What is PGP, Anyway?

Most of the references below give very good explanations of PGP, and I'm a real beginner myself, so I'll try to make mine quick and easy.

PGP is a cryptography program written by Philip R. Zimmermann. It's designed to give private individuals access to an element of computer security.

How Does it Work?

Check the references if you want a technical explanation. I'll just try my hand at explaining how you use it. There are two basic ways to use it: encryption and signing.

PGP Keys

Using PGP you generate two "keys", a public key and a secret key:

Public Key
  • Requires PGP to use
  • Should be made widely available
  • No password required
  • Encodes private messages to you
  • Recognizes your signature

Secret Key
  • Requires PGP to use
  • Should be kept secret
  • Password Protected
  • Decodes private messages to you
  • Generates your signature

The keys are generated together, as a matched set. How secure the key pair is depends on its complexity, which you choose when you create the set. The more "bits", the more secure the encryption.

PGP for Privacy

Anyone with PGP can use your public key to encrypt a private message. They get you that message (for example by e-mailing it to you), and you use your secret key to decrypt it.


The use of this is pretty obvious. It means that no-one can read the message except for you. Not your sysadmin (but see below), not the sysadmin at the sender's end, and not even anyone who manages to break into your e-mail account.

PGP for Identity Verification

Likewise, anything you encrypt with your secret key can be read by anyone with your public key. Since you're already trying to distribute your public key as widely as you can, how can this be useful? Obviously, these messages are far from secret.

But only your secret key can generate messages which can be decrypted by your public key. Since PGP can tell which of the public keys it has recorded is used to decrypt a message, it can verify which secret key was used to generate it. If you're properly careful of your secret key and your password, the result is as individual as a signature. You would then have an encrypted message that can only be read with your public key, so only you can send it.

But what if you want a message that can be read without PGP, but still could only have been sent by you? That can be done, too. When PGP encrypts a message it makes a checksum of the message. This checksum is generated in such a way that it is nearly impossible to make two messages with the same checksum. PGP encrypts the checksum and attaches it to the end of the message. When the receiver uses PGP to verify the signature, it calculates what the right checksum should be, decrypts the signature (using your PGP public key) and compares the two checksums. If your public key doesn't decode it, then it didn't come from you, and if the checksums don't match then the message has been altered. [2]


This can be useful if you upload documents to a network along with many other people. It can also be useful to protect you from various forms of internet abuse, since it can't be spoofed or forged the way an e-mail address can.
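
The signing and checking steps described above, as an added example that is not part of the original page: a toy textbook-RSA signer in Python. The hard-coded Mersenne primes, the SHA-256 checksum, the `TOY SIGNATURE` marker and the names `alice` and `mallory` are assumptions made for illustration; real PGP uses padded signatures and its own packet format.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys (assumption)
MARK = b"\n-----TOY SIGNATURE-----\n"  # hypothetical separator, not PGP's format

def make_keypair(p, q):
    """Build a matched (public, secret) pair from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def checksum(message: bytes) -> int:
    # The "checksum" in the text is a cryptographic hash; SHA-256 stands in here.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, secret) -> bytes:
    """Encrypt the checksum with the secret key and attach it to the end."""
    n, d = secret
    sig = pow(checksum(message), d, n)
    return message + MARK + format(sig, "x").encode()

def verify(signed: bytes, keyring: dict):
    """Return the name of the recorded public key that verifies, or None."""
    message, _, sig_hex = signed.rpartition(MARK)
    try:
        sig = int(sig_hex, 16)
    except ValueError:
        return None  # no signature attached, or it is not hex
    expected = checksum(message)  # what the right checksum should be
    for name, (n, e) in keyring.items():
        # Decrypt the signature with each public key and compare checksums.
        if 0 <= sig < n and pow(sig, e, n) == expected:
            return name
    return None

# Constructed toy keys: Mersenne primes are trivially guessable, never use them.
alice_pub, alice_sec = make_keypair(2**127 - 1, 2**521 - 1)
mallory_pub, mallory_sec = make_keypair(2**89 - 1, 2**607 - 1)

signed = sign(b"Meet at noon.", alice_sec)
tampered = signed.replace(b"noon", b"nine")     # message altered in transit
forged = sign(b"Meet at noon.", mallory_sec)    # signed with someone else's key

if __name__ == "__main__":
    ring = {"alice": alice_pub}
    print(verify(signed, ring), verify(tampered, ring), verify(forged, ring))
```

The signed message stays readable as plain text; only the attached value depends on the secret key.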

It's called "Pretty Good" for a Reason

PGP has, in fact, been cracked for a small (384-bit) key size. That means that, when you generate your public key/secret key pair, it is theoretically possible that someone can read and write messages as if they had your secret key.

Possible, but not very likely. I've been told it would probably take a very long time and a lot of resources ("1 year of several thousand workstations' time, or something of that order" [1]) to break a 512-bit key, and they certainly won't be making the effort for every citizen who uses it. So, unless you've already got a national government after you, or have an enemy who is likely to use a Cray to get you mail bombed, it's as secure as you make it...

The biggest security hole is your secret key. It would be far easier for someone to break into your house and copy the file from your computer than to break the coding. Of course, if you keep your secret key on-line it's trivial for your sysadmin to copy it, and monitor your keystrokes to get the password. But, protect your key and your password, and you're secure!

Pretty good, eh?

Pretty Good References

PGP Homepages

Pretty Good Privacy, Inc. Homepage
The International PGP Homepage

More About PGP

DC Sage PGP Page

PGP on Usenet

comp.security.pgp
alt.security.pgp
comp.security.pgp.resources

Download PGP

From MIT's distribution site if you're in the US or Canada only
From the International PGP Homepage if you're not.

Note: Due to US export laws, it is illegal to use the MIT version outside of the US or Canada. Due to patent laws, it is illegal to use the international version within the US. Since the two versions will easily encrypt and decrypt each other's documents, and can exchange keys, this is not a logistical problem. I suggest you use the appropriate version for your location.

Related Issues

Anonymity and Privacy on the Internet

Frequently Asked Question Lists (FAQs)

Where to get the latest PGP (Pretty Good Privacy) FAQ ftp download
The comp.security.pgp FAQ
The Passphrase FAQ v1.04

My PGP Public Key


Acknowledgements

Thanks to the following people who have so kindly helped me to understand vital points:

[1] Boudewijn Visser, Dep. of Applied Physics, Delft University of Technology, private correspondence
[2] M. Plumb, private correspondence


updated June 9, 97