... it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. -- Edgar Allan Poe, The Gold-Bug [William Legrand]
What one man can invent another can discover. -- Sir Arthur Conan Doyle, The Adventure of the Solitary Cyclist [Sherlock Holmes]
The easiest pickings for the ECHELON system are the individuals, organisations, and governments that do not use encryption. -- Nicky Hager, Secret Power
Cyberspace can be a dangerous place: sinister data interlopers wait to seize your data, and viruses infiltrate the system.
PGP, Pretty Good Privacy, can be used to deal with both problems.
PGP, designed by Phil Zimmermann, is a powerful data encryption package. Anything encrypted with PGP is as good as unbreakable.
PGP serves a dual role: it can be used to encrypt, and it can also be used to authenticate a package. Many shareware authors, myself included, are now using PGP to enable users to verify the authenticity of their software. I also use my own AntiVirus software to provide integrity checking.
The second edition of my book Virus: A computer malaise will include an appendix on how PGP can be used as an anti-virus aid.
If you are not using PGP I strongly recommend that you do, or at least give it a try. If you need convincing, read what Phil Zimmermann or I have had to say on why you should use PGP. For a brief overview of PGP read my paper What is Pretty Good Privacy?.
PGP is not an easy package to use, especially for those who are used to the crutch of Windows. There are a number of Windows front ends, but I strongly recommend that you make the effort to use the DOS version unaided, as to use Windows is to weaken the security, which somewhat defeats the purpose of using PGP.
To get started I recommend reading my guide to the basic commands or for something a little more in-depth the excellent EFH Workshop written by Paul Elliott. Both of these introductions should be read in conjunction with the PGP documentation, especially PGP User's Guide, Volume I: Essential Topics. Once you have started to get to grips with PGP read Jeff Licquia's PGP FAQ file.
Adam Back has written a brief history of PGP. For a more detailed account I recommend reading PGP: Pretty Good Privacy by Simson Garfinkel, published by O'Reilly & Assoc, or the paper The First Ten Years of Public-Key Cryptography by Whitfield Diffie for a detailed account of developments in public key cryptography.
PGP is the de-facto Internet standard for e-mail encryption and digital signatures.
Action Alert! The FBI and NSA are attempting to force through the US Congress legislation that will ban the use of encryption - it will be a criminal offence to design, sell or use effective encryption. They wish to see similar measures implemented worldwide.
Francis Litterio has unfortunately withdrawn his excellent pages on PGP; access to Ståle Schumacher's site may be blocked.
It is also well worth visiting the home pages of these two guys as both maintain excellent links for security, privacy and other related issues.
Always treat with suspicion any key got off the 'net.
Cookies and the compiling of data on Internet usage are some of the many ways that personal privacy is being invaded. Anonymous e-mailers and anonymizers are some of the ways to operate behind a smoke-screen. Surfing in a crowd takes anonymous surfing one stage further.
PGP 5.0 introduced a number of new features, the most obvious of which was the graphical user interface, along with integration with popular mail packages, integration with on-line key servers, user selection of several different hash and encryption algorithms, and a pair of keys, one for encryption and the other for signing (authentication).
PGP 5.0 is only legitimately available in the US due to the harsh regulations in force on the export of hard encryption. In keeping with the openness of earlier versions of PGP, the source code has been placed in the public domain for public scrutiny. As an indication of the crass stupidity of US export laws, neither the software nor the source code may be exported, but the printed source code may be freely exported.
Note: Recent landmark decisions rule it to be legal to post source code on the Internet (free speech under US Constitution First Amendment).
The printed source code almost immediately made its way across the Atlantic and activists were busy with their scanners. Mid-September 1997 Ståle Schumacher made a UNIX command line version available for download. This was reported in New Scientist (6 September 1997) and almost immediately access to the site was blocked. A Windows 95 version of PGP 5.0 is available for download from the Australian Privacy Home Page.
Until PGP 5.0 is in widespread use I recommend that anyone using it selects the options on algorithms for compatibility with earlier versions (RSA and IDEA) and restricts key size to 1024 bits. The exception would be communication exclusively with persons known to be using PGP 5.0 or later versions. Alternatively, produce two sets of keys.
PGP 5.5 has extra fields within the key certificate that enable the encrypted mail to be received by a third party! This option is user selectable at the time the key pair is generated, but be aware of what it is that you are selecting. It can also be coupled with a mail server that prevents the transmission of encrypted mail that does not contain the backdoor key. For many this option came as something of a shock. The rationale for the option is use within companies, should it prove necessary to recover encrypted mail; there should be proper procedures in place to cover what should be a rare event, and remember that it is user selectable.
The reputation of Phil Zimmermann took a further knock in December 1997 when the company he helped found sold out to a company whose speciality was key recovery. For the moment there is nothing to worry about, provided that control of PGP remains under Phil Zimmermann, and the source code continues to be published.
I have discussed this concern with Phil, and he is aware of the public disquiet. He has a number of good ideas for future exploitation, and is as committed as ever to human rights. PGP has become the success it is due entirely to grass-roots support and word of mouth recommendation - no one but a fool would turn his back on such support or take it for granted.
PGP 6.00 has added a whole load of new features, including the ability to embed a picture within the key certificate. The Freeware version is available for download from PGPi.
Occasionally you will wish to communicate with people outside of this circle. You have a key, but unless you know any of the people who are signatories you have a problem establishing the key's validity. PathServer goes some way to overcoming this problem - it attempts to draw a path between a known and unknown key based on the signatures.
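An added example, not part of the original page and not PathServer's own code: a sketch of the path-finding idea described above, run over constructed key names and signatures. It goes one step beyond a single path by also collecting chains that share no intermediate signer, since one chain is only as trustworthy as each key along it.

```python
from collections import deque

# Constructed sample data: each pair is (signer, signed key); all names are hypothetical.
SIGNATURES = [
    ("me", "alice"), ("me", "bob"),
    ("alice", "carol"), ("bob", "dave"),
    ("carol", "target"), ("dave", "target"),
    ("alice", "dave"),
    ("mallory", "target"),   # signer that no key I trust has certified
]

def build_graph(signatures):
    """Map each signer to the set of keys it has signed."""
    graph = {}
    for signer, signed in signatures:
        graph.setdefault(signer, set()).add(signed)
    return graph

def find_path(graph, known, unknown, excluded=frozenset()):
    """Breadth-first search for the shortest signature chain known -> unknown,
    skipping any intermediate key in `excluded`. Returns a list or None."""
    queue = deque([[known]])
    seen = {known}
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in seen or nxt in excluded:
                continue
            if nxt == unknown:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def independent_paths(graph, known, unknown):
    """Greedily collect chains that share no intermediate signer.
    A greedy pass gives a lower bound on the number of disjoint chains."""
    used, paths = set(), []
    while True:
        path = find_path(graph, known, unknown, frozenset(used))
        if path is None:
            return paths
        paths.append(path)
        if len(path) == 2:      # direct signature: no intermediates to exclude
            return paths
        used.update(path[1:-1])
```

A key with no chain from a key you already hold as valid, such as `mallory` here, returns `None` however many signatures it has issued itself.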
To try to overcome this problem I am proposing the establishment of a chain of Certifying Authorities. These will for a nominal fee sign a public key. Proof of ownership and three forms of ID, including a valid passport, will be required.
SLED Corporation, who I believe have recently merged with Four11, offer a commercial key signing service. They rely in part on the fact that payment is made by cheque - if the cheque does not bounce, then there must be at least some connection between the name on the cheque and the name on the key!
The UK DTI has produced a policy document on key escrow and trusted third parties that will effectively make it impossible for such certifying authorities to operate and may make it a criminal offence to sign a PGP key unless as a licensed TTP. My response paper details some of the many problems.
Action Alert! A follow up paper has been issued by the DTI. Public comment is invited. Further details from the DTI.
Promulgated by the Free Software Foundation, other software has followed a similar path. GNU (GNU's Not Unix) is an international cooperative effort, often incorrectly referred to as Linux (Linux is only the GNU kernel). Apache has become the leading Web server. A parallel, and some consider rival, path is that followed by Open Source. The source code is made freely available, but the software is still a commercial product. Netscape is now following the free source route.
These cooperative ventures are the only way to destroy Microsoft, at least that is how Microsoft sees it, as the cooperative effort and the programming talent brought to bear far exceed anything employed by Microsoft. The advantage to the user community, apart from the fact that the software is outside of the control of Microsoft, is that unlike Microsoft products, these products are stable and reliable.