Pretty Good Privacy: Encrypted, Sealed, and Signed E-mail
A bumper sticker out there says, “My child reads your honor student's e-mail.” What a message! It seems true today that the majority of people using their computers do not realize in the least just how easy it is for someone else to read their e-mail. If the password can't be guessed, other means can be taken to read the message. Encryption is the strongest defense in keeping e-mail private. If you think it is an invasion of your privacy that the people in your office, at your house, and even your government can all read your e-mail, we want you to realize that there is something you can do about it. Pretty Good Privacy (PGP) software is free. It was created and has been actively developed since 1991. PGP Freeware is the best publicly available and free program for securing e-mail. Commercial and corporate versions of PGP are available from Network Associates at www.pgp.com. Network Associates recently put the PGP product line up for sale; it's uncertain who the next owner will be.
If you have a reason to keep your e-mail private or secure, you need software to encrypt it. Encryption is the process of taking a readable message and turning it into unreadable gibberish. If someone else gets the encrypted message, he will not be able to read it unless he decrypts it first. It seems easy enough to click a button to have your e-mail encrypted, but how is the e-mail supposed to be decrypted and read? Asking someone to just click a button to decrypt wouldn't be very secure. After all, the purpose of encryption is to make it difficult for some unintended recipient to read the message. Public key cryptography is the answer. It provides a system of secure communications and secure exchange of keys.
Public key cryptography is the model on which PGP operates. Whitfield Diffie and Martin Hellman introduced the concept of public key cryptography in 1975. We discuss the concepts of encryption and cryptography more in Chapter 12. The next few paragraphs will rely on some of those concepts.
Cryptography is the process of communicating in secret codes or writings. For secret codes to be useful between two people, one person must know the code to encrypt and the other must know the code to decrypt. With PGP and public key cryptography, a public key is used to encrypt a message, whereas a corresponding private key is used to decrypt it. To use PGP, Bob generates a private/public key pair. Bob keeps the private key, and the public key is distributed to Alice and anybody else who wants to send Bob a secure e-mail message.
The keys (both private and public) are really just very large numbers. To Bob, they appear as two separate files: secring.skr for the private key and pubring.pkr for the public key. The public key is used to encrypt a message, and no other key but its corresponding private key can be used to decrypt that message.
PGP works through what is known as a Web of Trust. Because Alice relies on the validity of Bob's public key to send him an encrypted message, she wants to be sure that the public key is up-to-date and authentic. Determining the authenticity and validity of a public key is important because it is possible for a man-in-the-middle to create a public key in Bob's name. Therefore, Alice uses a trusted source to find Bob's public key. One place to find Bob's public key is to query a public key server. These are machines on the Internet whose purpose is to serve as a repository or database of public keys. People can submit their public key to the server so that other people can find and use it. Although the public key servers are great ways to find public keys for people, they are not always considered to be trusted sources. Try visiting each of the following sites in your Web browser to see how they differ:
Notice that two of the servers use Lightweight Directory Access Protocol (LDAP) instead of HTTP (note the preceding ldap://). LDAP is a standard that provides for database access across the Internet. PGP Freeware comes with a search facility that searches these servers for any e-mail address or name you type in. To search for public keys of anyone you know, just select Server, Search from the PGPKeys window.
Alice might also find Bob's key by getting it from a friend who has it, or directly from Bob. A valid and authentic key will be signed by someone that Alice trusts and by Bob. By having a valid digital signature from someone that Alice knows and trusts, Bob's public key can be considered legitimate.
The PGP Web of Trust is distributed among the user community. It's up to the users to decide how trustworthy the public keys are. This is unlike many popular Public Key Infrastructure (PKI) systems, where public keys are maintained and secured by a Central Authority (CA). In a PKI system, users can rely on a trusted CA to store and manage many people's public keys. Although PGP has traditionally operated on a distributed Web of Trust, PKI systems are also being used for PGP public keys. As we will see later in this chapter, online Web-based e-mail services such as HushMail represent a trusted CA that manages multiple PGP keys.
The PGP Web of Trust is based on a social structure that assumes that chains of trust can be made through anyone—friends, family, employers, anyone. PGP is basically a distributed way of doing things, as opposed to a tree-like or hierarchical way of doing things that PKI provides. In both cases, a certificate is associated with each person's key. The certificate contains information such as the person's name, e-mail address, and public key. To be considered valid, the certificate is digitally signed with the public key of a trusted person. When the public key is passed along, the next person considers it valid when it is signed by someone whose public key is already trusted. This process continues on and on, so that public keys are exchanged between people who trust them as valid.
The traditional distributed nature of PGP is different from the hierarchical structure of PKI. The PKI systems were originally developed to provide the industry with a secure method of doing e-commerce and other electronic exchanges. In a PKI system, many people trust a few root systems that have central authority to manage and distribute keys. Certificates can be distributed to individuals, to Web sites, and even to other smaller authorities underneath the root authorities. Whereas PGP operates using private and public key pairs, traditional PKI systems use something similar, but termed Digital Certificate. Under the hood of these two systems, you will find different methods of key exchange and encryption.
As PGP has developed into the OpenPGP standard over the years, more PKI systems are actually being built to support the PGP infrastructure. In fact, many companies are investing in OpenPGP-based PKI solutions for secure communications across the enterprise. Because OpenPGP is based on open-source industry-standard protocols, it can be freely developed by different people whose products all interact with each other.
PGP Past, Present, and Future
PGP was first developed and released by Phil Zimmermann in 1991. Its impetus was the 1991 Senate Bill 266, an anti-crime bill stating that all encryption software must have a backdoor that allows the government to decrypt any message. This is the ultimate portrayal of the Orwellian Big Brother watching and listening to the public's every word. The believers felt that privacy was the glue that held society together. Without privacy, people are not themselves.
In the pgpguide.lst file of the original PGP version 1.0, Phil R. Zimmermann (PRZ) says:
“The 17 Apr 1991 New York Times reports on an unsettling U.S. Senate proposal that is part of a counterterrorism bill. If this nonbinding resolution became real law, it would force manufacturers of secure communications equipment to insert special 'trap doors' in their products, so that the Government can read anyone's encrypted messages. It reads: 'It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.'”
Ten years later, following the September 11 terrorist attacks, the same proposal was made in Congress. This time the motion was made for a globally supported ban on encryption products that do not include backdoors for government access. This motion was separate from the bill that gave the FBI more wiretapping rights.
PGP was spawned by PRZ as an effort to protect private e-mail communications in the increasingly watched electronic medium of wires and computers. When PRZ was first developed, it spread PGP 1.0 to a few friends. Some people uploaded it to bulletin board systems (BBSs), where it could be accessible to more people. The goal was to get PGP to the public and in use before the government's draconian cryptography laws would jeopardize personal communications altogether. Luckily for us, it worked. Shortly after its first release, PGP had leaked out of the U.S. and into the computers of people across the world. PGP was in global use.
With its popularity came some of the first threats from government organizations that accused PGP of breaking patent laws. Although noting that no valid laws were broken, PRZ eventually stopped development and distribution of PGP at version 2.6, to prevent getting sued by a company called Public Key Partners. Other people quickly got involved in the active development of PGP. More controversy arose from the U.S. Government actions, which seemed to take aim at stopping more spread of PGP, accusing PRZ of violating export and other laws. The PGP buzz spread with all of the controversies, and newbies around the world started installing PGP to see what it was all about.
From about 1993 to 1996, PRZ was the target of criminal investigation by the FBI for the accusations that PGP was illegally exported from the U.S., and it broke several patent laws. Contrary to these criminal charges, PGP spread to become the most widely used e-mail encryption software in the world. When the charges against PRZ were dropped in 1996, he founded his own company PGP, Inc., where he could continue development of this monumental privacy-protecting software. Shortly after, at the end of 1997, Network Associates (NAI), a large security software company, acquired PGP, Inc. and rights to the PGP software.
PGP software became the cornerstone of NAI's product line. Although part of the deal with PRZ was that NAI must continue offering a freeware version of PGP, NAI expanded the original software to create a commercial version of PGP. Over the years, NAI has grown the PGP suite of products to include a line of privacy and security-related products such as PGP Corporate Desktop, which comprises the PGP e-mail plug-ins; PGP encrypted disk; Firewall; Intrusion Detection System; and PGP VPN. The NAI product line has also been expanded to included PGP-enabled programs for security of wireless devices.
PRZ worked directly with NAI until February of 2001, at which point he decided to leave and pursue goals he felt were not been achieved at NAI. (His official letter to the public can be found at http://www.pgpi.org/files/PRZquitsNAI.txt.) Releases of PGP freeware up through version 6.5.8 had included the full, open source code, so that anybody could see that the software operated as expected, without backdoors which would allow government or others to gain secret access. After this release, NAI decided to only release portions of the source code for PGP Freeware, an action that drew troubled reaction among the user community. Never before had the PGP Freeware source code been kept hidden from public view.
By leaving NAI's PGP development team, PRZ has been able to focus on the future of PGP. With that said, the future of PGP is both active and bright. Notably, several movements are ongoing to keep an open source version of PGP and to develop new products using the nearly finalized OpenPGP standard as it is defined in the IETF RFC 2440. An RFC (Request for Comments) is a longstanding document that describes the technical and high-level details for a technology. The RFC is intended to serve as a reference document. If different vendors or software developers base their products off of the guidelines in the RFC, their products will operate and play nicely with each other. If different products play nicely with each other, the consumers will get more use out of them, being able to share and communicate with people from all around the Internet. These products range from entire corporate enterprise PGP solutions to end user programs similar to PGP Freeware. Although NAI holds the trademark and source code to PGP, PRZ is dedicated to furthering the use of PGP solutions among companies and the public. Some of the activities that PRZ is directly involved in include the following:
The OpenPGP Consortium (http://openpgp.org)— This working group is dedicated to defining the non-proprietary OpenPGP standard, educating the public, and promoting its public use by product developers and consumers.
HushMail (http://www.hush.com)— This Web-based e-mail service is operating on the OpenPGP standard. HushMail is available free for personal use. It also offers paid corporate services.
Veridis (http://www.veridis.com)— This company is dedicated to making e-mail security available to everyone on the Internet through its OpenPGP-compliant products.
June 2001 marked the 10-year anniversary of PGP software. Its use has continued to grow worldwide, respected and appreciated by many consumers, businesspeople, and even government employees. Over the years, PRZ has received numerous technical and humanitarian awards for his work on PGP. Check out http://www.philzimmermann.com/ for more details.
Legal Use of PGP
Currently, PGP is legal to use inside the U.S. as well as many other countries. Millions of people are legally using PGP inside the U.S. and around the world. Many U.S. laws surround cryptography, primarily related to the export of strong encryption. In general, PGP software should not be exported from the U.S. If you live in a country other than the U.S., check for laws related to restrictions on cryptography and the use of PGP inside your country. Notably, countries including France, Russia, Iran, Iraq, and China have more restricted laws relating to the personal and commercial use of cryptography within their countries. To get started finding out the laws related to your country or other countries, visit Bert-Jaap Koops's home page on “Crypto Law Survey” at http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm.
Installing PGP
This section walks you through getting PGP installed and working on a Windows computer. The version you choose depends on the country in which you live. Different distribution sites are available for different countries. In addition, commercial versions of PGP are available, but not as freeware. Although the commercial versions do have their advantages, such as professional technical support, we will be discussing the PGP freeware version here, specifically version 7.0.3. Table 8.1 lists some of the main distribution sites for PGP Freeware and commercial versions.
| Site URL | Description |
|---|---|
| http://www.pgp.com | This is the official Network Associates site for commercial versions of PGP inside of the U.S. As the main point of PGP freeware distribution, this site has the latest version before anyone else does. |
| http://web.mit.edu/network/pgp.html | This is the Massachusetts Institute of Technology (MIT) site for information and distribution of PGP Freeware versions inside of the U.S. The distributions here are typically a version or so behind the official NAI release. |
| http://www.pgpinternational.com | This is the Network Associates European site for commercial versions of PGP. |
| http://www.pgpi.org | This is the International PGP home page. This is the main site for PGP FAQs, documentation, source code, and freeware versions for distribution outside of the U.S. Many foreign language translations of the software and documentation are available. |
Note
 | Refer to the documentation and FAQs on these distribution sites for the latest installation instructions and answers to questions or problems you might be having with the installation and use of PGP freeware. |
Download the PGP Freeware version of your choice. The latest version is PGP Freeware 7.0.3 available from http://www.pgp.com/products/freeware/default.asp. The MIT distribution site has version 6.5.8. After downloading the PGP freeware version of your choice, follow the steps in the next sections to get PGP installed and running on your Windows computer.
Before beginning the setup of PGP, you need to decide which e-mail address you will use with it. Although you can have PGP keys for multiple e-mail addresses, the following tutorial will only use one. Decide on an e-mail address, and decide on a good passphrase to use with PGP. Your passphrase is just like a password, but it is used to sign and decrypt e-mail messages. The passphrase can be as strong or as weak as you want. If you want a strong passphrase, plan on using a sentence that you will not forget.
PGP Setup: Step 1
The first step involves file installation:
1. |
Unzip the PGP distribution to a folder on your computer. (C:TMP is a good place.) |
2. |
The setup files are extracted to a subfolder that is probably named PGPfw703. Launch the executable file that has been extracted, probably named PGPFreeware 7.0.3.exe. |
3. |
The PGP setup begins. If you have any other programs open, such as Windows Explorer, you are asked to close them before continuing with the install. After you agree to the end-user license agreement, you have a chance to view the Readme file. This file contains the most current information and installation instructions for the version of PGP freeware that you downloaded. Please read it. |
4. |
Setup asks you if you already have keyrings or if you are a new user, as shown in Figure 8.7. These instructions assume that you are a new user, so select the option No, I'm a New User. Figure 8.7. Setting up new PGP keys.
|
5. |
Setup then asks you the location to install the files. Unless you are running low on disk space or have a preference in mind, you should just stick with the default installation location. |
6. |
Setup then asks which components you want to install, as shown in Figure 8.8. Select at a minimum PGP Key Management, PGP Documentation, and the PGP Plug-in for the e-mail client you use. Figure 8.8. PGP installer components.
|
7. |
Setup continues and installs the files onto your computer. |
PGP Setup: Step 2
With the file installation process over, it is time to set up your PGP private and public keys. Remember that your private key is the one you want to keep to yourself. Nobody else should ever get it. Your public key is the one you want to give to everybody else. Using your public key, people can send you encrypted e-mail:
The PGP Key Generation Wizard appears. Click Next after you read the dialogue.
You are asked to enter your name and an e-mail address for the private/public key pair. The name and e-mail address you enter here are viewable by everybody, and are used to identify the private and public keys. Be sure to enter them exactly as you want them to appear. See Figure 8.9 for an example of how your name and e-mail address appear to other users. These are my keys for when I set up [email protected] and specified my name as Chris Weber.
Figure 8.9. Your name and e-mail address appear to others exactly as you have entered them.
Referring to Figure 8.9, you can see my name highlighted in bold letters. Directly under my name in bold is my name again with an icon of an envelope beside it, indicating my public key. Directly below that is my digital signature, indicated by the icon of a pencil and my name and e-mail address yet again. In the next column over, titled Validity, you see two circles, one with the icon of a person on it. The green indicates that this key is valid because it is signed by someone I trust (myself), and the icon represents that this is a private/public key pair, as opposed to just a public key. The size of this key is 2048 for the Diffie-Hellman portion (the key used to encrypt), and 1024 for the DSS portion (the key used for signing). The Key ID represents a unique identifying number for this key. Key IDs are useful for distinguishing between keys that have the same username and e-mail address. Yes, I can have multiple public keys for the same e-mail address.
After you have entered your name and e-mail address for this key pair, click Next to be prompted to enter a passphrase.
Enter your passphrase to be used for your private/public key pair. You will use this passphrase each time you decrypt messages sent to you, and sign messages you send to others.
Your passphrase and a randomly generated number are used to create your private/public key pair, as shown in Figure 8.10. Depending on the speed of your computer, this can take anywhere from one minute to several minutes to complete.
Figure 8.10. Passphrase is used with a randomly generated number to create your key pair.
That's it! You are asked to reboot your computer for the installation phase to complete.
PGP freeware is now installed on your computer and ready for use. The following section describes some of the basics of using PGP freeware to send secure e-mail.