Last updated 2004-06-28 by Roedy
Green ©1996-2004 Canadian Mind Products
Last updated 2004-06-28 by Roedy
Green ©1996-2004 Canadian Mind Products
Java definitions: 0-9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
You are here : home : Java Glossary : P words : PGP.
PGP (plus related systems like GNU privacy Guard, CTC, and the more distant systems like Pegwit) uses public key encryption as a way of exchanging the private keys you need for the faster conventional encryption (like Triple-DES). PGP does not require both communicating parties to know a shared private key agreed on in advance the way DES does.
PGP is different from other digital signing/encryption techniques in that there are no central certificate issuing authorities. You make your own certificates (containing just your name, email address and public key but not your private one), and get other ordinary people to digitally sign them as accurate. This creates a web of trust. You know if a certificate is valid by how much you trust the people who signed the certificate. You tell PGP how much you trust various certificates and how much you trust various people to accurately sign other's certificates and it computes a trustworthiness of each certificate on your keyring.
The PGP people don't use the term certificate like everyone else does. They call them public keys even though the public key files contain more information than just the public key. They use a single key icon to represent a public key, and a double key icon to represent a public/private pair. Be careful you don't accidentally give your private key to anyone by accidentally exporting both keys.
You learn of other's public keys by picking them off websites. For example, you can download/see my PGP public key at http://mindprod.com/RoedyGreenPGPkey.asc. It just looks like gibberish, but when you import it into your PGP keyring it contains my public key, name and email address hidden in there.
After you import someone's public key you must sign it with your private key, to indicate you consider it valid. You can then adjust the trust level you feel about public keys that person has validated. There is no central authentication agency. It all works by a peer to peer web of trust. There is a central registry like a phone book of email addresses and public keys, but there is no guarantee that any of its information is valid.
You can receive PGP certificates via unsecured email. You can discover them in Newsgroup postings. PGP 7.0 contains a feature to lookup a public key or register yours in any one of a number of central registries. [Make many backups of all your private keys and their passphrases and put them where you are sure you will be able to find them again. You may never be able to correct these public registries without them.] People will continue to send you email encrypted with your old lost key and you won't be able to make any sense of it.
Once you declare my public key as trustworthy, then you can send me encrypted email, and you can verify if any digitally signed mail from me really came from me. It won't let me send you encrypted email. (I need your public key for that.) It won't let me verify that email from you really came from you. (I need your public key for that.) Of course we both need the PGP software installed on our machines. There is also a feature you can register a third party with the right to revoke your key in case you lose your private key or forget your passphrase. However, it is too late to do that once you lose you key or passphrase.
You can download a simple PGP 8.0 suite free from PGPI.org.
All that is left of the original Network Associates PGP website are products with prices so high they won't even post them. You have to request a formal price quotation. These are clearly not aimed at personal users.
The freeware products are for non-commercial use. There are now a suite of reasonably priced commercial products at the PGP Store. For example a PC PGP 1 year licence is The freeware editions don't have integration into email. The freeware version asks you to fill in a licence key. If you don't, it turns off some features. If you do, it upgrades to the commercial version.
The patent recently expired on PGP and, in recent years, the patentholder, Network Associates, seems to have lost all interest in supporting its former PGP products. They are attempting to sell off their PGP product line. Presumably soon third parties will take up the slack. In recent years, we saw signing authorities like Thawte dropping PGP support. Perhaps they will start re-instating it.
Signed formatted messages arrive as mysterious enclosures ending in .ems. You must double click them to view them and verify the signature. Eudora encrypts the body and your tagline, but not the subject.
When you click encrypt nothing happen until you hit send. Then it automatically looks up the public key of the recipient in the keyserver.pgp.com database. Encrypted messages come in looking like gibberish with nothing telling you what they are. It is up to you to recognize what them as encrypted messages and right click plugins, decrypt and verify.
Sometimes the encrypted message arrives as a *.ems attachment. You must double click it and give your passphrase to decrypt it and verify the signature. Eudora wisely gives you the option of leaving the message in encrypted or unencrypted form in your mail folder. You may be trying to protect it from prying eyes at your end as well as en route.
You can also digitally sign and/or encrypt your messages with PGP by having it sign the clipboard then paste the text back into pretty well any newsreader/mailreader. That way your mailreader/newsreader need not support PGP directly. Unfortunately, only the message body then is signed. The header including the message subject:, to: and from: are unprotected.
The PGP message format is described in RFC-2440.
PGP also has a wipe feature for securely erasing files and also erasing the free space including the space at the tail end of each file in its allocated cluster.
When you install it, make sure you choose a directory for your public and secret keyrings that won't be lost or erased and that will be backed up.
e.g. My 160-bit public PGP key is rendered either in hex:
9AA3 43B6 324D F154 4098 F58F EF62 A55F 92CB 3EDD
or as a grid of words: 9A=pupil A3=pandemic
etc.
| pupil | pandemic | crucial | potato |
| checkup | disruptive | unwind | equation |
| crackdown | narrative | vapor | midsummer |
| uncut | gadgetry | reindeer | forever |
| physique | revival | concert | tabourine |
Americans have a silly law that code written in the USA that does strong encryption cannot be exported outside the USA and Canada, even though the algorithms are published. This has had the effect of stimulating European and Australians to provide such software which is immune to the restriction, taking business away from American companies. In particular, BouncyCastle.org is located in Australia. You can use Sun's weak or strong JCE, but if you use the strong JCE, you can't export your product. The solution is to plug-replace Sun's JCE with one written outside the USA.
home |
Canadian Mind Products | 
 |
||
| mindprod.com IP:[24.87.56.253] | ||||
| Your IP:[80.134.30.163] | ||||
| You are visitor number 2881. | ||||
| Please send errors, omissions and suggestions | ||||
| to improve this page to Roedy Green. | ||||
| You can get a fresh copy of this page from: | or possibly from your local J: drive mirror: | |||
| http://mindprod.com/jgloss/pgp.html | J:\mindprod\jgloss\pgp.html | |||
