PGP - Pretty Good Privacy


... it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. -- Edgar Allan Poe, The Gold-Bug [William Legrand]

What one man can invent another can discover. -- Sir Arthur Conan Doyle, The Adventure of the Solitary Cyclist [Sherlock Holmes]

The easiest pickings for the ECHELON system are the individuals, organisations, and governments that do not use encryption. -- Nicky Hager, Secret Power

Cyberspace can be a dangerous place: sinister data interlopers waiting to seize your data, viruses infiltrating the system.

PGP, Pretty Good Privacy, can be used to deal with both problems.

PGP, designed by Phil Zimmermann, is a powerful data encryption package. Anything encrypted with PGP is as good as unbreakable.

PGP serves a dual role: it can be used to encrypt, and it can also be used to authenticate a package. Many shareware authors, myself included, are now using PGP to enable users to verify the authenticity of their software. I also use my own AntiVirus software to provide integrity checking.

The second edition of my book Virus: A computer malaise will include an appendix on how PGP can be used as an anti-virus aid.

If you are not using PGP I strongly recommend that you do, or at least give it a try. If you need convincing, read what Phil Zimmermann or I have had to say on why you should use PGP. For a brief overview of PGP read my paper What is Pretty Good Privacy?.

PGP is not an easy package to use, especially for those who are used to the crutch of Windows. There are a number of Windows front ends, but I strongly recommend that you make the effort to use the DOS version unaided as to use Windows is to weaken the security which somewhat defeats the purpose of using PGP.

To get started I recommend reading my guide to the basic commands or for something a little more in-depth the excellent EFH Workshop written by Paul Elliott. Both of these introductions should be read in conjunction with the PGP documentation, especially PGP User's Guide, Volume I: Essential Topics. Once you have started to get to grips with PGP read Jeff Licquia's PGP FAQ file.

Adam Back has written a brief history of PGP. For a more detailed account I recommend reading PGP: Pretty Good Privacy by Simson Garfinkel published by O'Reilly & Assoc, or the paper The First Ten Years of Public-Key Cryptography by Whitfield Diffie for a detailed account of developments in public key cryptography.

PGP is the de-facto Internet standard for e-mail encryption and digital signatures.

Action Alert! The FBI and NSA are attempting to force through the US Congress legislation that will ban the use of encryption - it will be a criminal offence to design, sell or use effective encryption. They wish to see similar measures implemented worldwide.

PGP main sites

The two principal sites for PGP, in addition to this one, are maintained by Francis Litterio and Ståle Schumacher. Ståle Schumacher also heads the International design team for PGP.

Francis Litterio has unfortunately withdrawn his excellent pages on PGP; access to Ståle Schumacher's site may be blocked.

It is also well worth visiting the home pages of these two guys as both maintain excellent links for security, privacy and other related issues.

Other Interesting Places and Useful Resources

The last six references indicate the level of surveillance on you that is now available.

PGP and related Usenet newsgroups

Mailing Lists

Computer Related privacy groups

Anyone with more than a passing interest in PGP will soon realise that security, privacy and the control of information is a hot political potato. In particular I recommend reading The Persecution of Phil Zimmermann, American by Jim Warren and the book The Hacker Crackdown by Bruce Sterling.

Hackers Crackers and Security

I have downloaded a PGP key from the guy's very own Web page, I must have the real key, right? Wrong! Using SATAN, Dan Farmer carried out a survey of banks and other sites conducting financial transactions over the 'net - more than 60% were vulnerable to attack. Cult of the Dead Cow demonstrated how easy it was to seize control of systems running MS Windows by using Back Orifice. The whole Web can be spoofed, firewalls breached, intrusion detection sidestepped.

Always treat with suspicion any key got off the 'net.

Cyber Rights

Privacy and encryption to protect that privacy are one side of a coin, the other side of the coin is freedom of information and the right to free speech. Add these together and we have cyber rights. Global corporations and governments around the world are trampling on these rights. The denizens of cyberspace are fighting back.

Cookies and the compiling of data on Internet usage are some of the many ways that personal privacy is being invaded. Anonymous e-mailers and anonymizers are some of the ways to operate behind a smoke-screen. Surfing in a crowd takes anonymous surfing one stage further.

PGP & Privacy Papers

My PGP Public Key

The only secure way to obtain my PGP public key is direct in person from myself. Alternatively you will have to obtain it through the 'net and observe all necessary precautions. To help validate my key I provide, on request for a nominal fee, a printed personally signed copy of my PGP public key fingerprint.

Further reading

There are a number of good books around on PGP and related privacy and security issues. Read my annotated bibliography for a sideways look at what's available. My bibliography is by no means exhaustive, publishers and authors are welcome to submit review copies for possible inclusion. Books Worth Reading is an index to a more general selection of books.

Obtaining PGP

PGP is obtainable from many places. The further afield you go from the original source the greater the danger of a Trojan version. There are several different versions of PGP; which version you require depends in part upon where you live. My recommendation is to go to MIT for the USA version or Ståle Schumacher for the International version. There is also a commercial version of PGP available from ViaCrypt, a subsidiary of PGP Inc.

Foreign Language Modules

Modules are available for a large number of foreign (non-English) languages.

Integrated Mail Packages

A number of Integrated Mail Packages are starting to appear. These can be either add-ons to existing mail packages or stand alone packages such as MailPGP.

PGP 5.0

During 1997 PGP 5.0 was released in the US; copies can be downloaded from the PGP Inc site. Also try the PGPi site.

PGP 5.0 introduced a number of new features, the most obvious of which was the graphical user interface. Others were integration with popular mail packages, integration with on-line key servers, user selection of several different hash and encryption algorithms, and a pair of keys, one for encryption, the other for signing (authentication).

PGP 5.0 is only legitimately available in the US due to the harsh regulations in force on the export of hard encryption. In keeping with the openness of earlier versions of PGP, the source code has been placed in the public domain for public scrutiny. As an indication of the crass stupidity of US export laws, neither the software nor the source code may be exported, but the printed source code may be freely exported.

Note: Recent landmark decisions rule it to be legal to post source code on the Internet (free speech under US Constitution First Amendment).

The printed source code almost immediately made its way across the Atlantic and activists were busy with their scanners. Mid-September 1997 Ståle Schumacher made a UNIX command line version available for download. This was reported in New Scientist (6 September 1997) and almost immediately access to the site was blocked. A Windows 95 version of PGP 5.0 is available for download from the Australian Privacy Home Page.

Until PGP 5.0 is in widespread use I recommend that anyone using it selects the options on algorithms for compatibility with earlier versions (RSA and IDEA) and restricts key size to 1024 bits. The exception would be communication exclusively with persons known to be using PGP 5.0 or versions later. Alternatively, produce two sets of keys.

PGP 5.5 has extra fields within the key certificate that enable the encrypted mail to be received by a third party! This option is user selectable at the time the key pair is generated, but be aware of what it is that you are selecting. It can also be coupled with a mail server that prevents the transmission of encrypted mail that does not contain the backdoor key. For many this option came as something of a shock. The rationale for the option is use within companies, should it prove necessary to recover encrypted mail. There should be proper procedures in place to cover what should be a rare event, and remember it is user selectable.

The reputation of Phil Zimmermann took a further knock in December 1997 when the company he helped found sold out to a company whose speciality was key recovery. For the moment there is nothing to worry about, provided that control of PGP remains under Phil Zimmermann, and the source code continues to be published.

I have discussed this concern with Phil, and he is aware of the public disquiet. He has a number of good ideas for future exploitation, and is as committed as ever to human rights. PGP has become the success it is due entirely to grass root support and word of mouth recommendation - no one but a fool would turn his back on such support or take it for granted.

PGP 6.0

PGP 6.0 was available for download in the UK before it was officially released in the US by Network Associates, making a mockery of the US administration's Draconian rules on export.

PGP 6.00 has added a whole load of new features, including the ability to embed a picture within the key certificate. The Freeware version is available for download from PGPi.

Certifying Authorities

You will normally communicate with people you know - friends, relatives, colleagues. Identification is not usually a problem. Key exchange and key signing may be a problem, especially with colleagues who you only meet at conferences or other plausible excuses for a good binge. The opportunity should be taken on these occasions to organise a key signing session.

Occasionally you will wish to communicate with people outside of this circle. You have a key, but unless you know any of the people who are signatories you have a problem establishing the key's validity. PathServer goes some way to overcoming this problem - it attempts to draw a path between a known and unknown key based on the signatures.
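The kind of path search described above, as an added example that is not part of the original page and is not PathServer's own code. The key IDs and the signature table are constructed sample data, and the function names are hypothetical. A path shows only that a chain of signatures exists; it says nothing about how carefully each signer checked identity.

```python
from collections import deque

# Constructed sample data: signer key ID -> key IDs that signer has certified.
SIGNATURES = {
    "ME":    {"ALICE", "BOB"},
    "ALICE": {"CAROL"},
    "BOB":   {"CAROL", "DAVE"},
    "CAROL": {"TARGET"},
    "DAVE":  {"TARGET"},
    "EVE":   {"MALLORY"},  # cluster with no signature chain from ME
}

def signature_path(sigs, trusted, target, max_hops=5, banned=frozenset()):
    """Shortest chain trusted -> ... -> target in which each key signed the next.

    Returns the list of key IDs, or None if no chain exists within max_hops.
    Keys in `banned` may not be used as intermediate signers.
    """
    queue = deque([[trusted]])
    seen = {trusted}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_hops:
            continue  # chain already at the hop limit, do not extend it
        for signed in sorted(sigs.get(path[-1], ())):
            if signed not in seen and signed not in banned:
                seen.add(signed)
                queue.append(path + [signed])
    return None

def independent_paths(sigs, trusted, target, max_hops=5):
    """Greedy list of chains that share no intermediate key.

    Several independent chains are harder to forge than one, because a single
    careless or compromised signer cannot account for all of them. The greedy
    search is simple but not guaranteed to find the maximum number of chains.
    """
    paths, banned = [], set()
    while True:
        path = signature_path(sigs, trusted, target, max_hops, frozenset(banned))
        if path is None:
            return paths
        paths.append(path)
        if len(path) <= 2:   # direct signature: no intermediates left to exclude
            return paths
        banned.update(path[1:-1])
```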

To try to overcome this problem I am proposing the establishment of a chain of Certifying Authorities. These will for a nominal fee sign a public key. Proof of ownership and three forms of ID, including a valid passport, will be required.

SLED Corporation, who I believe have recently merged with Four11, offer a commercial key signing service. They rely in part on the fact that payment is made by cheque - if the cheque does not bounce, then there must be at least some connection between the name on the cheque and the name on the key!

The UK DTI has produced a policy document on key escrow and trusted third parties that will effectively make it impossible for such certifying authorities to operate and may make it a criminal offence to sign a PGP key unless as a licensed TTP. My response paper details some of the many problems.

Action Alert! A follow up paper has been issued by the DTI. Public comment is invited. Further details from the DTI.

Yet more PGP pages

I have covered a fair amount of information; if that does not suffice, try one of the many search engines. Either perform a keyword search or go to the relevant index page.

Free Software

When PGP was first developed by Phil Zimmermann he gave away free both the program and the source code, though still retaining the copyright to prevent inappropriate development. PGPi became an international collaborative effort. It was this international cooperation and openness that made PGPi the powerful and widely accepted standard that it is today.

Promulgated by the Free Software Foundation, other software has followed a similar path. GNU (Gnu is Not Unix) is an international cooperative effort, often incorrectly referred to as Linux (Linux is only the GNU kernel). Apache has become the leading Web server. A parallel, some consider rival path, is that followed by Open Source. The source code is made freely available, but the software is still a commercial product. Netscape is now following the free source route.

These cooperative ventures are the only way to destroy Microsoft, at least that is how Microsoft sees it, as the cooperative effort and the programming talent brought to bear far exceeds anything employed by Microsoft. The advantage to the user community, apart from the fact that the software is outside of the control of Microsoft, is that unlike Microsoft products, these products are stable and reliable.

Phil on PGP

As he started it all off it would seem only reasonable to allow Phil Zimmermann a stab at the last word. Also try PGP Inc for latest news on PGP, privacy issues and related privacy products.

Human Rights

Last but not least, it should never be forgotten why PGP was developed in the first place - human rights - a point very eloquently put across by Phil Zimmermann at InfoSec98 (London, Olympia). Those who live in the so-called 'free world' tend to forget that the liberties we take for granted are not universal, and it is incumbent upon all of us to do our bit to help protect our fellow inhabitants of the planet and the environment in which we live. Democracy, civil liberties and human rights do not occur as automatic rights, they occur because people are prepared to fight for them, often at great personal cost and suffering and with huge loss of blood.


(c) Keith Parkins 1996-2000 -- March 2000 rev 73