and see how to send encrypted messages using PGP. PGP seamlessly integrates with common e-mail clients like Eudora, Outlook Express, Outlook, etc., to provide a high level of security with a few simple clicks. E-mail is composed as usual and when you are done, all you need to do is click the appropriate buttons on the toolbar of your e-mail client itself to encrypt or digitally sign a mail. If you don’t have a POP account and use Web mail, all you need to do is copy the message body onto the clipboard and do the necessary operations using the PGP tools from the system tray. File attachments need to be secured separately. Decrypting a received encrypted message is similar: either from within the e-mail client itself, or by copying the text to the clipboard and using the PGP tools menu.


You can use PGP to secure files locally too. Upon installation, PGP adds its own sub-menu to the right-click menu. It contains the following options: Encrypt, Sign, Encrypt & Sign, Decrypt & Verify, and Wipe. The first four are self-explanatory. The fifth option, "Wipe", removes all traces of a file, so that no one can use a software tool to recover it. PGP acts like a virtual paper shredder, and removes not only the file name, but also all the data in it.

All said and done, PGP is a great product that provides a high level of security for home and corporate users alike. Though the software is easy to use and closely integrated with applications and Windows itself, some users might find the concepts and the technology a bit intimidating. But you can’t beat its price. It’s yours for a free download from www.pgpi.org, besides being on this month’s CD.

Kunal Dua
