Info about PGP messaging

An important warning

My keys and signatures must match what you find on my website and receive from my messages.  Do not ignore warnings about mismatches and invalid keys or signatures.  This probably means that some other person is interfering, and privacy or identity is not assured.

Getting my PGP key

You can get my PGP key from this website, for use with personal mail to me.  But not, currently, from public keyservers (I've found submitting keys to them to be a trigger for receiving spam).

My key covers several different e-mail addresses that I use, including some that I use for specific purposes, and some that I will eventually abandon.  Be advised that:

What it is, what it's for, and why you'd use it

“Pretty Good Privacy” (PGP) is a scheme used to encrypt or sign messages.  There are other schemes for the same thing, but this one is freely available for various different types of computer systems.  It works by using secret and public key pairs:  You pass out your public key and keep your secret key, and so does anyone else that you communicate with (they pass out their public keys, and keep their private keys).  All the keys, in combination, are used to encrypt messages (your own private keys, and each other's public keys), and all of them are required to decrypt them (you send a message encrypted with your private key and their public key, and they decrypt it with your public key and their private key).  This way, no outsider can decrypt the material (because they don't have anybody's private keys).

Obviously encryption is to keep private material private, so that only the authorised people can view the information.  We really should encrypt all private data as a matter of course (just like we seal most of our traditional mail inside envelopes so it can't easily be snooped on), but it's often a major nuisance to do.  While most of us don't consider that our e-mail contains anything particularly valuable enough to necessitate encryption, consider the ramifications of sending an unencrypted e-mail to a friend saying that you'll meet them at a certain time at a certain restaurant, but the e-mail was intercepted or accidentally sent to the wrong address:  You've just informed someone that your house is empty at a certain time, and free to be burgled.  But if the message had been encrypted, they wouldn't have had any idea what the message said.

Signing is a way to indicate that you are the person the message claims to be, or at least the same person that signed another message with the same signature—as it's possible to sign messages without ever having been checked out to see if you are who you say you are.  Proper identity “authentication” is possible, either through having various people that you trust counter-signing each other's signature keys, or using a certificate issued from some body which has validated their identity using some other method.  Properly signing messages means that you should be able to truly believe that a message (or other file) really does come from the person you think that it does.  It's child's play for someone to claim to be someone else in a message, but if the message is digitally signed with a signature that you can verify, you can tell apart genuine messages from fraudulent ones.

NB:  I'm only using PGP so private messages can stay private while in transit.  Don't bother me with dodgy messages because you think nobody else can tell what you're doing.  If anything, sending something dodgy using PGP will provide concrete proof that you were the one that did it (it contains your unique key, proving its origins; and the recipient can decode what you sent them to show it to anyone that they want to).

How the keys are made

When you generate a key, a random number is used to seed a computation.  The random number means that each key should be unique.  And the computation is one that cannot be reverse engineered from the resultant output (it's a logarithm equation), so someone shouldn't be able to crack your keys (nobody's found a way to work out the numbers that were put into such an equation from its answer).

Two keys are created; your private and public keys.  You keep the private one private, and distribute the public key.  They're used in combination, and one's no good without the other.  They're also used in combination with the keys belonging to other people that you exchange files or messages with.

So that nobody could simply use your private key if they managed to get their hands on it (e.g. someone steals your computer or files from it), you have a “pass phrase” associated with your secret key.  You're required to know it to make use of your secret key.

Once a key is generated, there's a number of things it includes:

Long pass phrases are used, instead of just a single pass word, so that they can't be very easily cracked by simple dictionary attacks (trying word after word from a dictionary until the right one is found).  They're also harder for someone to memorise if they watch you typing them in, and can be much easier for you to remember if you pick a good one.

Don't pick a famous saying, like a line from a movie.  Make a nonsensical phrase that no other person could ever guess at but is sufficiently strange that you're going to remember it for its novelty value (e.g. “green pyjamas mixed with pineapples taken internally upsets the eagles”).  Or use a descriptive phrase about something that you'll remember, that nobody else could guess or accidentally generate by putting likely words together; like an opinion you've formed of something, but never told anybody (e.g. “my boss looks like a gorilla with acne and a beer gut”).

Finding the right key

There's an old problem I've come across with PGP:  Never being able to find someone's key—they just say to get their key (in some program's documentation) without saying where from, nor the key id, their website or e-mail address.  So here you go, mine's on my website, there's information about using it and PGP, and you can read my biography to help determine if you've got the right person.

But for other people, you're stuck with the following sorts of options:

How to use it

Firstly you need to get your hands on some PGP software (some mail client programs have the feature already built in, which makes it easy for you; otherwise search the internet to find some PGP software that you're comfortable with).

Then you distribute your public key (you can publish it on the net, hand it out to friends, etc.).  And you really should also validate your keys in some manner (e.g. have your friends sign each other's), so you can be sure that you're trusting keys sensibly, rather than just believing a key is genuine without any real evidence to substantiate it.

You can obtain other people's keys in various ways (from public key servers, from their webpages, in person, have them e-mail it to you, etc.).  Once you've got their key you can import it into your PGP program in a variety of ways, depending on its abilities (“import” the key file into it, copy and paste the information in the keyfile, etc.).

Remember that it's their public “key” that you want to import, not their “signature”.  Each signature is generated specifically for the particular message or file it came with.  Their public key is the thing you check their signatures against, and use to decrypt their messages.

Be wary about adding/importing keys from e-mail.  It's easy for someone to fake a message using someone else's address, and include a faked signature for that address.  You really need some way of verifying them before you do that (e.g. telephone them, get them to confirm their public key's “id” and read out the “fingerprint” for their key—though this presumes that you know them and can recognise their voice).  Personally exchanging disks with keyfiles on is probably the best method.  If you can't do that, then other methods which are a bit harder to fake than e-mail can be used, like getting their keyfile from their website (which presumes that nobody else will be able to put a faked signature file on their website), or trusting a key that has been countersigned by people that you do trust (e.g. you've previously personally exchanged keys with person X, and person X has personally checked out person Y and signed their keys, so you'll trust a key from Y because X has signed it).
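The fingerprint check described above, as an added example (not code from this page or from any PGP program):  It derives the fingerprint of a version 4 key from the key data itself, the way RFC 4880 defines it, and compares it with the fingerprint you were given over the phone.  It assumes binary (de-armoured) key data, and the sample key is constructed toy material, not a real key.

```python
import hashlib
import struct

def public_key_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6) of a binary key."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                  # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for keys")
    else:                                           # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        width = 1 << ltype                          # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    body = data[off:off + length]
    if tag != 6 or len(body) != length:
        raise ValueError("no complete public-key packet at start of data")
    return body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-octet length, and the packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_spoken(computed: str, spoken: str) -> bool:
    """Compare with a fingerprint read out by phone; short key ids never match."""
    cleaned = "".join(spoken.split()).upper()
    return len(cleaned) == 40 and cleaned == computed

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed toy key material (version 4, RSA, tiny modulus): not a real key.
SAMPLE_BODY = bytes([4]) + struct.pack(">I", 1_000_000_000) + bytes([1]) + mpi(0xD5A3) + mpi(65537)
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
```

Because the fingerprint is a hash of the key material, changing a single bit of a keyfile changes it, which is why comparing the whole fingerprint (rather than the short key id) is what makes the telephone check meaningful.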

Never give out your private key or passphrase!  They are for you, alone.  It's the public keys that people distribute.

Once you're set up, you use a mail program that can encrypt, sign, & check messages for you, if you want a simple life (get it to do the work for you).  If you can't find one that does that, you'll have to run a separate PGP program, and figure out how to use it with your other programs, yourself.  But once you're set up, you sign and/or encrypt the messages you send, and check the messages you receive.  You should be suspicious about anything that's unsigned (although realising that some people just won't bother to do so), and completely distrust anything with invalid signatures (trust your security software when it warns you about such things; don't ignore it).

With the ever-increasing amount of falsely addressed spam, always signing messages would be one step towards automatically managing spam:  You could be sure that unsigned mail allegedly coming from a friend's address didn't really come from them, likewise for messages with forged signatures, and your software could automatically delete it.  There are some secure mail services which will refuse unsigned mail for you, taking the burden of sorting out the signed from unsigned messages off you.  Using one of them would force all your friends to sign their mail if they wanted to be able to contact you (the system would take care of lazy friends for you).  And since most spammers don't sign mail, and can't validly sign mail with your friend's signature, unsigned spam could be automatically deleted without accidentally deleting non-spam messages (as some anti-spam systems unfortunately do).
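A sketch of that sorting policy, as an added example (not code from this page, a mail service, or GnuPG):  It reads the machine-readable status lines that `gpg --status-fd 1 --verify` emits and accepts a message only when a valid signature comes from the key whose fingerprint you verified beforehand.  The fingerprints, user ID and status lines are constructed samples.

```python
PINNED = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"   # constructed placeholder fingerprint
OTHER = "0F1E2D3C4B5A69788796A5B4C3D2E1F000112233"    # constructed, some other key
VERDICTS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def triage(status_text: str, pinned_fpr: str) -> str:
    """Sort one message into unsigned / unverified / reject / accept."""
    seen = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen[parts[1]] = parts[2:]          # keyword -> its arguments
    if not seen.keys() & VERDICTS:
        return "unsigned"
    if "BADSIG" in seen:
        return "reject: signature does not match the message"
    for bad in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
        if bad in seen:
            return "reject: expired or revoked (" + bad + ")"
    if "ERRSIG" in seen or "VALIDSIG" not in seen:
        return "unverified: signature could not be checked"
    args = seen["VALIDSIG"]
    # The 10th VALIDSIG field is the primary key's fingerprint; the 1st is the
    # fingerprint of the (sub)key that actually made the signature.
    primary = args[9] if len(args) >= 10 else args[0]
    if primary.upper() != pinned_fpr.upper():
        return "reject: valid signature, but not from the pinned key"
    return "accept"

def good_status(fpr: str) -> str:
    """Constructed status output for a valid signature made by key `fpr`."""
    return ("[GNUPG:] GOODSIG " + fpr[-16:] + " Constructed User <user@example.org>\n"
            "[GNUPG:] VALIDSIG " + fpr + " 2024-01-01 1704067200 0 4 0 1 8 00 " + fpr + "\n")

# Constructed samples, one per case the policy has to tell apart.
SAMPLES = {
    "friend": good_status(PINNED),
    "impostor": good_status(OTHER),
    "tampered": "[GNUPG:] BADSIG " + PINNED[-16:] + " Constructed User <user@example.org>\n",
    "no_key": "[GNUPG:] ERRSIG " + PINNED[-16:] + " 1 8 00 1704067200 9\n"
              "[GNUPG:] NO_PUBKEY " + PINNED[-16:] + "\n",
    "plain": "[GNUPG:] NODATA 1\n",
}
```

The “impostor” sample is the case a plain good/bad check misses:  The signature is cryptographically valid, but it was made with a key other than the one you verified.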

What I've tried out

Stand-alone PGP software listed at The International PGP website, which includes software that can integrate with other programs on your system (like Microsoft's “Outlook Express” mail client and “Windows Explorer”), such as:

The GnuPG program is a command line tool (so you need to be comfortable with that sort of thing), although there are some add-on tools to give you a GUI for them.  Windows has command line and GUI tools, so you can pick what you want in one package.

Whatever you pick, be aware that only the open source programs are able to be checked by the public for flaws.  With the closed source software you're relying on its own programmers to do the right thing, with no independent verification of their work.

And I've tested out software that integrates with one or the other of them:

Although these mail programs make it easy enough to sign, encrypt, decrypt, and check the signatures of messages, none of them gave me a way to send someone my public key, nor a way to add a received one to the keyring; you have to manually export and import them (though it's ages since I tried it on Outlook Express, so I can't recall very clearly how it all worked on it).  And there are compatibility issues between the types of keys generated on some systems (which cyphers are used).  I was, however, able to configure GnuPG on Linux to automatically fetch new keys to work with messages from new people with Evolution, but couldn't get GnuPG to do the same trick on Windows.

I've tried some other mail client programs, like Mozilla and Thunderbird, but they don't directly support PGP.  You'd have to use your PGP software, by itself, to manage encrypted or signed mail (e.g. cut and paste text, import and export files, etc.).  Or, find something to interface them together, like Enigmail (which allows you to use GnuPG with Mozilla and Thunderbird, though I haven't tried it).

There are other encryption/secure mail schemes, such as “S/MIME” that use certificates issued by organisations who verify your identity (by comparison, PGP uses self-generated keys, and you authenticate them by trusting some people).  I haven't tried these other schemes, some cost money, some are proprietary (potentially very incompatible with other systems, though apparently supported by all the mail client programs I've mentioned), and require organising some things I can't be bothered with, or mightn't be able to do.

Don't ask me to help you set up your PGP or e-mail software, or recommend what to use.  They all work in different and annoying ways, I'm not familiar with all of them, people have different needs, and I've already said just about everything I want to on the subject on this page.  Some of the ones that I've used have been quite convoluted to get going, and some will not be compatible with others (the way they generate the keyfiles has changed over time, and older ones mayn't work with newer ones).  I'll see if encrypted or signed messages work, but I won't offer time and advice about configuring software.  All of this should be explained in your software's guides; this page is just an introduction to what it's all about before you start downloading software to try it out.

