How secure is your e-mail? Consider this: With every e-mail you send,
you may be leaving a copy on your computer, with your ISP (Internet
service provider), on the recipient’s computer, and with her ISP.
If either of you is on a network, a copy might rest on the network
servers, as well. Every computer that the message passes through as
it bounces around the world to its destination may have a copy of the
message, and it doesn’t stop there. All it takes is a simple piece of
software to monitor and intercept e-mails (either generally or based
on specific keywords), and government initiatives such as Carnivore
have been intermittently filtering massive amounts of messages much
as a whale filters plankton.
No, your e-mail is not secure, but PGP
(Pretty Good Privacy), an encryption program from Network Associates,
is working overtime to try to correct this. With PGP, you can encrypt
e-mail, files, and other communication methods such as ICQ. Anyone
who intercepts an encrypted message sees only an unreadable block of
ciphertext unless they hold the key needed to decrypt it. You can
also use PGP to create digital signatures, which let a recipient verify
that a message or file really came from you and was not altered on
the way. By using both encryption and digital signatures, you get
confidentiality, authenticity, and integrity for the messages and files
you exchange.
[Screenshot: The PGPtools menu gives you quick access to a variety of tasks, including encrypt, sign, and wipe.]
PGP is highly effective, easy to use, and packed with features, and
it has even more than that going for it. It is the de facto standard
for e-mail encryption, providing a solution that users have ported
to a number of different platforms, including Macintosh, DOS, OS/2,
and Unix. Official and third-party plug-ins expand its use, letting
you easily use it with leading e-mail clients such as Outlook, Outlook
Express, and Eudora. It is also free for noncommercial use (as PGP
Freeware), although you can get a more comprehensive version, PGP
Personal Security, that offers additional features such as a built-in
firewall, hard drive encryption, and tech support. A number of different
PGP solutions, free and otherwise, are available from the Network
Associates Web site at http://www.pgp.com/
. We’ll show you how to install and use the PGP Freeware version 7.0.3
for Windows so you can start protecting your privacy.
Installation. After you download
PGP from the Network Associates site, you’ll need to install it on
your computer. Start by closing all applications on your computer
(especially e-mail applications). Unzip the PGP installer and save
it to your hard drive. (PGP is zipped, or compressed, to make it smaller.
If you don’t have a zip program, you can download WinZip at
http://www.winzip.com/
). Double-click the PGP EXE (executable) file to begin the installation
process.
[Screenshot: Using PGPkeys, you can search key servers for public keys and import them to your keyring.]
The installation of PGP is similar to the installation of other applications:
PGP’s Installation Wizard will walk you through the process; you just
have to follow along. When you have installed the software, you will
come to the Key Generation Wizard, which will help you create a key
pair. The key pair is the essence of PGP; it consists of a public
key and a private key. You hand out the public key: anyone who has it
can encrypt mail that only you can read and can check the signatures
you make. The private key stays on your computer, protected by your
passphrase; it decrypts what others send you and creates your signatures.
(To send encrypted mail to someone else you need that person's public
key, which is what the key servers described below are for.)
The Key Generation Wizard asks you to assign a name and e-mail address
to this key pair, followed by a passphrase (password) that’s at least
eight characters long. (See the “How Secure is Secure?” sidebar for
more information on creating effective passphrases.) The Key Generation
Wizard will then create your keys and assign them to the appropriate
files on your hard drive. We’ll talk about this more in a minute.
Reboot your system; when it finishes loading, PGP should be set to
go.
Manage Keys. As we mentioned,
the concept of the key is central to PGP. These keys are basically
really large numbers that you generate when you first load PGP. (You
can create new keys any time so you can have multiple keys for a variety
of uses.) The bigger the key, the harder the public key is to break
by factoring or similar mathematical attacks; PGP allows public key
sizes up to 4,096 bits, far beyond anything attackable that way. In
practice the weak points are elsewhere: the passphrase protecting the
private key and the computer it lives on (see the sidebar).
When you make keys, PGP stores them in one of two files, known as
keyrings, on your hard drive (usually in the PGP folder): Secring.skr
for private rings, and Pubring.pkr for public rings. You should back
up these files regularly; lose Secring.skr and you can no longer read
mail encrypted to you. The private keys in Secring.skr are themselves
encrypted under your passphrase, but treat backups of it as sensitive
all the same. You can set up PGP to back the keyrings up automatically
upon closing by clicking the PGP icon in the System Tray, choosing
Options from the pop-up menu, clicking the Advanced tab, and checking
the Automatic Keyring Backup When PGPkeys Closes checkbox.
Key servers. In addition to putting your own public key on the public
keyring, you'll also want to add the public keys of the people you
intend to send encrypted mail to, and of anyone whose signatures you
want to verify. You can search for public keys in databases called key
servers, and you can place your own public key there so others can find
it. (This is a good reason to use your real name and e-mail address when
first creating a key pair on installation; others will be able to find
your public key easily.) Bear in mind that anyone can upload a key under
any name, so a key pulled from a server proves nothing by itself; confirm
its fingerprint with the owner before trusting it (see the sidebar).
To search for the public keys of other users from key servers, click
Start, Programs, PGP, PGPkeys. Choose Search from the Server menu
and select a server to search. Specify search criteria and click the
Search button. You can easily import keys to your local keyring by
right-clicking the key and selecting the Import choice.
[Screenshot: In the PGP Options dialog box, you can set PGP to automatically encrypt and sign outgoing e-mail messages.]
To add your own public key to a key server, select PGPkeys from the
System Tray icon and highlight the public key to submit in the window.
Then choose Send To from the Server menu and select a key server.
You can also include your public key on your Web site, e-mail it to
people, or just put it in a signature file so that it will be present
in any e-mail you send out.
PGP Components. A
number of different components and tasks make up PGP, and as you might
expect, there are a number of different ways to access them. The first
thing to do is check the application with which you want to use PGP.
Many applications, such as e-mail programs, have built-in support or
plug-ins for PGP that put menus or icons right in the program itself.
This makes it easy to access PGP tasks such as encrypt, sign, decrypt,
or verify.
Alternately, you can access many of the PGP utilities (such as PGPkeys,
PGPtools, PGPtray, PGPnet, and documentation) by clicking Start, Programs,
PGP and then making your choice from the submenu. Additionally, a
PGP icon in the System Tray gives you easy access to many of these
utilities and more (such as PGP Options). If a PGP icon doesn’t appear
in the System Tray, click Start, Programs, PGP, PGPtray.
Now that you know where to find them, here are some of the primary
components that make up PGP.
PGPtools. PGPtools gives you access to a number
of different tasks you can accomplish in PGP, including encrypt, sign,
decrypt/verify, and wipe. It also gives you quick access to PGPkeys.
Opening PGPtools puts a floating menu on your Desktop. To use one
of the tasks on the bar, just drag a file over it or click the icon
and select a file to work with. It’s handy to have PGPtools open if
you’re working with an e-mail program that does not provide support for
PGP.
The last two icons on this floating menu are Wipe and Freespace Wipe.
Wipe lets you overwrite files, and Freespace Wipe lets you overwrite
sections of your hard drive so that any lingering data is completely
destroyed. This matters because deleting a file normally removes only
the directory entry; the data itself stays on the disk until something
happens to overwrite it and can be recovered with undelete tools. These
two utilities overwrite the data so it cannot be recovered that way
(they do not reach copies held in the swap file, in backups, or on the
recipient's machine). You can also set Wipe up so that it automatically
wipes files when you delete them.
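What Wipe does underneath, as an added Python example that is not PGP's own code: overwrite the file contents in place with random bytes, force each pass to disk, rename the file to a meaningless name, then delete it. The file created by wipe_demo is a constructed sample; Freespace Wipe, which fills the unallocated part of a drive, is not shown, and the caveats in the comments apply.

```python
import os
import secrets
import tempfile


def wipe_file(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite a file with random bytes `passes` times, sync each pass to
    disk, rename it to a meaningless name and unlink it. Returns the file size.

    Caveat: this defeats undelete tools on a disk that rewrites sectors in
    place. Copies in the swap file, in backups, in a journaling file system's
    log, or on flash media that remap blocks are not touched, and nothing
    here affects the copy on the recipient's machine.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass onto the disk before the next one
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)    # the telling file name no longer points at the data
    os.remove(anonymous)
    return size


def wipe_demo(size: int = 70_000) -> tuple[int, bool]:
    """Create a throwaway file of `size` bytes in a temp dir (constructed
    sample), wipe it, and report (bytes overwritten per pass, file still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "draft-to-lawyer.txt")
        with open(path, "wb") as fh:
            fh.write(b"CONFIDENTIAL " * (size // 13) + b"x" * (size % 13))
        written = wipe_file(path)
        return written, os.path.exists(path)


if __name__ == "__main__":
    print(wipe_demo())
```

The 64 KB chunking keeps memory flat for large files; the fsync after each pass is what makes the passes distinct rather than three writes coalesced in the cache.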
Current Window. This feature lets you perform
cryptographic tasks such as encrypt or decrypt automatically in the
window you’re currently working in. When you choose an option from the
Current Window submenu, PGP copies text in the active window to the
clipboard and performs the task you selected.
PGPnet. This module makes it possible to securely
communicate with other PGPnet users. Users can create a Virtual Private
Network to share data or just communicate through a secure
tunnel.
PGPkeys. You can use this feature to create,
view, and work with your own keys and the public keys of others. With
PGPkeys, you can search for public keys, work with groups (to share
encrypted mail with more than one user at a time), and more.
PGPdisk. Available only in the retail version
of PGP, PGPdisk lets you set up a file that can be “mounted” on your
hard drive, letting you create a secure “drive” on your computer.
Use PGP For E-mail.
One of PGP’s primary functions is to let you send and receive secure
and digitally signed e-mail. PGP makes this task easy by coming bundled
with a number of plug-ins that let it work automatically from within
programs such as Outlook and Eudora. PGP can package encrypted mail in
two ways: as PGP/MIME, a standard MIME structure that a PGP-aware mail
program recognizes and decrypts in place, or as inline ASCII-armored
text in the message body. To use PGP/MIME with a recipient whose e-mail
program supports it, click the PGP icon in the System Tray and choose
Options. Click the E-mail tab and click the Use PGP/MIME When Sending
E-mail checkbox. If your recipient's e-mail program does not support
PGP/MIME, leave this box unchecked; the inline form arrives as ordinary
text that the recipient can still decrypt with PGPtools or Current Window.
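To make concrete what the recipient actually receives in each case, here is an added Python example that is not from the article or from Network Associates: it builds and parses the ASCII armor PGP uses for inline mail (including the RFC 4880 CRC-24 trailer), wraps an armored block in the RFC 3156 multipart/encrypted structure that the Use PGP/MIME option produces, and tells the two apart in received mail. The payload bytes are constructed stand-ins, not real ciphertext, and the addresses and file name are made up.

```python
import base64
import email
import re
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# OpenPGP Radix-64 CRC-24 (RFC 4880, section 6.1). It only catches damage
# in transit; it is not a MAC and does nothing against deliberate tampering,
# which is what the signature inside the message is for.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "MESSAGE", line_len: int = 64) -> str:
    """Wrap binary OpenPGP data the way PGP does for inline e-mail.
    Real PGP also emits a 'Version:' armor header before the blank line;
    it is omitted here because it carries no data."""
    text = base64.b64encode(payload).decode("ascii")
    lines = [text[i:i + line_len] for i in range(0, len(text), line_len)]
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "", *lines,
                      f"={crc}", f"-----END PGP {block_type}-----", ""])


ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n"   # armor header line
    r"(?:[A-Za-z-]+: [^\n]*\r?\n)*\r?\n"     # optional 'Key: value' headers, then blank line
    r"((?:[A-Za-z0-9+/]+=*\r?\n)+)"          # Radix-64 body lines
    r"=([A-Za-z0-9+/]{4})\r?\n"              # '=' followed by Radix-64 of the CRC-24
    r"-----END PGP \1-----"
)


def dearmor(text: str) -> tuple[str, bytes]:
    """Return (block type, binary payload); raise if absent or CRC mismatch."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no ASCII-armored PGP block found")
    block_type, body, crc_b64 = m.groups()
    payload = base64.b64decode("".join(body.split()))
    if crc24(payload) != int.from_bytes(base64.b64decode(crc_b64), "big"):
        raise ValueError("armor CRC-24 mismatch: block damaged in transit")
    return block_type, payload


def is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def pgp_mime_message(armored: str, sender: str, recipient: str, subject: str) -> MIMEMultipart:
    """Wrap an armored block in the RFC 3156 multipart/encrypted structure,
    which is what the 'Use PGP/MIME' option produces. A client without
    PGP/MIME support shows the two parts as attachments, not as mail text."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    control = MIMEBase("application", "pgp-encrypted")  # part 1: version marker
    control.set_payload("Version: 1\n")
    body = MIMEBase("application", "octet-stream", name="encrypted.asc")
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    body.set_payload(armored)                           # part 2: the ciphertext
    msg.attach(control)
    msg.attach(body)
    return msg


def classify_mail(raw: str) -> str:
    """'pgp-mime', 'inline' (armor in a single-part body) or 'plain'."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    if not msg.is_multipart() and ARMOR_RE.search(msg.get_payload()):
        return "inline"
    return "plain"
```

Note that the CRC check in dearmor tells you the block survived the mail system intact, nothing more; only the signature inside the decrypted message tells you who wrote it.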
[Screenshot: In e-mail programs such as Outlook, you can access PGP either through the PGP menu or the icons on the button bar.]
Now you’re ready to send safe, encrypted messages. When you’re finished
typing an e-mail message you want to encrypt, click the envelope and
padlock icon to encrypt the message (click the paper and pencil icon
to sign the message) or choose the correct option from the PGPtools
menu. You can also choose to have PGP automatically encrypt and sign
new messages by checking the appropriate checkboxes in the E-mail
tab of the PGP Options dialog box.
PGP will automatically select the appropriate public keys from the
keyring when you send the message. If PGP doesn’t recognize the recipient,
the PGP Recipient Selection dialog box will appear. You can automatically
open this dialog box by pressing the SHIFT key while clicking the
Send button. Drag the correct public key into the recipient list box
(or search a key server for the recipient) and click OK to send. If
you are signing the message, PGP prompts for your passphrase at this
point; encrypting alone needs only the recipient's public key.
When you receive an encrypted message, you can decrypt and verify
it in several ways. One way is to select the Decrypt/Verify icon from
the PGPtools toolbar. Another way is to click the appropriate icon
from your e-mail program button bar. You can also make your selection
from the PGP icon in the System Tray. You can save messages either
in their encrypted or decrypted state. Of course, it’s safer to save
them as encrypted files.
Use PGP For Files. In addition
to e-mail, you can use PGP to secure files on your hard drive either
for storage or to send as enclosures or distribute on disks. As with
e-mail programs not supported by PGP, you can use PGP tasks such as
encrypt and sign by choosing them from the PGPtools toolbar (or by
dragging the files to one of the PGPtools menu icons) or the PGP System
Tray icon.
Legal Issues. PGP
is a great way to encrypt and digitally sign documents and files,
and you can’t beat the price. Depending on the country you live in,
though, it may be illegal or subject to restrictions. To find out about
the legal status of cryptography in countries around the world, check
out the Crypto Law Survey at
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
.
by Rich Gray
How Secure Is Secure?
PGP is pretty darn secure, at least in terms of brute force
attacks. According to the FAQ kept by comp.security.pgp, a billion
computer chips each capable of a billion key attempts a second would
need about 10,000,000,000,000 years to check all 2^128 possibilities
for a 128-bit key. That doesn't mean, however, that PGP is
infallible. Most of the vulnerabilities that can befall PGP
come through less direct routes. Here are a few to watch for.
Sloppy passphrase management. One of the biggest causes of security
problems in PGP is human error in terms of choosing and handling
passphrases. Many users write down their passphrase and then
accidentally let it fall into the wrong hands, or they choose a
passphrase that is too easy for someone to guess. This is a problem
because once someone has your passphrase, she can access your
messages and create signatures.
To select a secure passphrase, make sure it is not a single
word, a common phrase, or a phrase or word closely associated
with you or your family. Length and unpredictability are what count:
several unrelated words mixed with digits and punctuation resist
guessing far better than one word with a number tacked on. Also, make
sure that the passphrase you choose is easy enough for you to remember
so you don't have to write it down. You should also make sure that
others haven't tampered with public keys and that they aren't phony.
Anyone can publish a key bearing your name, and mail encrypted to such
a forged key is readable by the forger; this is the so-called
man-in-the-middle attack. You can thwart it by checking a key's
fingerprint (PGPkeys displays it) with the owner over an independent
channel such as the telephone or in person, and by trusting only keys
signed by people you have already verified.
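The sidebar's brute-force figure and its passphrase advice are two sides of one comparison, so here is an added Python example (not from the article or the FAQ) that carries both through: years to exhaust a search space at the FAQ's rate of a billion chips each trying a billion keys a second, an upper-bound entropy estimate for a passphrase by the character classes it uses, and a check of which target the attacker goes after. The alphabet and word-list sizes are assumptions, labelled in the code.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The comp.security.pgp FAQ's attacker: a billion chips, a billion keys a second each.
FAQ_GUESSES_PER_SECOND = 1e9 * 1e9


def years_to_exhaust(bits: float, guesses_per_second: float = FAQ_GUESSES_PER_SECOND) -> float:
    """Years needed to try every one of 2**bits candidates at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_words_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words picked uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def character_class_bits(passphrase: str) -> float:
    """Upper-bound estimate: treat the passphrase as a random string over the
    union of character classes it uses. A real word such as 'password' is
    guessed from a dictionary long before 26**8 attempts, so this only ever
    overestimates; class sizes (26/26/10/33) are the assumed ASCII counts."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33
    return len(passphrase) * math.log2(size) if size else 0.0


def weakest_link(passphrase_bits: float, key_bits: int = 128) -> str:
    """Name the cheaper brute-force target: the passphrase or the session key."""
    return "passphrase" if passphrase_bits < key_bits else "key"


def compare_targets(rate: float = FAQ_GUESSES_PER_SECOND) -> dict[str, float]:
    """Years to exhaust each search space at `rate` guesses per second.
    Assumed alphabets: 26 lowercase, 62 letters and digits, 95 printable
    ASCII; assumed word list of 7776 words."""
    return {
        "128-bit session key": years_to_exhaust(128, rate),
        "8 lowercase letters": years_to_exhaust(random_string_bits(26, 8), rate),
        "8 letters and digits": years_to_exhaust(random_string_bits(62, 8), rate),
        "12 printable ASCII": years_to_exhaust(random_string_bits(95, 12), rate),
        "5 random words": years_to_exhaust(random_words_bits(5, 7776), rate),
        "10 random words": years_to_exhaust(random_words_bits(10, 7776), rate),
    }


if __name__ == "__main__":
    for target, years in compare_targets().items():
        print(f"{target:22s} {years:12.3g} years")
```

Against the same attacker that needs ten trillion years for the 128-bit key, every eight-character passphrase falls in well under a second, which is why the passphrase, not the key size, decides how secure the private key really is.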
Beware Trojan horses. Malicious programs can lift your keys,
passphrases, and deciphered messages from your system. Keep your virus
detection software up to date, and make sure that you only download
copies of PGP from trusted sources, such as Network Associates.
PGP's source code is published for review, but that does not stop
anyone from building a modified copy and passing it off as the real
thing, so check whatever checksum or signature the vendor publishes
for the download.
Keep your computer and information safe. If your computer is
part of a network, you are especially at risk for hacking attempts.
Try to keep PGP and sensitive information on a single-user system
if possible. Save files in encrypted format on your computer
and use PGP’s Wipe utilities to truly delete files and make
sure that sensitive data is completely erased. Also, consider
looking into software that will periodically overwrite your
swap file. (Your computer’s virtual memory uses the swap file,
and it may contain sensitive information.)