Guideline for Pretty Good Privacy
To protect your electronic mail and files stored on your hard-drive, Pretty Good Privacy (PGP) program is one of the choices for encryption. PGP can encrypt files and email. It uses digital signatures and certified keys in the encryption.
PGP first appeared in 1991, which was written by Phil Zimmermann and was available on the Internet as freeware. Since then PGP became the popular software for encryption.
Because of cryptographic software export restriction in the United States, PGP was not available to other countries initially. Some companies outside U.S. had "re-engineered" the software and developed versions that were not governed by the U.S. law. Today, with the relaxation of the U.S. law, we can download copies of the PGP software from sites in U.S. and outside U.S.
Nowadays, email becomes one of the ways for communication with others. PGP is a tool for the public to encrypt or sign an email. PGP tries to fulfill a basic need for human – Privacy. If you do not protect your email message or information, others can easily obtain your email message and your privacy will be lost.
Before you learn how PGP works, it's helpful to have some basic PGP terminology concept.
To encrypt a message for a specific person, you need that person’s public key. If someone send you an encrypted message, he requires your public key to encrypt the message before sending. The message that was encrypted with your public key can only be read and decrypted by you. The key is called public key because it can be distributed to everyone without affecting your security system.
When someone sends you a message encrypted with your public key, this message can only be decrypted with the private key kept by you. This key is called private key or secret key because you need to keep it secretly.
For every message encrypted with the public key, PGP will randomly generate a session key for that communication session. Each communication will generate a different session key.
All the keys for communication with other person, PGP will keep it in a file called key ring. There are two types of key rings, private and public key ring.
The public key ring will store the public keys you created and you collected from others in a file called “pubring.pkr”. The private key ring will store the private keys you created in a file called “secring.skr”.
A pass phrase is required each time you create a key pair. PGP requests you to enter a pass phrase that is used for manipulating your private key. Thus, the pass phrase provides extra security level. Even if someone steal your private key, he cannot use your private key without your pass phrase.
You can have a different pass phrase for each private key or same pass phrase for all of your private keys.
PGP has a powerful system for signing electronic documents called digital signatures.
To encrypt documents or emails, you need the recipient’s public key. Most of the recipient may not have the security software and so do their public key.
Sometimes you simply want to keep your documents or emails from being changed. You want a way to prevent people from changing your words without your permission and claiming that they were the original authors. Digital Signature can be used for all of these functions.
Basic steps for using PGP
- Install PGP on your computer.
- Create a private and public key pair. Before you can begin using PGP, you need to generate a key pair.
- Exchange public keys with others.
- Once you have a copy of someone's public key. You can add it to your public key ring.
- Encrypt and sign your email.
- Decrypt and verify your email.
- Verify a digital fingerprint
Step 1. Install PGP on your computer
The PGP program can be obtained from Network Associates, Inc or PGP International Homepage. After downloading the program file, simply install it and follow the instructions on screen.
The most important thing during installation is creating a key pair, i.e. your private key and public key. If you do not want to create your key pair during the installation, you can come back to the program and create your key pair anytime you like.
Step 2. Create PGP key pair
To create your PGP key pair, a pass phrase is required. Pass phrase is used to generate the 128-bit code by hash function. The hash function accepts an input string of any length; the string can contain spaces, periods, uppercase and lowercase characters, and any other symbols you can type from keyboard. Since the input can be of any length, it is called a "pass phrase". PGP uses pass phrases to encrypt files and decrypt the secret keys on your secret key ring.
Step 3. Exchange Keys
- Upload your public key to certificate/key server
Upload your public key to certificate server is one of the method for making your public key available to others. Without bothering the sender whom send you an email, he can search a copy of your public key in the certificate server where everyone has the access right. It helps reduce the number of keys to be kept, especially those not used frequently.
Certificate Server is offered by a number of organisations, e.g. Massachusetts Institute of Technology, Network Associates, Inc, etc. From where you can upload or download the public key of yours and the others. Once you uploaded your public key to one of the certificate servers, the certificate server will forward the key to other certificate servers connected around the world. If anyone wants to send you encrypted email or to verify your digital signature, he can get your copy of public key in this certificate server by searching either your name or email address.
- To obtain someone’s public key
There are 3 simple ways to obtain someone's public key.
- Search the public key in certificate server;
- Get the public key from email;
- Get the public key from file.
To obtain someone's public key from certificate server, simply connect to the certificate server and search the public key by email address or name (if the public key is already uploaded). Or else, the recipient can give you his public key directly by hand.
Step 4. Add someone’s public key to your key ring
Put the public key you received from a friend or co-worker to your public key ring. After adding public key to public key ring, you can send encrypted message to that public key’s owner or verify the digital signature from the public key’s owner.
Actually, the public key is just a block of text, the recipient can copy it from the certificate server or import it directly from a file.
Step 5. Encrypt and sign your email
- Sending Encrypted Email
Sending encrypted email with PGP is a four-step process, consisting of the following steps:
- Write the email message that you want to send.
- Get the public key of the person to whom you are sending the message.
- Encrypt the message using that person’s public key.
Send the encrypted message via your traditional electronic mail program.
Sending an encrypted email to multiple people
To send encrypted email to multiple people, simply use your email program to create your message and address the recipients as normal as you would. However, you must make sure you have all the recipient’s public keys.
When PGP encrypts for multiple recipients, it encrypts the message only once, but it encrypts a separate copy of the session key for each recipient.
Digital signature is a special number that is cryptographically produced and digitally verified.
PGP digital signature can perform two different functions they are Integrity and Authentication. Integrity tells you whether a file or a message has been modified. Authentication makes it possible for you to mathematically verify the name of the person who signed the message.
MD5 Message Digest
Digital signature is based on a kind of mathematical function known as a message digest. A message digest function distills the information contained in a file into a single large number. PGP's digital signature is based on the MD5 message digest function.
Message digest will produce a 128-bit number from a block of text of any length. Theoretically, there is a chance that same block of text will be used for different messages. However, 128 bits will have 2128 combinations and the chance for the occurrence is extremely small.
For each document published with its MD5 key, you can be sure that the copy of the document you download from the internet is an unaltered copy of the original by calculating the document’s MD5 code and comparing it with the one for the document that you published. If they match, you know this is the original one.
Step 6. Decrypt and Verify email
The quickest and easiest way to verify the email we sent to you is with an application supported by the PGP plug-ins. Although the procedure varies slightly between different email applications, when you are using an application that supports the PGP/MIME standard, you can verify the email messages by clicking an icon attached to your message.
If you are using an email application that is not supported by the PGP plug-ins, you can check the PGP signature by saving your mail message to a file and running PGP on it.
Step 7. Verify with a digital fingerprint
You can determine if a key really belongs to a particular person by checking its digital fingerprint, a unique series of numbers or words generated when the key is created. By comparing the fingerprint on your copy of someone’s public key to the fingerprint on their original key, you can be absolutely sure that you do in fact have a valid copy of their key.