PGP and Internet Security and Privacy

The very nature of the internet means that email is both insecure (easily forged by the unscrupulous) and public (easily read by anyone). We have all learned from the spammers and virus authors how easy it is to forge or fake an email. As to privacy, the rule I normally follow is to assume that all your emails will end up indexed and available on Google. There is an alternative that will keep your email both secure and private, a program called PGP, which stands for Pretty Good Privacy. I sign all my e-mail with a PGP signature. Here is an excellent discussion of email security, encryption and digital signatures.

PGP is a secure public key encryption system that was created by Phil Zimmermann in 1991. It is the same software system that the US Computer Emergency Readiness Team (US-CERT) uses to sign their email alerts. Wikipedia has a nice article on how it works and its history. The primary US commercial source for the software is the PGP Corporation, which follows Zimmermann's original open source model for the source code. They sell commercial versions of PGP. They used to offer a freeware version for individual use but it is now only a 30 day trial. I used to use their PGP Personal Desktop. For individual users, the OpenPGP standard offers the best option. A GNU version that follows the OpenPGP standard is available as the GNU Privacy Guard (GnuPG). GNU software is all open source and is aimed primarily at the Unix/Linux world. In this case there are Windows implementations available. The PGP community has formed The OpenPGP Alliance to support international (RFC 2440) PGP standards. I am using the Enigmail plugin for Thunderbird, a Mozilla email client. It is a front-end to GnuPG. A Windows version of GnuPG is available from GPG4Win. It supports Outlook.

PGP can be used in two distinct ways: signatures and encryption. I normally use PGP to sign my email using my private key. If the recipient has PGP software and my public key, they can verify that I was the sender and that the content is exactly what I sent, including the time-date stamp. The signature cannot be forged. PGP can also be used to encrypt emails. This requires the recipient to have created and published their own public key. The sender encrypts the email using the recipient's public key. When the email is received, the recipient uses their own private key to decrypt the message. Of course, once they have decrypted it they can save it and send it to the world. But that’s similar to the risk of having a letter you send Xeroxed by its recipient and distributed. At the moment PGP encryption cannot be broken, even by the NSA (which is why there was a ten-year battle by the Feds to prevent the software from being exported). There is consensus within the international cryptographic community on the security of PGP: it is very good.

My public key is available here or from a PGP Public Key Server such as the one at Massachusetts Institute of Technology. The properties of my key are:

  Key ID:   0x3AE58BA6
  Key Type: DH/DSS
  Created:  Jan 7, 2010
  Expires:  Jan 5, 2020
  Key Size: 2048/2048
  Cypher:   RSA
  Key fingerprint: 90BA 7D0D ACC2 2822 3018 4F45 E334 A5C9 3AE5 8BA6
  UserID:   David Flory <David.Flory@theflorys.org>

You should verify that the key properties match these after you have downloaded the key. In particular, you should always verify the key's fingerprint.
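The fingerprint check described above can be scripted. The following is an added example, not part of the original page: it parses `gpg --with-colons` output (for instance from `gpg --show-keys --with-colons` run on the downloaded key file) and compares the primary key's fingerprint with the one published here. The function names and both sample listings are constructed for illustration.

```python
import re

# Values published on this page.
PUBLISHED_FPR = "90BA 7D0D ACC2 2822 3018 4F45 E334 A5C9 3AE5 8BA6"
PUBLISHED_KEYID = "0x3AE58BA6"

def normalize(hex_id):
    """Drop spaces, colons and a leading 0x; return upper-case hex."""
    s = re.sub(r"[\s:]", "", hex_id).upper()
    s = s[2:] if s.startswith("0X") else s
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not a hex identifier: %r" % hex_id)
    return s

def primary_fingerprints(listing):
    """Fingerprints of primary keys only: the fpr record after each pub record."""
    found, last = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            found.append(normalize(fields[9]))  # field 10 holds the fingerprint
            last = None
    return found

def key_matches(listing, published=PUBLISHED_FPR):
    """True only if the listing holds exactly one primary key with that fingerprint."""
    want = normalize(published)
    if len(want) != 40:
        raise ValueError("expected a 160-bit (40 hex digit) fingerprint")
    fprs = primary_fingerprints(listing)
    return len(fprs) == 1 and fprs[0] == want

# Constructed sample listings (not real gpg output).
GOOD = (
    "pub:-:2048:17:E334A5C93AE58BA6:1262822400:1578182400::-:::scESC:\n"
    "fpr:::::::::90BA7D0DACC2282230184F45E334A5C93AE58BA6:\n"
    "sub:-:2048:16:0123456789ABCDEF:1262822400:1578182400:::::e:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
)
# A different (constructed) key whose last 8 hex digits equal the published Key ID.
LOOKALIKE_FPR = "A" * 32 + normalize(PUBLISHED_KEYID)
LOOKALIKE = "pub:-:2048:17:%s:1262822400:::-:::scESC:\nfpr:::::::::%s:\n" % (
    LOOKALIKE_FPR[-16:], LOOKALIKE_FPR)

if __name__ == "__main__":
    print("good key:", key_matches(GOOD))
    print("lookalike:", key_matches(LOOKALIKE))
```

The lookalike case shows why the fingerprint matters more than the Key ID: the 8-digit Key ID is only the tail of the fingerprint, so a different key can carry the same Key ID and still fail the full comparison.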

©2008-2014 David Flory.   Last modified on Jul 23, 2016, 1:26 am.