When
As needed.
Why
Pretty Good Privacy (PGP) secures e-mails and files against attackers if used on a secure system and configured correctly. (So please don't send me notes or conspiracy theories about how NSA can
crack it.) Like a firewall, PGP is a security tool and like any
security tool, it isn't secure if you don't understand what you're
doing.
Strategy
The PGP User's Guide explains that PGP is a hybrid cryptosystem: When a user encrypts plaintext with PGP, the data is first compressed, which saves transmission time and disk space and,
more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to
crack the cipher. Compression reduces these patterns in the
plaintext, greatly enhancing resistance to cryptanalysis. PGP then
creates a session key, which is a one-time-only secret key generated
by random mouse movements and keystrokes. Once the data is encrypted,
the session key is encrypted to the recipient's public key and
transmitted along with the ciphertext to the recipient. Decryption
works in reverse. The recipient's copy of PGP uses his private key to
recover the temporary session key, which PGP then uses it to decrypt
the conventionally encrypted ciphertext.
Get a current version of PGP that works on your system, unpack and install it. Then make up a secret passphrase and create your public and private keys. Once you validate your public key, you can distribute
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
copies of the public key and upload it to a key server.
Using a good passphrase to protect your private keys and keeping them truly private is key. Rogue software might send your passphrase keystrokes and your PGP key file back to someone who can then use the info to read your messages, another reason to be vigilant about scanning for viruses and spyware.
PGP Corp. publishes its source code so customers and cryptography experts can validate its integrity.
More information
PGP Corp. offers a free limited-capability version of PGP Mail for individual, non-commercial use at
http://www.pgp.com, as well as lots of documentation, including the Introduction to Cryptography from the PGP User's Guide. If you're still not sure how it works and want to experiment more, GnuPG is a complete, free replacement for PGP, learn more about it at http://www.gnupg.org. To read why Philip Zimmermann, the creator of PGP, invented it, go to
http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html.
About the author,,
Shelley Bard, CISSP, CISM, is a senior security network engineer with
Verizon Federal Network Systems (FNS). An information security
professional for 17 years, Bard has briefed and written information
security assessments and technical reports for the White House and
Department of Defense, special interest groups, industry and
academia. Please e-mail any comments to
mailto:securityplanner@infosecuritymag.com.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week: Wireless –Less wires, more issues
Next week: Mid-year review -- what's going right?
This was first published in August 2004