4um: Introduction to PGP

Title: Introduction to PGP
Source: http://www.queen.clara.net/pgp/pgp.html
URL Source: http://www.queen.clara.net/pgp/pgp.html
Published: May 16, 2006
Author: ??
Post Date: 2006-05-16 12:27:03 by Neil McIver
Keywords: PGP
Views: 56
Comments: 9

Introduction to PGP

Beginner's section

What is PGP?

I have set up this page in response to questions I get about PGP - what it is, where to get it, and how to use it.

PGP (short for Pretty Good Privacy), created by Philip Zimmermann, is the de facto standard program for secure e-mail and file encryption on the Internet. Its public-key cryptography system enables people who have never met to secure transmitted messages against unauthorized reading and to add digital signatures to messages to guarantee their authenticity.

Why do we need PGP? E-mail sent over the Internet is more like paper mail on a postcard than mail in a sealed envelope. It can easily be read, or even altered, by anyone with privileged access to any of the computers along the route followed by the mail. Hackers can read and/or forge e-mail. Government agencies eavesdrop on private communications.

For further discussion of what PGP is for, and what it can do, read the following articles:

transcript of an interview on the radio show High Tech Today Phil Zimmermann himself explains why he wrote PGP.

More detailed information about PGP, and copies of the program itself for various platforms, can be found from the links given below.

Basic tutorials for beginners

There is considerable overlap between these tutorials. If you don't find the information you need in one of them, try another, or try the FAQ. Some of these sites are out of date, referring only to older versions of PGP, but they still provide generally useful information.

Downloading PGP

The proliferation of different PGP versions can be rather confusing. The following links provide an explanation of the various versions and what they can do:

The first two versions do the same thing, though the international version has certain minor advantages. Two different versions existed for legal reasons.

PGP 2.6.3ia for RISC OS. Here you can find a collection of PGP software and other security utilities for RISC OS (Acorn) computers. There is also a RISC OS version of GnuPG, which is compatible with (and even superior to) modern versions of PGP.

PGP versions 5 to 8 are available for Windows 95/98/NT, MacOS, Unix, Linux, OS/2 and Amiga, but not every version is available for every platform. Whichever operating system you use, you can find an appropriate version on one of the following sites:

Some PGP-related links

Although some of the following links are not up to date and lack information about the latest versions of PGP, they all provide useful general information.

The UKERNA Secure E-Mail Project

The United Kingdom Education and Research Networking Association (UKERNA) runs the Joint Academic Network (JANET) on behalf of the Academic Community of the U.K. (approximately ac.uk). UKERNA sees the current solution to authentication and privacy of documents to be PGP and is investigating how PGP can be made easy to use for sending e-mail.

How PGP works (in part)

If you are mathematically inclined and understand (or are willing to learn) a little about modular arithmetic, you can read about the maths behind some public-key cryptosystems at the following URLs:

The above link to André Bacard's article Non-Technical PGP FAQ is a good read for nubies:

Question: If someone makes a privacy program that prevents the gubmint from reading emails, does that program somehow become illegal or could the author be construed a "terrorist"?

I think your question will carry much more significance if/when someone creates an public key encryption system for VoIP phones, rendering government wiretapping worthless.

thanks, Neil. Boonie Rat put PGP in my computer and instructed me on its usage...i forgot what to do already so i'll bookmark this.

"If the president made us go to war with Iraq, why doesn't he go over there and fight the war?" Christian May [6th grader]

How easy is it for the average internet user to make a phone call secure enough to frustrate the NSA's extrajudicial surveillance program?

Wired News took Phil Zimmermann's newest encryption software, Zfone, for a test drive and found it's actually quite easy, even if the program is still in beta.

Zimmermann, the man who released the PGP e-mail encryption program to the world in 1991 -- only to face an abortive criminal prosecution from the government -- has been trying for 10 years to give the world easy-to-use software to cloak internet phone calls.

On March 14, Zimmermann released a beta version of the widely anticipated Zfone. The software is currently available only for OS X (Tiger) and Linux, though a Windows version is due in April.

The open-source software manages cryptographic handshakes invisibly, and encrypts and decrypts voice calls as the traffic leaves and enters the computer. Operation is simple, and users don't have to agree in advance on an encryption key or type out long passcodes to make it work.

Would-be beta testers must provide Zimmermann with an e-mail address. That seems an odd requirement for a privacy product, but the process itself was painless, and an e-mail with a download code arrived immediately.

In our test, Zfone installed easily and quickly on OS X, though there were some mild hitches in actually getting it to work.

Zfone is designed to work with VoIP clients that use the industry standard SIP>http://en.wi kipedia.org/wiki/Session_Initiation_Protocol">SIP protocol, and has been tested with clients such as X-lite, Free World Dialup and Gizmo Project.

Following Zfone's instructions, Wired News was able to fairly quickly configure Gizmo Project to work with the software. But initial efforts to make phone calls with the system failed. Eventually, a little trial and error revealed that Zfone needed to be started before Gizmo Project, and that to see if a secure connection has been created, both Gizmo and Zfone's interface needed to be visible on the desktop.

Once that happens, and the caller on the other end also has Zfone installed, the interface cleanly indicates that the call is secure. It also displays two different three-character codes. One party reads his code, e.g. "CF8," while the other says hers, "TKP."

This bit of cloak-and-dagger isn't just fun, it helps prevents what is known as a man-in-the-middle attack, in which an eavesdropper sits between two callers, intercepting their cryptographic keys and then relaying the communications between them. If someone tries that with Zfone, the spoken codes won't match what the callers see on their screens.

Using Zfone didn't add any noticeable latency or distortion to calls made with Gizmo Project. Once it's up and running, you're simply talking on the phone.

But make no mistake: to eavesdroppers, Zfone is anything but routine. The protocol is based on SRTP, a system that uses the 256- bit>http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">256-bit AES cipher and adds to that a 3,000-bit key exchange that produces the codes callers can read off to one another. It has been submitted to IETF for approval as an internet standard, and by most accounts is strong enough to defy even the most sophisticated code- breaking technologies, from a hacker's packet sniffer to the acres of computers beneath Ft. Meade.

That makes Zfone the "most secure telephone system anyone has ever used," according to PGP Corporation's CTO Jon Callas, who worked with Zimmermann on the protocol

Of course, security is nice, but the value of an end-to-end crypto system is partially a function of its popularity. If you're the only one using the system, there's nobody to talk to.

The Gizmo Project ostensibly uses its own encryption for Gizmo-to-Gizmo calls, though the company won't reveal what algorithms they use. But primarily, Zfone is competing with the built-in crypto that comes with Skype, which is closed-source, uses its own proprietary protocols, and employs its own encryption scheme -- which, significantly, is not available for inspection and peer-review (though some have evaluated>http:/ /www.tacticaltech.org/files/Skype_Security.pdf">evaluated (.pdf) it and others purportedly cracked it anyway).

Those are all troubling signs for a security system. But as a standard element in Skype's popular VoIP software, this unproven crypto has already achieved a market penetration that will likely elude Zimmerman's system.

So as nice as it is, unless Zfone is adopted by mainstream VoIP providers, it will probably occupy the same limited market niche as the hyper-secure PGP program that ruffled so many government feathers over a decade ago.

PGP didn't become standard e-mail fare outside of the community of geeks, cypherpunks and those with special privacy needs, like human rights workers and people living in countries where the government routinely spies on its citizens without oversight. Fortunately for Zimmerman, there are a lot more of us these days.