The use of strong encryption to exchange private messages is now commonplace. One of the most popular working tools for the private exchange of messages is PGP (Pretty Good Privacy). The following may be helpful to people wanting or needing to exchange private email messages. (PGP implementations also enable computer files to be encrypted and decrypted.)
How PGP Works
Learning to use PGP encryption is easier than learning to use a word processor. There are two encryption keys: public and private (secret). If you use the email plugins under Windows, encrypting and "signing" a message may be done simply by clicking an icon and choosing a public or private key respectively. A typical scenario follows:
1) You give your public key to correspondents. You can email it to them, for example, or post your public key on a remote keyserver; then anyone who visits that keyserver can be your secure correspondent, which is the purpose of a keyserver. Two remote keyservers are made available during the installation of PGP.
The Windows PGP install process automatically offers to put your public key on a keyserver. This install process will also let you easily install PGP email plugin(s) for Eudora, Netscape, and/or Outlook Express.
2) A correspondent writes a message with their email client and then uses your public key to encrypt that message before sending it to you. Or you use their public key to encrypt a message to them.
3) You then use your private (secret) key maintained on your local computer system to decrypt a message sent to you. Email plugins do this automatically, prompting you for your private key pass-phrase. Since the message was encrypted with your public key, only your private key, and no one else's keys, can decrypt this message. So only you can decrypt such messages.
4) A sender's private key may also be used to "sign" messages. You then use the sender's public key to decrypt the signature. No one else's public or private key can decrypt this signature. Thus the signature is unique, and if it decrypts using the sender's public key, this is proof that the electronic signature is the sender's and no one else's. Also, as stated in the PGP manual, "a signed message verifies that the information within it has not been tampered with in any way." Such secure electronic signing assumes, of course, that private keys are in fact known only to their owners.
How Safe is PGP
Private keys and their companion pass-phrases are assumed to be known only by their owner. The number theory behind PGP creates keys that are in effect a product of very large prime numbers. To date there is no known algorithm for factoring such a product in a practical amount of time. Indeed, cryptographers, mathematicians and computer experts have tried unsuccessfully for years to break PGP.
There is an integrity exposure when using PGP: it is crucial to back up your private and public keys in a secure place, in such a way that only you have access to them. Since these "key rings" are created in a unique fashion, even you cannot recreate them. Thus your encrypted messages or files would be useless if you lost these keys, and your privacy would be compromised if anyone but you had access to them. For more information on this, please see Integrity of PGP Encrypted Files: http://ftp.aset.psu.edu/pub/ger/documents/DataIntegrity.htm#7)%20Encrypted
Where to Get PGP
We recommend two versions of PGP here: 1) the free version, PGP 6.58, and 2) the commercial version ($39). Free version: http://www.pgpi.org/products/pgp/versions/freeware/win32
PGP Versions 6.58 and 7.03 both support email plug-ins. PGP Version 7.03 also requires that two hot fixes be installed. Both of these are available for free download at: http://www.pgpi.org/products/pgp/versions/freeware/win32
2) Commercial Version 8.0:
http://www.pgpi.org/products/pgp/versions/freeware/win32/
(Note that email plug-ins are installed but not functional with PGP 8.0 unless it is licensed ($39).)
PGP Commercial Versions are also available via: http://www.pgpi.org/products/pgp/versions/commercial/
Email Plug-ins for platforms other than Windows:
http://www.pgpi.org/products/tools/search/
(Note: set the "Category" for the search to "Email Plugin ...")
PGP for Linux (free command line only) is available at:
http://www.pgpi.org/products/gnupg/
This free command-line version is also available for Macintosh OS X and the Windows DOS prompt.
PGP Personal, Commercial Version 8 for the Macintosh OS X is available at: http://www.pgpi.org/products/pgp/versions/freeware/mac/8.0/
Lists of PGP Keyservers: http://www.keyserver.net/en/
http://www.hal-pc.org/~bunbytes/karlsson/pgp/keyservers.html#kserv
http://www.wowarea.com/english/help/keyserv.htm
References
An AIS/ASET Security Page (See the PGP section):
http://ftp.aset.psu.edu/pub/ger/documents/security.html
Basic description of PGP and brief supporting mathematics:
http://www.momentus.com.br/PGP/doc/howpgp.html
A few good short PGP tutorials that briefly tell how it works are:
PGP FAQ: http://www.cam.ac.uk.pgp.net/pgpnet/pgp-faq/
Yale PGP Introduction: http://www.yale.edu/its/security/pgp/pgp_intro.html
CREN PGP Tutorial: http://www.cren.net/crenca/onepagers/pgp2.html
Latest News about PGP: http://www.pgpi.org/news/#20021001.
Acknowledgment
Thanks to Pete Weiss, Penn State Administrative Information Services, for reviewing this document and for useful suggestions for improving it.