McAfee PGP Personal Privacy 7.0 for PC, Mac


About the Author

soothsayer
Epinions.com ID: soothsayer
Reviews written: 134
Trusted by: 166 members
About Me: visit Amazon.com

Secure Email, Digital Signatures, Encryption, and You -- PGP Freeware

Written: Nov 12 '01 (Updated Nov 13 '01)
Pros: One of the best encryption standards in the world, FREE.
Cons: Might need to learn something about PGP before you know how to work with it.
The Bottom Line: Privacy is a Constitutional right.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ever send a first-class letter through the post office and expect the clerks there to read it?
Usually not, because one, you trust the postal system; two, the envelope protects the letter against prying eyes; and three, it usually is against the law. Not so with email; it is fair game. E-mail is like an open envelope inviting inspection by anyone either with sufficient reason (in cases of company property), or unscrupulous enough (like a teenage mom, or a jealous spouse) to do so. The only way to secure email from prying eyes is to encrypt it.

Privacy is important, not just between friends and family, but between the citizen and the government. It is a key component of our fundamental rights as US citizens. Encryption helps ensure that right, and the role encryption plays today will only increase tomorrow as the need to safeguard our data and identities (from theft and other threats) continues to grow.

Developed by Phil Zimmermann, PGP (for Pretty Good Privacy) is the easiest and best way of encrypting messages and digitally signing documents. It was developed with privacy and convenience in mind. Leading security advocates, computer programmers, and businesses stand by PGP as their encryption standard. And best of all, PGP is FREE (for non-commercial use).

PGP is based on the concept of public key cryptography. Public key cryptography uses key pairs: a public key to encrypt information, and a private key to decrypt it. Messages can be encrypted with the public key, but only the private key can be used to decrypt them. To assure trust, public keys can be signed and verified by trustworthy persons associated with the key issuer. If a key is compromised, it can be revoked and a new key issued. The convenience of the system is the ability to widely distribute your public keys to anyone.

PGP is perhaps the strongest and best encryption standard for commercial use because it is difficult to break, even by the US government. The US government usually frowns upon strong encryption, and relies on the ole "national security/terrorism" argument that terrorists can use encryption tools like it to pass information, so they advocate requiring backdoors (key escrows) installed into any encryption standard so "their jobs will be easier" in conducting wiretap investigations. Privacy advocates warn that backdoors and weak encryption are subject to abuse by the government. Fortunately, there is no backdoor into PGP, and encryption standards proposed by the government (those that do include backdoors such as the Clipper chip) have failed politically. [Footnote 1]

Footnote 1: The government also has a cryptographic algorithm called DES, and recommends it for public commercial use, but it does not recommend DES for its own classified information, partly because standard DES uses a small 56-bit key that can be broken quite easily, speedily, and routinely.


However, PGP can still be vulnerable to brute-force hacking. Brute-force hacking is exactly what it sounds like: you try to guess the encryption key by trying many combinations, hoping to stumble onto the right one. With patience, you can break the password, but this takes time and much effort. The encryption behind PGP is difficult to crack, but there are those rare cases that demonstrate it can be done.

The one government agency that does have the computing power to possibly decode PGP might be the super secret NSA (whenever you mention the NSA, you must also mention super secret, it's the law!). The NSA is the largest employer of cryptologists and mathematicians in the world. It uses Cray supercomputers [Footnote 2] to help in its mission to decode electronic intercepts around the world, and theoretically, these can be used to break PGP when the need arises. Whether or not the NSA can break PGP on a regular basis, and the size of the keys broken, are not known.

Footnote 2: check out the November 2001 Top500 list for the top 500 supercomputers in the world. http://www.top500.org/list/2001/11/


Anyway, on to Reviewing the Software

PGP Freeware and the commercial version are both made by Network Associates. The freeware version is identical to the commercial version except that it does not come with a few optional utilities like the ability to encrypt your entire hard drive, or X.509 certificate options (like those issued by Verisign).

PGP Freeware supports key sizes from a minimum of 1024 bits up to a maximum of 4096 bits, and includes plug-ins for Eudora, Outlook, and Outlook Express, and an option to use PGPNet to secure communication between computers over a local network.

Installation and setting up a PGP key is simple and effortless in the Windows and Mac versions. After installing PGP freeware onto your hard drive, you create your own private key determined by your preference of key length, and password.

To guard against compromise, always choose a good password, preferably a phrase you can remember, and choose a sufficiently sized encryption key. For maximum security, one could always use a large key size and choose an extremely lengthy password, but messages created this way may take longer to encode/decode, and this usually is not recommended unless you have a lot of time for encrypting and decrypting messages, or are just plain paranoid. Usually a smaller key size of 2048 minimum, and a reasonable length password or sentence, are recommended.

The main interface of PGP simulates a key ring. On it are various keys from people each with the name and email address of the person who issued it. Key management is easy. You can examine the keys, and all those who signed them through a push of a button. Keys can be added and deleted, and their internal properties examined. Important in the PGP trust system is the use of signatures and certificates. A key from someone is as trustworthy as the people who certify and sign their keys; and the signatures, and photos of the people who signed the keys are available for view, as well as a button to revoke them.

The second interface of PGP is located in the tools utility that comes with the package. The tools interface is very simple, with seven buttons that allow you to sign, verify, encrypt, decrypt and wipe files. Pressing the "Encrypt" button encrypts a file, and optionally formats it into a format (ciphertext) suitable for email. Optionally, you can employ conventional non-PGP encryption on files for personal use.

The "Sign" button allows you to use your private key to digitally sign a document without encrypting the information contained inside. Digital signatures take into account the file size and contents. If the file is altered in any way, the signature is broken, and the verification of the document fails.

The "Wipe" button allows you to wipe a file completely off a hard drive. In Windows systems, a file is not actually deleted when you trash it; the file is merely turned invisible, and renamed somewhat. To ensure deletion, it can be wiped through PGP.

If you are not familiar with PGP, it is recommended to read through the manuals and learn how it all works. PGP freeware comes with help files and a manual both integrated into the PGP interface, as well as packaged into PDF files for offline browsing as ebooks. One can read essays on the history of PGP, Phil Zimmermann (the man behind PGP), privacy, cryptography, and the history of why PGP was created.

Cryptography is not just for computer geeks, or the paranoid. Using cryptography won't turn you into a terrorist suspect to be detained indefinitely by the FBI and INS (like the 1100+ already in limbo since Sept. 11). Businesses and government rely on digital signatures and encryption for secure communications; and for the ordinary person, there may come a point in our future when it is absolutely required in our daily lives to help combat identity theft and hackers.


Getting The Goods
The latest version of PGP Freeware for Windows/Mac is 6.5.8. It is a 7.9Mb download, and only US or Canadian residents can download the US version from http://web.mit.edu/network/pgp.html. International users must use www.pgpi.com to download a suitable non-US version. There are also executable versions for DOS, Unix, and others, as well as PGP source code. Commercial users must purchase a commercial version of PGP from Network Associates (McAfee).


Note on the PGP signature
The text of this review was digitally signed using my PGP key. The contents can be verified by copying the entire message body (view the html source of this page to get the tags and formatting) into PGP. Soothsayer's public key is listed in the comments section.


-----BEGIN PGP SIGNATURE-----

iQA/AwUBO/DvRVXZ3JzZ3O//EQKaXACeNsnGjU4OY5gsnRJKmeDGEL6erqIAoP4k
hAgXNeiXa6smCvOg7u46V7m5
=7iZC
-----END PGP SIGNATURE-----
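
What the signature block above actually carries, as an added example that is not part of the original review: this Python sketch strips the ASCII armor and decodes the header of the OpenPGP version 3 signature packet inside it, showing the signature type, creation time, signer key ID and algorithms before any verification is attempted. The function and table names are illustrative, and the lookup tables list only a few common algorithm IDs.

```python
import base64
from datetime import datetime, timezone

# Signature block copied from the review above.
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----

iQA/AwUBO/DvRVXZ3JzZ3O//EQKaXACeNsnGjU4OY5gsnRJKmeDGEL6erqIAoP4k
hAgXNeiXa6smCvOg7u46V7m5
=7iZC
-----END PGP SIGNATURE-----
"""

SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}


def dearmor(armored: str) -> bytes:
    """Return the binary packet inside an ASCII-armored block."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # after the blank line, before END
    data = [line for line in body if not line.startswith("=")]  # skip CRC-24 line
    return base64.b64decode("".join(data), validate=True)


def parse_v3_signature(packet: bytes) -> dict:
    """Decode the header of an old-format, version 3 signature packet."""
    tag = packet[0]
    # Bit 7 set and bit 6 clear = old format; bits 5-2 = packet tag (2 = signature).
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or tag & 0x03 == 3:
        raise ValueError("not a definite-length old-format signature packet")
    n = 1 << (tag & 0x03)                     # 1, 2 or 4 length octets
    body = packet[1 + n:]
    if len(body) != int.from_bytes(packet[1:1 + n], "big"):
        raise ValueError("truncated or padded packet")
    if body[0] != 3 or body[1] != 5:          # version 3, 5 hashed octets follow
        raise ValueError("not a version 3 signature")
    created = int.from_bytes(body[3:7], "big")
    return {
        "type": SIG_TYPES.get(body[2], hex(body[2])),
        "created": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "key_id": body[7:15].hex().upper(),
        "pubkey_algo": PUBKEY_ALGOS.get(body[15], str(body[15])),
        "hash_algo": HASH_ALGOS.get(body[16], str(body[16])),
    }
```

Decoding the header only tells you what the signature claims; checking it still requires the signer's public key and the exact signed text, as the note above describes.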


Recommended: Yes
