PGP: Teach us please
Posted 22 April 2005 - 12:14 PM
Still have yet to learn much myself on my road of web design.
Posted 22 April 2005 - 12:24 PM
*** Frequently Asked Questions about PGP ***
Andre Bacard, Author of
THE COMPUTER PRIVACY HANDBOOK
[Version February 25, 1995]
This article offers a nontechnical overview of PGP to
help you decide whether or not to use this globally
popular computer software to safeguard your computer
files and e-mail. I have written this especially for
persons with a sense of humor. You may distribute this
(unaltered) FAQ for non-commercial purposes.
What is PGP?
PGP (also called "Pretty Good Privacy") is a computer
program that encrypts (scrambles) and decrypts
(unscrambles) data. For example, PGP can encrypt "Andre"
so that it reads "457mRT&%$354." Your computer can
decrypt this garble back into "Andre" if you have PGP.
Who created PGP?
Philip Zimmermann <[email protected]> wrote the initial
program. Phil, a hero to many pro-privacy activists,
works as a computer security consultant in Boulder,
Colorado. Phil Zimmermann, Peter Gutmann, Hal Finney,
Branko Lankester and other programmers around the globe
have created subsequent PGP versions and shells.
PGP uses the RSA public-key encryption system. RSA was
announced in 1977 by its inventors: Ronald Rivest of MIT,
Adi Shamir of the Weizmann Institute in Israel, and
Leonard Adleman of USC. It is called "RSA" after the
initials of these men. PGP also employs an encryption
system called IDEA which surfaced in 1990 due to Xuejia
Lai and James Massey's inventiveness.
Who uses PGP encryption [or other RSA-based systems]?
People who value privacy use PGP. Politicians running
election campaigns, taxpayers storing IRS records,
therapists protecting clients' files, entrepreneurs
guarding trade secrets, journalists protecting their
sources, and people seeking romance are a few of the law
abiding citizens who use PGP to keep their computer files
and their e-mail confidential.
Businesses also use PGP. Suppose you're a corporate
manager and you need to e-mail an employee about his job
performance. You may be required by law to keep this
e-mail confidential. Suppose you're a saleswoman, and you
must communicate over public computer networks with a
branch office about your customer list. You may be
compelled by your company and the law to keep this list
confidential. These are a few reasons why businesses use
encryption to protect their customers, their employees,
PGP also helps secure financial transactions. For
example, the Electronic Frontier Foundation uses PGP to
encrypt members' charge account numbers, so that members
can pay dues via e-mail.
Thomas G. Donlan, an editor at BARRON'S [a financial
publication related to THE WALL STREET JOURNAL], wrote a
full-page editorial in the April 25, 1994 BARRON'S
entitled "Privacy and Security: Computer Technology Opens
Secrets, And Closes Them."
Mr. Donlan wrote, in part:
RSA Data Security, the company founded by the
three inventors, has hundreds of satisfied
customers, including Microsoft, Apple, Novell,
Sun, AT&T and Lotus. Versions of RSA are
available for almost any personal computer or
workstation, many of them built into the
operating systems. Lotus Notes, the network
communications system, automatically encrypts
all its messages using RSA. Other companies
have similar products designed around the same
basic concept, and some versions are available
for free on computer bulletin boards.
Without security, the Internet is little more
than the world's biggest bulletin board. With
security, it could become the information
supermarket of the world. RSA lets people and
banks feel secure putting their credit-card
numbers on the public network. Although it
still seems that computers created an age of
snoopery, the age of privacy is at hand.
Aren't computers and e-mail already safe?
Your computer files (unless encrypted) can be read by
anyone with access to your machine. E-mail is notoriously
unsafe. Typical e-mail travels through many computers.
The persons who run these computers can read, copy, and
store your mail. Many competitors and voyeurs are highly
motivated to intercept e-mail. Sending your business,
legal, and personal mail through computers is even less
confidential than sending the same material on a
postcard. PGP is one secure "envelope" that keeps
busybodies, competitors, and criminals from victimizing
Posted 22 April 2005 - 12:25 PM
I have nothing to hide. Why do I need privacy?
Show me a human being who has no secrets from her family,
her neighbors, or her colleagues, and I'll show you
someone who is either an extraordinary exhibitionist or
an incredible dullard.
Show me a business that has no trade secrets or
confidential records, and I'll show you a business that
is not very successful.
On a lighter note, a college student wrote me the following:
"I had a part-time job at a dry cleaner. One day I
returned a diamond ring that I'd found in a man's coat
pocket to his wife. Unfortunately, it was NOT her ring!
It belonged to her husband's girlfriend. His wife was
furious and divorced her husband over this incident. My
boss told me: 'Return jewelry ONLY to the person whose
clothes you found it in, and NEVER return underwear that
you find in pockets!' Until that moment, I thought my
boss was a finicky woman. But she taught me the need for
Privacy, discretion, confidentiality, and prudence are
hallmarks of civilization.
I've heard police say that encryption should be outlawed because
criminals use it to avoid detection. Is this true?
The next time you hear someone say this, ask him if he
wants to outlaw the likes of Thomas Jefferson, the
"Father of American Cryptography."
Many governments, corporations, and law enforcement
agencies use encryption to hide their operations. Yes, a
few criminals also use encryption. Criminals are more
likely to use cars, gloves, and ski-masks to evade
PGP is "encryption for the masses." It gives average law
abiding citizens a few of the privacy rights which
governments and corporations insist that they need for
How does PGP work?
PGP is a type of "public key cryptography." When you
start using PGP, the program generates two "keys" that
belong uniquely to you. Think of these keys as computer
counterparts of the keys in your pocket. One PGP key is
SECRET and stays in your computer. The other key is
PUBLIC. You give this second key to your correspondents.
Here is a sample PUBLIC KEY:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Suppose the PUBLIC KEY listed above belongs to you and
that you e-mail it to me. I can store your PUBLIC KEY in
my PGP program and use your PUBLIC KEY to encrypt a
message that only you can read. One beauty of PGP is that
you can advertise your PUBLIC KEY the same way that you
can give out your telephone number. If I have your
telephone number, I can call your telephone; however, I
cannot answer your telephone. Similarly, if I have your
PUBLIC KEY, I can send you mail; however, I cannot read
This PUBLIC KEY concept might sound a bit mysterious at
first. However, it becomes very clear when you play with
PGP for a while.
How safe is PGP? Will it really protect my privacy?
Perhaps your government or your mother-in-law can "break"
PGP messages by using supercomputers and/or pure
brilliance. I have no way of knowing. Three facts are
certain. First, top-rate civilian cryptographers and
computer experts have tried unsuccessfully to break PGP.
Second, whoever proves that he or she can unravel PGP
will earn quick fame in crypto circles. He or she will be
applauded at banquets and attract grant money. Third,
PGP's programmers will broadcast this news at once.
Almost daily, someone posts a notice such as "PGP Broken
by Omaha Teenager." Take these claims with a grain of
salt. The crypto world attracts its share of paranoids,
provocateurs, and UFO aliens.
To date, nobody has publicly demonstrated the skill to
outsmart or outmuscle PGP.
Is PGP available for my machine?
Versions are available for DOS and Windows, as well as
various Unixes, Macintosh, Amiga, Atari ST, OS/2, and
CompuServe's WinCIM & CSNav. Many persons are working to
expand PGP's usability. Read the Usenet alt.security.pgp
news group for the latest developments.
Are these versions of PGP mutually compatible?
Yes. For example, a document encrypted with PGP on a PC
can be decrypted with someone using PGP on a Unix
As of September 1, 1994, Versions 2.6 and higher can read
previous versions. However, pre-2.6 versions can no
longer read the newer versions. I strongly recommend that
everyone upgrade to Versions 2.6.2 or 2.7.
Where do I get PGP?
For computer non-experts, the easiest way to get PGP is to
telephone ViaCrypt (a software company) in Phoenix, Arizona at
PGP is available from countless BBSs (Bulletin Board
Systems) and ftp ("File Transfer Protocol") sites around
the world. These sites, like video stores, come and go.
To find PGP, here are two options: 1) Learn how to use
ARCHIE to search for files on the Internet. 2) Read
BOARDWATCH magazine to find the BBSs in your area.
How expensive is PGP?
The PGP versions that you will find at BBSs and ftp sites
are "freeware." This means that they are free. People
from New Zealand to Mexico use these versions every day.
Depending on where you live, this "freeware" may or may
not violate local laws.
I use PGP Version 2.7 which is distributed by ViaCrypt in
the United States [see below].
Is PGP legal in the United States?
Yes. MIT's PGP Version is licensed for non-commercial use. You
can get it from ftp sites or BBSs. ViaCrypt's PGP Version is
licensed for commercial use. You can get it from ViaCrypt.
+++ Important Note +++. It is illegal to export PGP out of the
United States. Do not even think of doing so! To communicate
with friends in, say, England, have your friends get PGP from
sources outside the United States.
What is a PGP digital signature?
At the end of this document, you will see a PGP
signature. This "digital signature" allows persons who
have PGP and my PUBLIC KEY to verify that 1) I, Andre
Bacard, (not a SPORTS ILLUSTRATED superstar pretending to
be me!) wrote this document, and 2) Nobody has altered
this text since I signed it.
PGP signatures might be helpful for signing contracts,
transferring money, and verifying a person's identity.
How difficult is it to learn PGP?
PGP has around two dozen commands. It is a relatively
easy program to learn.
Where can I learn more about the PGP and related subjects?
The following News Groups are a good place to start:
[to hear about electronic privacy issues]
[to learn everything known about PGP]
[to keep abreast of legal & political changes]
Anything else I should know?
YOUR privacy and safety are in danger! The black market
price for your IRS records is $500. YOUR medical records
are even cheaper. Prolific bank, credit and medical
databases, the Clipper Chip Initiative, computer matching
programs, cordless & cellular phone scanners, Digital
Telephony legislation, and (hidden) video surveillance
are just a few factors that threaten every law abiding
citizen. Our anti-privacy society gives criminals and
snoops computer data about YOU on a silver platter.
If you want to protect your privacy, I urge you to join
organizations such as the Electronic Frontier Foundation
Posted 22 April 2005 - 12:25 PM
I've had pgp for years but never used it for email correspondence,
tend to use encrypted IM instead when I need to talk to a friend online
about paranoid shit.
Posted 22 April 2005 - 12:28 PM
I am sure there would be interest for a thread about that, I know I would.
What IM are you using?
Posted 22 April 2005 - 12:41 PM
Posted 22 April 2005 - 12:42 PM
Posted 22 April 2005 - 12:43 PM
You need to download the GAIM encryption plugin,
and the person you talk to must also be using GAIM with encryption plug-in.
But, set up like that, you can converse in 4096-bit encryption.
Here's some websites to get started:
Here is the Wikipedia entry on GAIM: http://en.wikipedia.org/wiki/Gaim
The official gaim homepage: http://gaim.sourceforge.net/
The encryption plug-in for gaim: http://gaim-encrypti...ourceforge.net/
Edit: Like ridder mentioned above, Trillian is another popular client for encrypted IMing; I, however, am not too familiar with Trillian.
Posted 22 April 2005 - 12:50 PM
the govt. wants it banned.
even the NSA can't crack it.
but i need someone to walk me
thru the process.
Posted 22 April 2005 - 12:58 PM
Off the record: http://www.cypherpunks.ca/otr/
It still needs work but it is actively being developed and the more interest the more it gets worked on!
Also: PGP = commercial, GPG = open source and freely available
http://wolfram.org/w.../howto/gpg.html <--info for Windows and a link for mac at the bottom.
Then for email clients, Thunderbird has an Enigmail plugin that I use that works with GPG/PGP.
Hope that helps
Posted 22 April 2005 - 03:01 PM
"pgp is so good
the govt. wants it banned.
even the NSA can't crack it.
but i need someone to walk me
thru the process. "
I remember about 10 years ago when the creator was arrested on munition charges. They held him for quite a while claiming this was a threat because they couldn't crack his security. If I remember correctly he did eventually plea a deal but my memory is not so good.
That walkthrough will be specific to the operating system and programs you use to read/send mail.
Posted 22 April 2005 - 03:01 PM
Posted 22 April 2005 - 03:06 PM
Is this anything like Kremlin? assuming anyone's even heard of it.
Is "pretty good" good enough.
Posted 22 April 2005 - 03:16 PM
PB, I believe yes, yes, and not sure if it's any better; it came from the Linux world so I am more confident ;)
"Is "pretty good" good enough."
Just a marketing name. It was so good the feds arrested him because they couldn't crack it.
Nerve, are you a Linux user?
Posted 22 April 2005 - 03:23 PM
They'd still need your passphrase. As long as the only place that that exists is in your head (don't write it down anywhere even once) you're still OK.
So if the law comes and takes your computer with your secret encryption key, they could probably read all your mail anyway, correct?
(and beware of key-logging software)
Posted 22 April 2005 - 08:15 PM
To use PGP, you must have PGP encryption software installed on your PC. You can pay for it or get it free. The free versions are straight-up PGP without all the whistles and bells. I think the top 3 free PGP software downloads now are PGP Corp, PGPi, and GPG (Gnu Privacy Guard).
Here are some links for PGP freeware-
WHERE TO GET PGP and GPG
Personally, I went with PGP Corp's 8.1 freeware version, available for Windows or Macs (http://www.pgp.com/d...e/freeware.html). They used to only offer a commercial version, but now they have it available as freeware, also:
"While PGP 8.1 Freeware can be easily downloaded and installed, it often causes confusion and frustration on the part of potential new PGP users for several reasons:
*the PGP 8.1 Freeware & PGP 8.1 Personal download packages
are the same (previously, there were separate download files
for PGP Personal and PGP Freeware);
*the PGP 8.1 Freeware/Personal setup routine allows users to install
PGPdisk and email plug-ins, even if they don't have a PGP 8.1 Personal
license (which is required to use those components);
*the PGP 8.1 Freeware/Personal setup routine presents a PGP License
Authorization box at the end of installation, leading users to believe
that they must pay for a license or go through an Online License
Authorization process in order to use PGP Freeware;
*PGP 8.1 Freeware does not include email plug-ins for popular email
clients such as Outlook, Outlook Express, and Eudora, leading some
users to believe that they can no longer use PGP to encrypt and sign
email, and that PGP 8.1 Freeware is thus "broken" and "useless."
The Reality of PGP 8.1 Freeware...
In fact, PGP 8.1 Freeware is truly "free for personal use" * (just as previous PGP Freeware versions were) and does not require users to pay or go through the Online License Authorization process in order to use the software. Moreover, although PGP 8.1 Freeware does not include email plug-ins, it can still be used to encrypt and sign email, and the process for doing so is trivially easy."
*perfect instructions for download and setup - https://netfiles.uiu...p8fw/pgp8fw.htm
Really, the trick is just to make sure to un-check/de-select all the boxes (bells and whistles) in the PGP Setup window that says Select Components and when it asks you to register - just click 'Later'. Then you have the FREE version. The link above has an illustration. You want to skip anything (even the instructions) that has to do with 'licensing registration'. Pretty simple, don't complicate it and you'll be alright.
If you go with another PGP software, you're on your own - can't help ya there.
Either way, however, you will need to:
1.) Create a private and public keypair. Before you can begin using PGP, you need to generate a keypair. If you go with PGP 8.1, you have the option of creating a new keypair during the PGP installation procedure, or you can do so at any time by opening the PGPkeys application. You need a keypair to:
-decrypt information that has been encrypted to your key
2.) Exchange public keys with others. After you have created a keypair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours. Your public key is just a block of text, so it’s quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when he or she needs it.
3.) Validate users' public keys. Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.
You can also start securing your data with PGP. Depending on the PGP components you installed, you can start securing your email and files and/or stored data. See the individual help systems or user's guides for detailed instructions.
I almost forgot to mention a very nice aspect of PGP Corp 8.1. There is a nifty little 'Wiping Wizard' feature that wipes your files and/or free space on drives, when desired.
"PGP Corp uses heavily researched techniques and patterns designed specifically for overwriting data on magnetic and optical media"
You can make as many passes as you'd like, but they say just 3 times will do a nice job!
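
Step 3 of the post above (validating a public key by its fingerprint) can be made concrete. The following is an added example, not part of the original post or of any PGP product: it computes a version 4 OpenPGP fingerprint as specified in RFC 4880 and compares a received copy against the value the owner states. The moduli, timestamp and helper names are constructed for illustration and are not real keys.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def grouped(fingerprint: str) -> str:
    """Format the way a fingerprint is read aloud: blocks of four hex digits."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprints_match(local: str, stated: str) -> bool:
    """Compare all 160 bits, ignoring spacing and letter case."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return hmac.compare_digest(norm(local), norm(stated))


# Constructed sample values: odd 1024-bit integers standing in for RSA moduli.
CREATED = 1114171200  # constructed timestamp
GENUINE = rsa_public_key_body((1 << 1023) | 0xC0FFEE01, 65537, CREATED)
SUBSTITUTED = rsa_public_key_body((1 << 1023) | 0xC0FFEE03, 65537, CREATED)


def check_received_copy(received_body: bytes, stated_by_owner: str) -> bool:
    """Step 3: recompute the fingerprint locally and compare it with the owner's."""
    return fingerprints_match(v4_fingerprint(received_body), stated_by_owner)


if __name__ == "__main__":
    stated = grouped(v4_fingerprint(GENUINE))  # what the owner reads to you
    print("owner states :", stated)
    print("key ID       :", key_id(v4_fingerprint(GENUINE)))
    print("genuine copy :", check_received_copy(GENUINE, stated))
    print("swapped copy :", check_received_copy(SUBSTITUTED, stated))
```

The fingerprint covers the key material itself, so a copy whose modulus differs by a single bit fails the comparison even though the name attached to it is unchanged.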