The use of strong encryption to exchange private messages is now commonplace. One of the most popular working tools to enable private exchange of messages is PGP (Pretty Good Privacy). The following may be helpful to people wanting or needing to exchange private email messages. (PGP implementations also enable computer files to be encrypted/decrypted.
 

How PGP Works

Learning to use PGP encryption is easier than learning to use a word processor. There are two encryption keys: public and private (secret). If you use the email plugins under Windows encrypting and "signing" a message may be done simply by clicking an Icon and choosing a public or private key respectively. A typical scenario follows:

1. You give your public key to correspondents. You can email it to them for example. or post your public key on a remote keyserver, then anyone who visits that keyserver can be your secure correspondent; that's the purpose of a keyserver. Two remote keyservers are made available during the installation of PGP.

The Windows PGP install process automatically offers to put your public key on a keyserver. Also this install process will allow you to easily install PGPemail plugin(s) for: Eudora, Netscape, and/or Exchange/Outlook Express.
 
2. A correspondent writes a message with their email client and then uses your public key to encrypt that message before sending it to you. Or you use their public key to encrypt a message to them.

 
3. You then use your private (secret) key maintained on your local computer system to decrypt a message sent to you. Email plugins do this automatically, prompting you for your private key pass-phrase. Since t he message was encrypted with your public key, only your private key, and no one else’s keys, can decrypt this message. So only you can decrypt such messages.

 
4. A sender’s private key may also be used to "sign" messages. You then use the sender’s public key to decrypt the signature. No one else’s public or private key can decrypt this signature. Thus the signature is unique and if it decrypts using the sender’s public key, this is proof that electronic signature is the sender’s and no one else’s. Also as stated in the PGP manual, "a signed message verifies that the information within it has not been tampered with in any way." Such secure electronic signing assumes of course, that private keys are in fact known only to their owners; that is, it is assumed that keylogger spyware has not invaded the system using PGP.
   

How Safe is PGP

Private keys and companion private key pass-phrase are assumed to be known only by their owner. The number theory behind PGP creates keys that are in effect a product of very large prime numbers. To date there is no known algorithm for factoring such a product in a practical amount of time. That is, assuming longer keys (4096 bits), cryptographers, mathematicians and computer experts have tried unsuccessfully for years to break PGP.  As HPC parallel computing  grows in sophistication and speed,  especially shorter keys could be in danger of being compromised in the future.

There is an integrity exposure when using PGP. That is, it is crucial to back up in a secure place your private and public keys - in such a way that only you have access to them. Since these "key rings" are created in a unique fashion, even you cannot recreate them. Thus your encrypted messages or files would be useless if you lost these keys. Or privacy would be compromised if anyone but you had access to them. For more information on this, please see: Integrity of PGP Encrypted Files:

http://ftp.aset.psu.edu/pub/ger/documents/DataIntegrity.htm (click on the link: Encrypted )
 

Where to Get PGP

We recommend two versions of PGP here; 1) Free version PGP 6.58 and 2) commercial version ($39):  http://www.pgpi.org/products/pgp/versions/freeware/win32

PGP Versions 6.58 and 7.03 do support email plug-ins. PGP Version 7.03 requires that two hot fixes be installed also. Both of these are available for free download at:  http://www.pgpi.org/products/pgp/versions/freeware/win32

Commercial Version 8.0:  http://www.pgpi.org/products/pgp/versions/freeware/win32/
(Note that email plug-ins are installed but not functional with PGP 8.0 unless it is licensed ($39). PGP Commercial Versions are also available via: http://www.pgpi.org/products/pgp/versions/commercial/  )

Email Plug-ins for platforms other than Windows:  http://www.pgpi.org/products/tools/search/
(Note: set the "Category" for search to "Email Plugin …" ). The Eudora  (Windows) plugin works for Eudora 6.1.x  as well.

PGP for Linux (free command line only) is available at:  http://www.pgpi.org/products/gnupg/
This free command line version is also available for Macintosh OS X and Windows DOS Prompt.

PGP Personal, Commercial Version 8 for the Macintosh OS X is available at:  http://www.pgpi.org/products/pgp/versions/freeware/mac/8.0/

PGP Lists of Keyservers:      http://www.keyserver.net/en/
                                                  http://www.wowarea.com/english/help/keyserv.htm
 

References

An AIS/ASET Security Page (See the PGP section):  http://ftp.aset.psu.edu/pub/ger/documents/security.html

A few good short PGP tutorials that BRIEFLY tell HOW it works are:  PGP FAQ:  http://www.cam.ac.uk.pgp.net/pgpnet/pgp-faq/
                        CREN PGP Tutorial:  http://www.cren.net/crenca/onepagers/pgp2.html

Latest News about PGP:  http://www.pgpi.org/news
 

Acknowledgment

Thanks to Pete Weiss (retired), Penn State Administrative Information Services, for reviewing this document and for useful suggestions for improving it.