|
Time to Renew PRAS Subscriptions New Telecom Service Request Procedures Windows 98: Personally I Like it!! Statistical Computing Tips: S-Plus The Network Connection |
By Kevin Mullet, guest columnist and NMS Datacommunications Computer Systems Manager
Pretty Good Privacy1
I recently got into a conversation about public key cryptography and the importance of PGP. You know the scheme: "What it is /what it does /what it does for us." Actually, my co-worker was pretty much cornered into the conversation when he had the, uh, good fortune to ask another PGP enthusiast and I for a system password and we said "sure... just send us your public key and we'll E-Mail it to you." Of course, requests for essential information about what PGP is ensued, thus this article.
First off, here's a URL for the software: http://bs.mit.edu:8001/pgp-form.html A caveat: That HTML form points to the freeware version of the software. For now, make your own evaluation of whether or not you can legitimately use the freeware version for more than just an evaluation based on the license agreement. Once I find out more definitive information from the Computer Associates legal department, I'll follow-up to both the netman list (a public group aimed at Network Managers here at UNT) as well as Benchmarks Online (CA bought PGP, Inc., and is now the US supplier of the commercial version of PGP.).
While I'm at it, here's a couple of additional URLs to give more information than just the vague overview in this article.
- MIT's Pretty Good Privacy homepage: http://web.mit.edu/network/pgp.html
- The comp.security.pgp FAQ has lots of good information, you might want to skim it and bookmark it for later reading. http://www.pgp.net/pgpnet/pgp-faq/
So what is PGP?
I'll start off with the answer to question 1.1 of the comp.security.pgp FAQ, "What is PGP?". Then I'll tell you why I believe the answer is misleading, or at least incomplete. According to the definition presented in that FAQ:
PGP is a program that gives your electronic mail something that it otherwise doesn't have: Privacy. It does this by encrypting your mail so that nobody but the intended person can read it. When encrypted, the message looks like a meaningless jumble of random characters. PGP has proven itself quite capable of resisting even the most sophisticated forms of analysis aimed at reading the encrypted text.
PGP can also be used to apply a digital signature to a message without encrypting it. This is normally used in public postings where you don't want to hide what you are saying, but rather want to allow others to confirm that the message actually came from you. Once a digital signature is created, it is impossible for anyone to modify either the message or the signature without the modification being detected by PGP.
While PGP is easy to use, it does give you enough rope so that you can hang yourself. You should become thoroughly familiar with the various options in PGP before using it to send serious messages. For example, giving the command pgp -sat <filename> will only sign a message, it will not encrypt it. Even though the output looks like it is encrypted, it really isn't. Anybody in the world would be able to recover the original text.
Okay, here's my two bits.
More Than Just E-Mail
PGP is much more than a utility that lets you encrypt your E-Mail, although I predict that once you start using PGP, E-Mail encryption will constitute at least 90% of your use. PGP can also be used for secure archival storage of any type of file, so you can take all your security exploit documents, encrypt them with long public key encryption and not lose any sleep over their safety.
The Core of the Matter
Here's the most concise way I can put it. PGP lets you perform encryption and electronic signature on files containing text or any other data. PGP does this by employing a mechanism called public key encryption. As opposed to single-key encryption where the same key is used to both encrypt (lock) and decrypt (unlock) files, public key encryption uses a "public key" to encrypt, and a "private key" to decrypt.
These "keys" are typically conveyed as blocks of hexadecimal text that are generated and managed from within the encryption software. Typically, you would freely give your public key to anyone who might ever want to exchange signed or encrypted information with you. Conversely, you would typically keep your private key in a very safe place, since it's a vital component of your public key encryption credentials. The combination of your private key and your "key phrase" (a phrase or sentence used like a password) permits anyone to decrypt any information intended for you, or to sign documents and claim to be you. Obviously, then, you shouldn't disclose your key phrase to anyone.
A Word About Key Management
Use PGP for any length of time, and with any variety of users, and you'll start to accumulate a bunch of public keys, usually one or two per person. All versions of PGP software provide for maintaining your "key ring". Each time you add a public key to your ring (so you can use it to encrypt documents), you must satisfy yourself that the key actually belongs to the person indicated on the key. Some people meet this requirement by using keys physically handed to them on discreet media like a floppy disk. Usually, you'll get someone's key from their Web page, through unsecure E-Mail or through a Web-based key server. Once you retrieve a key, you can add it to your ring, then contact the person to whom the key is supposed to belong, and compare "fingerprints" (actually long hexadecimal strings unique to each key) between what they believe is their key and what you believe is their key. If you're satisfied that the key truly belongs to them, then you can set the "trust" on your key accordingly. Later on, this "trust" will enable you to authenticate by proxy additional keys you might acquire. If you get a key off someone's home page or from unsecure E-Mail, and you find that it's been digitally signed by someone whose identity you HAVE confirmed, you may decided to "trust" the identity of the new key based on that signature. This arrangement is called the PGP "Web of trust."
An more highly-organized alternative is used with X.509 certificates, which are an integral part of the Secure Sockets Layer (used in https:// method URLs). In the ITU-T X.509 model, trust originates with and is assigned by formally defined certificate authorities, such as Verisign, who delegate and control trust in a downward hierarchy must more structured than the PGP Web of trust.
So the current bottom line appears to be this. PGP is the most commonly used, potentially highly secure encryption suite around. So much so that its strength and availability was one of the primary motivations for Clipper and various other anti-encryption legislative attempts by the US federal government. Using PGP isn't as cut-and-dry as one might hope, but the recent Win95-based versions have made things so easy that virtually anyone with a bit of persistence can be encrypting like nobody's business.n
[1] We have published items about PGP and privacy in Benchmarks before, including "Shhh! Honey, did you hear something?" and "Personal Privacy Pointers." Privacy in electronic communications was also the focus of one of the Network Connections columns in a 1994 Benchmarks. -- Ed.