If you have been following the latest in the news, you’ve probably heard a lot of stories talking about privacy, information leakage, espionage and such. Given that most of our communications nowadays take place online, or at the very least, via an electronic device, we should all be aware of how to protect our valuable information. This is not only applicable to large organisations, but to everyone using a computer on a regular basis. We all have information we want to keep private and protected and we all need to communicate online. With PGP, you can add a very strong yet easy-to-use layer of security to your online communications.
Pretty Good Privacy (PGP), created by Phil Zimmermann, is a computer program that can be used to protect your privacy, add security to your communications and ensure authenticity in electronic messages. You can encrypt any personal or private information (whether it’s an email, a file or your entire hard disk drive) making it very difficult for third parties to eavesdrop or intercept the original contents of your sources. It can also offer something called “digital signing”, which allows you to send messages that can be verified by the recipient, providing the peace of mind of knowing the message wasn’t modified in transit and that it came from you and only you. Imagine a world where everyone signs their messages (it’s easy if you try) – it would make phishing attempts a lot harder to perform and the many hoaxes and forged emails we receive every day would simply disappear because it wouldn’t be cost effective for cyber criminals to invest that much effort into them.
More than 20 years have passed since the creation of PGP and substantial progress has been made since those days. In the beginning, Zimmermann was investigated by the US government for “munitions export without a license” since encryption products stronger than 40bits (PGP was a 128bit product) were considered a munition. Even though the case was closed without criminal charges being filed against him, it shows how powerful a tool encryption can be and why some key stakeholders have such a large interest in keeping it under strict supervision.
Eventually, the full-featured version of PGP with strong encryption became available to the general audience worldwide. The Free Software Foundation developed its own OpenPGP-compliant program called GNU Privacy Guard (abbreviated GnuPG or GPG), which is freely available and provides a library used for encryption, decryption and signing functions. It can be used along many graphical user interfaces (GUI) available for a wide range of operating systems ensuring that PGP is available to everyone and is easy to use.
Given that the source code for PGP is available for download, you can review it, look for bugs, check for backdoors or just learn from it. Even if you are not personally able to do these checks, you can trust there’s a security conscious community that is not related to any government or particular company that does this continually in order to make sure that PGP is free from third-party intervention. This is increasingly important after recent revelations about three-letter agencies trying to circumvent encryption in modern communications’ protocols.
By this moment you probably want to at least try PGP/GPG and see what it can do for you. In asymmetric cryptography we need two separate keys, one of which is private (used for decryption or digital signing) and one that is public (used to encrypt plaintext or verify a digital signature). It’s not necessary to understand everything right away, just remember that you’ll understand it better as you get more experience with your everyday usage. However, we’ll review some basic concepts of public key cryptography so you can feel more comfortable when starting to use all the tools available for your OS of choice.
When we talk about a key we are referring to a block or string of alphanumeric text. This key can be exported to a file or uploaded to a key server so you can share it with the rest of the world (your public key that is). This particular key is generated by PGP using a wide range of encryption algorithms. You need to remember that both of your keys (private and public) are mathematically linked by this algorithm and this is what makes it possible for you to share the public portion of it without compromising the security of the system.
There’s no excuse for not trying PGP since tools are available for every major operating system. As mentioned previously, we have GNU PGP available, but there are also specific tools that work best for the OS they were built for. For Mac OS X, we have GPG Suite, which includes a plugin for Apple Mail, a keychain to manage all your keys, GPG services to encrypt/decrypt/sign/verify text, files and more, and MacGPG which is the command line version equivalent of GnuPG. If you are using Windows, a similar tool is available named GPG4Win, which includes a port of GnuPG, a keychain, plugins for major mail clients and everything you need to get started.
It’s very important to remember that the security of your key depends not only on the passphrase you use when creating it, but also on the confidentiality of the private key itself. Should someone have access to your key file and passphrase (for example if your computer was compromised with a keylogger) the whole security scheme would be severely affected. Never distribute your private key and choose a passphrase that only you can remember, but is not easily guessable.
When you create a new key pair with PGP, you will have to choose a key length and a passphrase which will protect your private key. The longer the length of your key the more time consuming the key generation process will be, but since this is going to be done only once I recommend that you choose a key length of no less than 4,096 bits. For maximal security long-term, 8192 bits would be great if you are patient enough for the process to finish – we have a separate walk-through on PGP/GPG key generation.
Why is choosing the optimal key length and passphrase so important? Well, let’s suppose someone has access to your keychain and gets a copy of your private key file. If that person doesn’t know your passphrase one possible way to crack the key would be to attack the cryptographic system directly, which given the recommended key length used (4096 or 8192 bits), would be too time consuming and improbable to solve given the current state of computing technology. The other option is to use a dictionary or brute force attack and find a match for the passphrase you have chosen to protect your key. This last option is the most common one and is a more direct way to gain access to your encrypted data. By making your private key long enough, you can discourage this type of attack.
When you have your very own pair of PGP keys, you can start using it like this: distribute your public key to everyone, include it in your mail signature, give it to your friends who write to you the most. They have to use similar install of PGP/GPG to encrypt their messages using your public key. Any third party would not be able to decrypt this message, because it’s impossible to do this using a public key. Only you, having your private key ready, are able to decrypt this message. If you want to send your reply in encrypted form, you have to use your friends’ public key. Digital signatures work exactly the opposite way: when you send your message, you “sign” it with your private key. Any person can use your public key to verify the letter and make sure it was signed by you and came unmodified. It may sound a little bit complicated, but properly configured e-mails could include the signing/encryptions components in just two mouse clicks:
In conclusion, we have seen the difficult beginnings of PGP, a brief historical view on the reason why it was invented, basic security concepts and some noteworthy recommendations. I hope this serves as the motivation you need to try PGP and use it for encrypting/signing your files and information. Privacy is something each one of us needs to take care of when being a part of this always-connected world: with the tools available it’s easy and you’ll thank yourself sooner rather than later for having taken that first step in this direction.
Governments and intelligence agencies have based their programs on privacy, and even outlaws have done so too. What about the common everyday user? Previously, only those with money could afford military-grade encryption, but that was until PGP appeared on the scene. The common user didn’t have a way to keep his communications and information private, nor was this something that other parties wanted to happen. There was a need for this hole to be filled and fortunately, after 20 years, PGP has shown that it is more than capable of protecting that inherent right for freedom and privacy.