Electronic mail sent in plain text is about as safe as a postcard; it is susceptible to eavesdropping, falsification, and fraudulent repudiation. Public key cryptography can protect against these risks.
About PGP
OpenPGP is the industry standard protocol for securing email. In order to use it, you need a locally installed copy of PGP or GnuPG. (Running the program on a remote machine is technically possible, but less secure.) For simplicity, in this document, I will refer to the entire system as PGP.
PGP is a public key infrastructure. This means that every user has one or more public keys, which can be freely distributed (public key servers make this particularly easy), as well as corresponding private keys, which must be kept secret.
PGP allows you to create your own keys, and back them up, as you deem necessary. Many other public key infrastructures ignore these important requirements of confidentiality and availability.
Basic PGP functions
Digital signing and signature verification
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can sign a message (using your private key) by having PGP create a digital signature that corresponds to the message in question. When a signature successfully verifies (using the sender's public key), you can be sure that the message was signed with the key in question, and that it has not been altered since. Signatures are easy to apply to everyday email, even when one does not know whether or not the recipient uses PGP. They are also used e.g. to protect downloadable software from tampering, as well as for time stamping.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRyyUoelROe8ye3NFEQIwaACglY7lEAHZwF4yoblSdyxmCiiWi0IAnR6z
wMo3D6dAUzb63FQcgLYwcHM1
=8hS+
-----END PGP SIGNATURE-----
Data encryption and decryption
PGP empowers you to easily encrypt a message with the recipient’s public key, so that only someone who holds the private key of the designated recipient can decrypt the message. This means that you can send non-public information in ordinary Internet email messages. For additional security, encrypted messages are usually signed as well.
Key administration
Create, modify and revoke key pairs and signatures. Retrieve, sign, store and disseminate public keys.
The global PGP web of trust wants you!
Using PGP does not require that you pay or trust a commercial certificate authority such as VeriSign. Instead, the PGP community relies on a distributed model in which anyone can sign any key, but every user will decide whose signatures to trust.
In practice, you should sign the key of another user when (and only when) you have checked, first-hand, that the owner of that key is the person described by the user ID on the key. His key then becomes valid for you to use.
However, you might not be able to perform this kind of check personally on everyone to whom you send mail. This is where trust signatures come in - you can assign trust to keys you have signed so that your copy of PGP will consider keys signed by those users as valid, just as if you had signed them yourself. To take the same concept a step further, you can also designate meta-introducers, who are able to introduce new introducers. PGP keeps track of your signatures, calculating key validity and trust for you.
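The validity and trust calculation described above, modelled as an added example (this is not code from the original article, nor from PGP or GnuPG): a simplified fixed-point computation in which your own signature or one fully trusted introducer validates a key, two marginal introducers together validate a key, and a trust signature from a meta-introducer turns the signed key into an introducer. The marginal threshold, the depth cap and the key ring are assumed and constructed here; real implementations apply further rules (expiry, revocation, GnuPG's default of three marginals).

```python
from dataclasses import dataclass, field

MARGINALS_NEEDED = 2  # assumed threshold for this model (GnuPG's default is 3)
MAX_DEPTH = 5         # assumed cap on the length of an introduction chain

@dataclass
class Key:
    uid: str
    # Owner trust you assign by hand: ("full"|"marginal", depth) or None;
    # depth 1 = introducer, depth 2 = meta-introducer (may create introducers).
    owner_trust: tuple = None
    # Certifications: signer uid -> trust-signature level (0 = plain signature).
    sigs: dict = field(default_factory=dict)

def compute_validity(keys, me):
    """Map each valid uid to its introducer power (trust, depth), or None."""
    valid = {me: ("full", MAX_DEPTH)}  # your own key: valid and fully trusted
    changed = True
    while changed:  # fixed point: newly valid introducers can validate more keys
        changed = False
        for key in keys.values():
            if key.uid in valid:
                continue
            full, marginal, inherited = 0, 0, None
            for signer, tsig in key.sigs.items():
                intro = valid.get(signer)
                if intro is None or intro[1] < 1:
                    continue  # signer not valid (yet) or not an introducer
                trust, depth = intro
                if trust == "full":
                    full += 1
                else:
                    marginal += 1
                if tsig >= 1 and depth >= 2:  # meta-introducer delegates
                    inherited = (trust, min(tsig, depth - 1))
            if full >= 1 or marginal >= MARGINALS_NEEDED:
                valid[key.uid] = key.owner_trust or inherited
                changed = True
    return valid

# Constructed sample key ring (fictional users, no real keys).
RING = {k.uid: k for k in [
    Key("me"),
    Key("alice", ("full", 1), {"me": 0}),      # fully trusted introducer
    Key("bob", ("marginal", 1), {"me": 0}),    # marginal introducers: two
    Key("carol", ("marginal", 1), {"me": 0}),  # of them are needed here
    Key("dave", sigs={"alice": 0}),            # valid via alice alone
    Key("erin", sigs={"bob": 0, "carol": 0}),  # valid via bob + carol
    Key("frank", sigs={"bob": 0}),             # one marginal is not enough
    Key("grace", sigs={"dave": 0}),            # dave is valid but no introducer
    Key("heidi", ("full", 2), {"me": 0}),      # meta-introducer
    Key("ivan", sigs={"heidi": 1}),            # trust signature: ivan introduces
    Key("judy", sigs={"ivan": 0}),             # valid through ivan
]}
VALID = compute_validity(RING, "me")
```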
Links
- PGP Corporation products
- GNU Privacy Guard - the GNU project’s complete and free implementation of the OpenPGP proposed standard
- GPA - a graphical user interface for GnuPG
One Comment
And if you think it’s all too hard, take a look here at this “how to” guide.
http://www.vanish.org/security/pgpi1.htm