
PGP (Pretty Good Privacy)

Overview

If you want to use insecure channels to communicate securely, then you have to use cryptographic techniques. For centuries, the good ones were only available to state and military organizations, but nowadays there is a program called Pretty Good Privacy available for everyone's use, even with the source code, so you can assume that it has been analyzed for potential weaknesses.

Users outside the USA (see also the legal issues) should download PGP from a site outside of the USA, for example [a mirror site of] The International PGP Home Page in Norway, which also contains further information and links to add-ons.

PGP uses public key cryptography, which makes installation more complex, but makes it possible to communicate securely with people you have never met before. Still, key management is an issue that has to be understood, so make sure you read the manual, which is also available in Windows help

My Personal Use of PGP

On my old 386 with Windows 3.1 (yes!) I use PGP in conjunction with PGP Windows, a very small (42 kB) one of the many available front-end shells. It can encrypt and decrypt the clipboard contents (handy for email messages) and handles key management.

If you want to send me a message that nobody else should be able to read (such as my new password for a WWW account on your server), you can encrypt your message with my public key. Only I have the corresponding secret key to decrypt it.

My public key

Type Bits/KeyID    Date       User ID
pub  2048/BF57BB69 1997/05/10 Martin Stut <martin.stut@iname.com>

The fingerprint (checksum, designed for verification over the phone) of this public key is

62 1A 47 0D 62 FE FB 7F  75 91 1B FA 0B 43 B9 87
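
What checking such a fingerprint amounts to, as an added example that is not part of the original page: it assumes the key is in the PGP 2.x RSA format, where the fingerprint is the MD5 hash of the modulus and exponent (RFC 4880, section 12.2) and the 8-digit key ID is just the low 32 bits of the modulus. The key material and all function names are constructed for illustration; this is not the key published above.

```python
import hashlib

# Constructed stand-in key material, NOT the key from this page: a tiny,
# insecure modulus (product of two Mersenne primes) and a common exponent.
N = (2**127 - 1) * (2**89 - 1)
E = 65537
# Constructed number standing in for a different key whose modulus happens
# to share the low 32 bits of N, and therefore the same short key ID.
N_OTHER = N + 2**32

def mpi_body(value: int) -> bytes:
    """Big-endian bytes of an integer, without the 2-octet MPI length prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> bytes:
    """Version 3 fingerprint: MD5 over the modulus body, then the exponent body."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).digest()

def short_key_id(n: int) -> str:
    """8-hex-digit key ID of the key listing: the low 32 bits of the modulus."""
    return f"{n & 0xFFFFFFFF:08X}"

def format_fingerprint(fp: bytes) -> str:
    """16 hex pairs with a double space after the eighth, as printed above."""
    pairs = [f"{b:02X}" for b in fp]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])

def parse_fingerprint(text: str) -> bytes:
    """Accept any spacing and case; reject anything that is not 16 bytes."""
    fp = bytes.fromhex("".join(text.split()))  # ValueError on non-hex input
    if len(fp) != 16:
        raise ValueError("expected a 16-byte fingerprint")
    return fp

def fingerprint_matches(n: int, e: int, published: str) -> bool:
    """True only if the received key hashes to the published fingerprint."""
    return v3_fingerprint(n, e) == parse_fingerprint(published)

if __name__ == "__main__":
    published = format_fingerprint(v3_fingerprint(N, E))
    print("key ID:", short_key_id(N), "fingerprint:", published)
    # Same short key ID, different key: only the fingerprint tells them apart.
    print("other key ID:", short_key_id(N_OTHER))
    print("genuine key accepted:", fingerprint_matches(N, E, published))
    print("other key accepted:", fingerprint_matches(N_OTHER, E, published))
```

A matching key ID alone does not identify a key, which is why the full fingerprint is compared over a separate channel such as the phone.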

Hot Stuff - Lawwise

Because PGP is good enough to be very difficult to crack even for secret services, its use has been forbidden in countries like Iran, Iraq and France, and export from the USA falls under a law forbidding munitions export (the author of PGP got into a lot of trouble with US courts). Even here in Germany the lawmakers are thinking about regulation (the state should have access to everyone's secret key), but the business world (which has a lot of influence on politicians) and civil rights activists are against it, because

  1. people (organized crime etc.) who really have to hide bad things will have ways to do so, whether strong cryptography is forbidden or not
  2. there are ways to transport secret messages hidden in harmless looking pictures or sound files (steganography)
  3. a central registry of secret keys, as proposed by Manfred Kanther, the German interior minister, will be such an attractive target for attacks (imagine bribery and/or infiltration) by bad people that businesses (imagine banks) would not trust those regulated systems

Definitions

communicate securely
one or both of the following:
insecure channel
a path of communication where messages can be listened to and/or altered by sufficiently adversarial people. Email over the Internet is insecure, because messages are stored on providers' disks and lines might be quite open (imagine satellite links - they can be listened to by half of the globe).
public key cryptography
every user has two keys that have to match: a secret and a public one. The public one is widely published (like an email address), the secret one is kept, well, secret. The security of the method comes from the extreme difficulty of finding the matching secret key for a known public key (in PGP: finding the prime factors of a number of several hundred digits) except when generating a new set of both. Encryption is done by the sender with the public key of the receiver, such that one has to know the secret key to decrypt, so only the designated receiver can decrypt. Signing (checksum) a message is done with the secret key of the sender, so everyone can check it with the sender's public key.



Last updated: 05.05.2007 17:43:03 Martin Stut, Marburg, Germany
URL: http://www.stut.de/pgp.htm