A Newcomer's Introduction to

[PGP 5.x] Pretty Good Privacy (PGP)

[ What Is PGP? | Why Use it? | How Does it Work? | Digital Signatures ]
[ How Strong is it? | Does it Have a Backdoor? | Where Can I Get it? ]
[ PGP FAQ | PGP Newsgroup | PGP Users Mailing List | My Public Keys ]

[ Eudora Info | PGP Info | Linux Stuff | Contact | Home ]

What is PGP?

Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.

PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs. The plugins for Microsoft Outlook, Microsoft Outlook Express, Qualcomm's Eudora, and Claris Emailer install themselves into their respective email programs and appear as a menu item and a set of buttons on the message window, as shown below:

Microsoft Outlook
[Outlook Message Window]

Qualcomm Eudora Pro/Light
[Eudora Message Window]

With the current versions of PGP, strong encryption is no longer difficult to install and use. PGP makes it easy for you to protect your email and files. In addition to working with your email software, PGP can use copy/paste to protect text in any word processor or newsreader and can protect files with a right-click in Windows Explorer.

Why Use PGP?

You can use PGP to communicate securely about business plans, legal, financial, or medical matters, or any other personal matters that you would rather keep private. You would use PGP with email for the same reasons that you use envelopes with paper mail. Perhaps a coworker or a member of your household is a little too curious for your comfort. Perhaps you share a computer with other people and want to be sure your email and files remain private. Have you ever sent email to the wrong address or had it bounce for some reason? Email can end up in places it's not supposed to go. It's easy for unethical mail system administrators, disgruntled employees, hackers, and just plain nosey folks to read unprotected email. It's as easy as reading a postcard. Email stored on the typical Win95, Win98, WinME, or XP Home computer is accessible to anyone who sits at the keyboard. Internet email is plain text, perfectly readable with a text editor like the Windows Notepad. Protecting your email and files is easy with PGP.

Because PGP includes plugins for the most popular email software and can be used via copy/paste with any email software, newsreader, word processor, or text editor, you and your correspondents can continue to use your favorite software. Unlike some other email-only security packages, PGP can protect your files too. A
right-click in Windows Explorer lets you protect any file. PGP is available for all popular operating systems.

It's Free!
PGP is free for personal use. You can download the software for the cost of your connect time. You generate and sign your own keys. There's no annual fee imposed by a central key certificate service.

Worldwide Strength and Compatibility
PGP is available in full strength versions all over the world. A lot of work was put into legally exporting PGP in order to make sure that full-strength compatible versions are available outside the U.S. and Canada. Competing email security packages may not be available in full strength versions outside of the U.S. and Canada. The keys used in exportable versions of some other packages are much weaker and have been broken by college students. Such packages are only good for casual security. PGP is strong enough to protect your business, financial, and medical information, no matter where you or your correspondents are.

How Does it Work?

When you install PGP, you will generate a pair of keys for yourself; a "public key" and a "private key". The private key is like a regular key. You will use it to unlock your messages. The public key is like a set of keyed-alike locks. You publish your public key (your lock) by sending it to a PGP key server on the Internet (PGP can do this for you). People who wish to send you private email use a copy of your lock to lock the message. You keep the (private) key to yourself, so that only you can open and read the messages.

Email Encryption Using PGP

[Public Key Diagram]

Digital Signatures

[Signature Verification Log]

PGP also allows you to sign a message or a file, with or without locking (encrypting) it. Each digital signature is uniquely generated by PGP based on the contents of the message and the signer's private key. The signature can be checked by anyone using the signer's public key. Since the signature is based partly on the contents of the message, if even one character of the message is changed, PGP will report that the signature is invalid. The signature is also based on the signer's private key, and the private key is held only by the signer, so recipients can be sure of exactly who signed the message.

The important thing to remember is that while handwritten signatures are supposedly unique per signer, digital signatures are unique per document and signer. Written signatures can be photocopied from document to document and still appear valid. Digital signatures fail verification when applied to another document.

Note: The "(Invalid Key)" in the image above only means that I have not personally verified that the key actually belongs to "RSG Buyonet AB".

How Strong is PGP?

PGP uses the strongest encryption generally available outside the government. It's strong enough that until a few years ago it could not be exported out of the U.S. without a license. Even the NSA has attested to it's strength:

"If all the personal computers in the world - ~260 million computers - were
put to work on a single PGP-encrypted message, it would still take an
estimated 12 million times the age of the universe, on average, to break a
single message."
- William Crowell, Deputy Director of the National Security Agency, in
testimony to the U.S. Congress, March 20, 1997

Does PGP Have A Backdoor?

Sometimes you hear that encryption software has a back door for someone to be able to read your messages. Then why should you trust PGP? Because the source code is available. You can audit the code and compile your own copy to verify its operation.

One alternative is GNU Privacy Guard. GnuPG (or GPG) is an OpenPGP compatible replacement for PGP. It is Open Source software that is licensed under the GNU General Public License (GPL). This means that not only is the software free from cost (gratis) it is also free for viewing and modification (libre). The GPL requires, among other things, that the source code be made available to anyone who receives the software. So you can be sure that no company will be able to restrict access to the source code. The source code for GnuPG will always be available for review.

Where Can I get PGP?

PGP is available for all popular personal operating systems, including Windows, Macintosh, and Linux. U.S. and Canadian residents can download a fully capable Windows version of PGP from
MIT. A freeware version of PGP is also available from PGP Corp. Users in other countries can download PGP from the International PGP Home Page.

GNU Privacy Guard
GNU Privacy Guard (GnuPG) is a Free Software/Open Source encryption and authentication program that uses the OpenPGP standard and is compatible with PGP. GnuPG Is licensed under the GNU Public License (GPL) so the complete source code is available and it may be used by anyone with no license fees. GnuPG is available for Linux, UNIX, Macintosh, and Windows.

Commercial Versions
You can purchase PGP from PGP Corp. The suite includes message recovery, certificate services, security policy enforcement, and other features that are of interest to those using PGP in an organizational setting.

Send comments to Anthony E. Greene.

[ Eudora Info | PGP Info | My PGP Key ] | Contact [ Home ]