In two-key systems, one of your keys is public and the other is private. Senders encrypt messages to you with your public key, but only you can decrypt them with your private key. You encrypt messages to others with their public keys, but only they can decrypt those messages with their private keys. Whitfield Diffie and Martin Hellman invented the two-key system in 1975. (Having claimed naming rights, their method is called Diffie-Hellman.) You may have heard of two other popular two-key systems invented since then: RSA and DSA.
In PGP's modified two-key system, the program first compresses the unencrypted message, called plaintext, using a Zip algorithm. This step removes many of the clues that cryptanalysts use to recover a secret key from redundancies in the plaintext. PGP then creates a one-time session key derived from random patterns picked up from mouse movements and keyboard strokes. This session key is used to encrypt the compressed plaintext into ciphertext with one of five encryption algorithms, selected as a program option.
The message recipient's public key is used to encrypt the session key. Both the ciphertext and the encrypted session key are sent to the recipient, whose private key is used to recover the session key, which then decrypts the message.
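The hybrid flow just described (compress, generate a one-time session key, bulk-encrypt, wrap the session key with the recipient's public key, unwrap with the private key), as an added illustration that is not PGP's own code. The bulk cipher (an HMAC-SHA256 keystream), the RSA keypair built from two fixed Mersenne primes, the sample message and the function names keystream_xor, pgp_style_encrypt and pgp_style_decrypt are all constructed for this example.

```python
import hashlib
import hmac
import os
import zlib

# Constructed recipient keypair: textbook RSA over two Mersenne primes so the
# wrap step is concrete. Real PGP keys use randomly generated large primes and
# padded encryption; fixed primes like these are for illustration only.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q                                  # ~234-bit modulus, larger than a 128-bit key
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in bulk cipher: XOR with an HMAC-SHA256 counter keystream.
    PGP itself uses a real block cipher here (e.g. CAST5, IDEA, 3DES, AES, Twofish)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_style_encrypt(plaintext: bytes, recipient_pub=(N, E)) -> dict:
    n, e = recipient_pub
    compressed = zlib.compress(plaintext)            # 1. Zip: strip redundancy first
    session_key = os.urandom(16)                     # 2. one-time random session key
    ciphertext = keystream_xor(session_key, compressed)  # 3. bulk-encrypt the compressed text
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # 4. wrap key with public key
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key}

def pgp_style_decrypt(message: dict, recipient_priv=(N, D)) -> bytes:
    n, d = recipient_priv
    session_key = pow(message["wrapped_key"], d, n).to_bytes(16, "big")  # private key unwraps
    compressed = keystream_xor(session_key, message["ciphertext"])      # same key decrypts
    return zlib.decompress(compressed)                                  # undo the Zip step

# Constructed sample message; the repetition is exactly what the Zip step removes.
SAMPLE = b"Quarterly figures attached. Do not forward. " * 8

def roundtrip(plaintext: bytes) -> bool:
    """True when decrypt(encrypt(m)) == m under the constructed keypair."""
    return pgp_style_decrypt(pgp_style_encrypt(plaintext)) == plaintext

def compression_ratio(plaintext: bytes) -> float:
    """Compressed size / original size: how much redundancy the Zip step removes."""
    return len(zlib.compress(plaintext)) / len(plaintext)
```

Note that without the session-key wrap the recipient could not recover the key at all; without the Zip step the ciphertext would carry the plaintext's repetitive structure into the cipher input.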
Downloading and installing
The latest PGP versions are 8.0.2 for enterprise, desktop, and personal, 2.0.2 for Palm OS, and 1.6.2 for Windows CE. For our examples in this article, we'll be using the desktop edition. During the install process, be sure to look over the Read Me file before continuing—it has important information about included features and bugs.
If you're a new user, answer No when the installer asks if you already have PGP keyrings. PGP preselects components needed on your machine. The Select Components dialog box (Figure A) lets you choose any additional components you want to install.
Figure A: During installation, you can add or remove PGP components.
Check the summary of installation information, and use the Back button to make changes. Otherwise, click Next to begin installation. Reboot your computer after program files have been copied.
PGP installs three suites of applications: PGPmail, PGPdisk, and PGPkeys (for key creation and maintenance). Click the PGP Tray icon to access these apps, or launch them through Start | Programs | PGP. (If you want, you can disable the Tray icon via Options.)
Configuring PGP
After rebooting, open PGPkeys and insert your licence information, name, and organisation, exactly as provided by PGP Corp., and then click Authorize. PGP will connect with its Web site and verify your licence. If, for some reason, you're not prompted to add your licence, click the PGP Tray icon and select License. After verification, an information box will display how many seats your licence is valid for and the licence's expiration date.
Creating and backing up a keypair
Next, you'll want to create public and private keys, called a keypair, and publish your public key to the world. The keys are generated so that the private key can't be derived from the public key. Launch PGPkeys through the Start menu or by clicking the PGP Tray icon and selecting PGPkeys. If you've never used PGP before, the Keys list will be empty.
From the menu, select Keys | New Key. A wizard will walk you through the process. As you type, a useful Passphrase Quality bar, shown in Figure B, will indicate your passphrase's quality. In PGP, passphrases are case-sensitive. Although the program lets you create a passphrase with as few as eight characters, this approach is not secure. Passphrases should use multiple words with a mixture of uppercase and lowercase letters, numbers, and special characters. The passphrase should be unique and easy to remember without your having to write it down. It shouldn't be a well-known phrase, such as an entry from Bartlett's Familiar Quotations, that a dictionary attack would find.
Figure B: Create a passphrase that's easy to remember but lengthy and complex enough to give a high level of security.
A passphrase about 30 characters long should suffice. When you complete the wizard, PGP generates a keypair. Each half of the pair consists of a primary key (used for signing) and a subkey (used for encryption). When the program finishes this operation, click Next and then Finish. Your key will appear in the list, as shown in Figure C.
Figure C: Your new key appears in PGPkeys.
Before moving on to other PGP features, back up your key to a different drive or media. If your private key were ever lost, all messages and data encrypted with that key would be irrecoverable. Though you'll be prompted to back up when you first exit PGPkeys, don't wait. Right-click on your key and choose Export. Choose a destination, make sure to check Include Private Keys, and click Save.
Publishing your public key
Your public key will be used for all secure messages sent to you. Therefore, the practical next step is to publish it on an Internet keyserver, where interested parties can look it up. Click your key to highlight it, and choose Server | Send To | ldap://keyserver.pgp.com (and ldap://europe.keys.pgp.com, if you want). The program notifies you when the key has been successfully uploaded.
Using PGPmail
Start PGPmail through the Tray icon or the Start menu. A free-floating menu bar will appear with seven buttons (Figure D):
- PGPkeys
- Encrypt
- Sign
- Encrypt And Sign
- Decrypt/Verify
- Wipe
- Freespace Wipe
Figure D: The PGPmail menu bar suite of apps.
PGP's desktop version also attaches to your e-mail program. For example, Outlook's menu bar adds a PGP item from which you can encrypt/decrypt messages, launch PGPkeys, and set options. Two icons appear in the Standard toolbar to let you quickly encrypt/decrypt and launch PGPkeys.
Before you can send someone an encrypted e-mail message, you'll need to obtain that person's public key. Open PGPkeys and choose Server | Search. By default, the search is called User Id Contains. Type a name or portion of a name in the text box, and the server will return a list of keys, as shown in Figure E.
Figure E: A search for the last name "Wallen" brings up these public key hits.
If you don't find the key you're looking for, use the drop-down lists to try other search criteria, such as Creation Date or Expiration Date. Or if you get too many hits, click the More Choices button to refine the search criteria. Add the key to your desktop's keyring (where the keys you use will be stored) by right-clicking and choosing Import To Local Keyring.
Encrypting e-mail
When you compose an e-mail, you'll note that PGP icons are now part of the message screen menu in compatible applications such as Outlook, Outlook Express, Lotus Notes, and Eudora. When you're finished composing, encrypt the message or set PGP to Encrypt On Send by clicking the Encrypt On Send button or selecting PGP | Encrypt On Send from the menu bar.
To encrypt before sending, press [Ctrl][Shift]E. If nothing happens, you may need to enable that hot-key sequence in PGP | Options first. From the Key Selection Dialog, drag a key from the Recipients List to the Recipients window, as shown in Figure F.
Figure F: Drag keys stored on your keyring to the Recipients window for all people receiving the encrypted message.
The message is encrypted and appears in a format similar to that in Figure G.
Figure G: The encrypted message appears as a block of nonsense text between a PGP header and footer.
To guarantee a message's authenticity, you may want to digitally sign the message. You can do this for any message—you don't have to encrypt it first. Press [Ctrl][Shift]S, and a digital signature will be appended below the message. To decrypt an e-mail, open the message and click the Decrypt button. You'll be asked for your passphrase. Enter it and click OK. The procedure is the same to verify a signature.
Microsoft Outlook can edit received messages. After decrypting, Outlook will ask if you want to save your changes. To keep the message copy encrypted, select No. Otherwise, click Yes.
Encrypting/decrypting files
Through PGPmail, you can also secure your files and decode them for reading. To do so, launch PGPmail and click the Encrypt or Encrypt And Sign button. Select a file from the browser window and click Open. You can also right-click on any filename from Windows Explorer and choose Encrypt from the PGP context menu.