A little background on encryption and why it’s necessary to keep Big Brother from watching you. Or me, for that matter. My Public Key and the Web of Trust. Encouragement not to make me a solitary, quixotic figure on a singular journey to encryption loneliness. Pathos overdose. Be my Sancho Panza.
Why Encrypt?
It’s probably not going to be easy to convince some of you to use an encryption program for your electronic mail. You’re not the typical drug runners or Mafia-types. You’re more the occasional jaywalker. Maybe you drive a touch fast. I don’t know. Regardless, I’m betting that you send your letters in envelopes when you send correspondence by U.S. Mail, and what I’m trying to say here is that you should do the same for your electronic mail. If you think about the function of envelopes, it’s to ensure privacy of communication. Not a bad idea on computers, either, and that’s basically what PGP does.
When you send unencrypted e-mail it passes through a bunch of computers called servers. Your message can easily be read by anyone who has access to even one of these machines. It’s even worse if you’re sending mail from work: Legally, any e-mail you create or send belongs to the company, not you! Just image writing some e-mail message at work which you don’t want anyone to see and then your boss steps up and says, “Let me see your computer.” Scary thought, unless you’ve encrypted your message.
(For the more governmentally paranoid among you, you’ll be happy to know that the U.S. government hates PGP because they can’t crack it. They’d prefer to be able to read everybody’s e-mail.)
Personally, I don’t want anyone but the intended receipient looking through my e-mail. An essential part of freedom of speech is the freedom to decide with whom you’re communicating, and PGP gives the common person that ability in the computer age.
If you’re still not convinced, well, that’s fine. I’m not going to do a hard sell. Secret codes and stuff are just for cool people, anyway. But will someone please, please send me a message encrypted with my Public Key? I have no way of know if this stuff works until someone does. And who knows, maybe you’ll decide it’s fun to be cool after all.
How Does PGP Work?
The short form is this: I type a “pass phrase” (like a “password” but longer) into PGP and from this PGP generates a code pattern which it splits into two pieces. The first piece, the Public Key, I give away to all my friends, family, etc. They can use that to send PGP-encrypted e-mail to me which I then decode using the second piece of the previously generated code, known as the Secret Key. Because only I have the Secret Key which matches my Public Key, I can receive secure e-mail from anyone using PGP with my Public Key.
Now what if Big Brother stomps into my computer room and takes my computer? Well, the Secret Key is encrypted too. Remember my pass phrase? Without that, good luck trying to read any of the encrypted e-mail I received.
(Do note that without a utility like Burn or Norton Utilities’ Wipe Info some unencrypted files may still be on your hard drive; before PGP encrypts a file there is a source file which is, general speaking, unencrypted. Also, remember that simply deleting file or putting it in the Trash is not the same as using one of the aforementioned programs. Undeleting files isn’t hard, and the FBI even has a device which will resurrect information off formatted hard drives.)
The other obvious question is how you know that I, Ty Davison, am really the one supplying you my Public Key. How do you know this Public Key belongs to me and not my evil twin, Mr. Nosivad? In short, unless I’ve handed you a disk and said, “This here’s my Public Key,” you can’t be absolutely certain.
But there are a couple of ways around this. One is what’s called “The Web of Trust,” which simply means that it’s possible for me to add my digital signature (which, for length’s sake, I won’t go into here) to a Public Key to give my stamp of approval, as it were. Sort of an electronic notary public function. For example my friend Bob gives me his Public Key. I can add my digital signature to Bob’s Public Key so that when I give Bob’s Public Key to my friend Tom (who doesn’t know Bob), Tom has my good word that Bob’s Public Key is in fact his.
So how do you get my Public Key? Well, you can e-mail me and I’ll send it to you, or, preferably, you’ll download PGP 5.0 and get my Public Key off the MIT key server. All you have to do is search for either “Ty Davison” or “[email protected]” and my Public Key will be with you in moments. What could be easier?
Yeah, okay, lots of things. Next topic.
Is PGP Secure?
I’m not nearly bright enough to explain the mathematics behind how PGP works. I can tell you, however, that it is considered strong encryption—so much so that the U.S. government does not allow it to be exported out of the country. PGP uses a 128-bit key. Unless there is a flaw in the algorithm used in PGP’s encryption scheme (nobody has found one yet), it would take thousands—if not millions—of years to crack your code. Only you can determine if that’s enough security for your needs.
I should point out that I’m only talking about the encrypted message itself. There are two other means that someone could use to attempt cracking your messages. One is to steal your pass phrase, though the way to thwart that is to (1) not write it down and (2) never tell it to anyone. The other method is to hack your Public Key. However, if you set your Public Key at 1024 bits or greater, you can rest assured that all the computers in the world, working in tandem, could not crack your messages before you died of old age. Which should be long enough.
Where to download
By using my public key, you can safely send me encrypted messages using PGP v2.6 or greater. If at all possible, you should use PGP 5.0 or later. My address (without the quotes) is: “Ty Davison ”
If you’re in the United States, you can download PGP from MIT’s server at http://web.mit.edu/network/pgp.html. Disregard the stuff about earlier version of PGP and integrating them into e-mailer programs. Just get the latest PGP and it will work with your e-mail program fine. (You can also get PGPFone here as well.)
If you’re looking for a MacOS X version, see PGP Corp’s web site at http://www.pgp.com/products/freeware.html. You can also purchase a feature-enhanced version here for a nominal fee.
Now will somebody please send me some encrypted e-mail?
Recommended reading
PGP: Pretty Good Privacy by Simon Garfinkel, published by O’Reilly & Associates, Inc., 1995.
E-Mail Security by Bruce Schneier, published by John Wiley & Sons, Inc., 1995.