Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs. The plugins for Microsoft Outlook, Microsoft Outlook Express, Qualcomm's Eudora, and Claris Emailer install themselves into their respective email programs and appear as a menu item and a set of buttons on the message window.
With the current versions of PGP, strong encryption is no longer difficult to install and use. PGP makes it easy for you to protect your email and files. In addition to working with your email software, PGP can use copy/paste to protect text in any word processor or newsreader and can protect files with a right-click in Windows Explorer.
Security
You can use PGP to communicate securely about
business plans, legal, financial, or medical matters, or any other
personal matters that you would rather keep private. You would use PGP
with email for the same reasons that you use envelopes with paper mail.
Perhaps a coworker or a member of your household is a little too curious
for your comfort. Perhaps you share a computer with other people and
want to be sure your email and files remain private. Have you ever sent
email to the wrong address or had it bounce for some reason? Email can
end up in places it's not supposed to go. It's easy for
unethical mail system administrators, disgruntled employees, hackers,
and just plain nosey folks to read unprotected email. It's as easy as
reading a postcard. Email stored on the typical Win95, Win98, WinME, or XP Home
computer is accessible to anyone who sits at the keyboard. Internet
email is plain text, perfectly readable with a text editor like
the Windows Notepad. Protecting your email and files is easy with PGP.
Flexibility
Because PGP includes plugins for the most
popular email software and can be used via copy/paste with any
email software, newsreader, word processor, or text editor, you and your
correspondents can continue to use your favorite software. Unlike some other
email-only security packages, PGP can protect your files too. A
right-click in Windows
Explorer lets you protect any file. PGP is available for all
popular operating systems.
It's Free!
PGP is free for personal use. You can download
the software for the cost of your connect time. You generate and sign
your own keys. There's no annual fee imposed by a central key
certificate service.
Worldwide Strength and Compatibility
PGP is available in full strength versions all over the world. A lot of work was put into legally exporting PGP in order to make sure that full-strength compatible versions are available outside the U.S. and Canada. Competing email security packages may not be available in full strength versions outside of the U.S. and Canada. The keys used in exportable versions of some other packages are much weaker and have been broken by college students. Such packages are only good for casual security. PGP is strong enough to protect your business, financial, and medical information, no matter where you or your correspondents are.
How Does it Work?
When you install PGP, you will generate a pair of keys for yourself: a "public key" and a "private key". The private key is like a regular key. You will use it to unlock your messages. The public key is like a set of keyed-alike locks. You publish your public key (your lock) by sending it to a PGP key server on the Internet (PGP can do this for you). People who wish to send you private email use a copy of your lock to lock the message. You keep the (private) key to yourself, so that only you can open and read the messages.
Email Encryption Using PGP
Digital Signatures
PGP also allows you to sign a message or a file, with or without locking (encrypting) it. Each digital signature is uniquely generated by PGP based on the contents of the message and the signer's private key. The signature can be checked by anyone using the signer's public key. Since the signature is based partly on the contents of the message, if even one character of the message is changed, PGP will report that the signature is invalid. The signature is also based on the signer's private key, and the private key is held only by the signer, so recipients can be sure of exactly who signed the message.
The important thing to remember is that while handwritten signatures are supposedly unique per signer, digital signatures are unique per document and signer. Written signatures can be photocopied from document to document and still appear valid. Digital signatures fail verification when applied to another document.
Note: The "(Invalid Key)" in the image above only means that I have not personally verified that the key actually belongs to "RSG Buyonet AB".
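The signature properties described in the Digital Signatures section above, as an added example that is not part of the original page and is not PGP's own code. It uses textbook RSA over a SHA-256 hash with constructed demo keys, not the OpenPGP format; the names ALICE_* and BOB_* and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Return (public, private) toy RSA keys built from primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest(message):
    """SHA-256 of the message as an integer (smaller than both moduli below)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private):
    """Signature depends on the message contents and the signer's private key."""
    n, d = private
    return pow(digest(message), d, n)


def verify(message, signature, public):
    """Anyone holding the signer's public key can run this check."""
    n, e = public
    return pow(signature, e, n) == digest(message)


# Constructed demo keys from well-known Mersenne primes: NOT secure, illustration only.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def demo():
    original = b"Pay Bob $100."  # constructed sample message
    sig = sign(original, ALICE_PRIV)
    return {
        "genuine": verify(original, sig, ALICE_PUB),
        "one_char_changed": verify(b"Pay Bob $900.", sig, ALICE_PUB),
        "moved_to_other_document": verify(b"I owe Bob my car.", sig, ALICE_PUB),
        "checked_with_other_public_key": verify(original, sig, BOB_PUB),
        "signed_with_other_private_key": verify(original, sign(original, BOB_PRIV), ALICE_PUB),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} {'valid' if ok else 'INVALID'}")
```

Only the first case verifies; the other four show that a signature is bound to both the exact document and the signer's key.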
PGP uses the strongest encryption generally available outside the government. It's strong enough that until a few years ago it could not be exported out of the U.S. without a license. Even the NSA has attested to its strength:
"If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message." - William Crowell, Deputy Director of the National Security Agency, in testimony to the U.S. Congress, March 20, 1997
Sometimes you hear that encryption software has a back door for someone to be able to read your messages. Then why should you trust PGP? Because the source code is available. You can audit the code and compile your own copy to verify its operation.
One alternative is GNU Privacy Guard. GnuPG (or GPG) is an OpenPGP-compatible replacement for PGP. It is Open Source software that is licensed under the GNU General Public License (GPL). This means that not only is the software free from cost (gratis), it is also free for viewing and modification (libre). The GPL requires, among other things, that the source code be made available to anyone who receives the software. So you can be sure that no company will be able to restrict access to the source code. The source code for GnuPG will always be available for review.
Freeware
PGP is available for all popular personal
operating systems, including Windows, Macintosh, and Linux. U.S.
and Canadian residents can download a fully capable
Windows version of PGP from MIT.
A freeware version of PGP is also available from PGP Corp.
Users in other countries can download PGP from the
International PGP Home Page.
GNU Privacy Guard
GNU Privacy Guard (GnuPG) is a
Free Software/Open Source
encryption and authentication program that uses the
OpenPGP standard and is compatible
with PGP. GnuPG is licensed under the
GNU Public License
(GPL) so the complete source code is available and it may be used by anyone
with no license fees. GnuPG is available for Linux, UNIX, Macintosh, and Windows.
Commercial Versions
You can purchase PGP from
PGP Corp. The suite
includes message recovery, certificate services, security policy
enforcement, and other features that are of interest to those using
PGP in an organizational setting.
Send comments to Anthony E. Greene.