Introduction to PGP

What on earth is that mess of letters and numbers at the end of some folks’ email and usenet messages? In many cases[1], it’s a PGP signature. As an example, here’s a plain text message I wrote:

This is a PGP-signed message. The signature will be longer for longer
messages.
Cyn

After I signed it with PGP, it looks like this:

-----BEGIN PGP SIGNED MESSAGE-----

This is a PGP-signed message. The signature will be longer for longer
messages.

Cyn

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: See http://www.technomom.com/pgp.html for further info

iQCVAwUBOfNHEB1LUpdZB1XtAQGcvAQAxr9NOOQYovebGwv28aheAnUIAJjsRYXP
IbU+0QeUBwf3MRFUxPo6X26donmHmoofLalabjaIFEvnEmAWfrQkKZ+xvNSCvRWB
t9s8EHSTm/5ARzL89xV4QUUkimgj2cG9xe9b7IiPyNCTW6Rg4cbPDmnpEbu2FT4q
vzjxoZMAseU=
=Tbam
-----END PGP SIGNATURE-----

PGP is the best known public key encryption method in use on the internet. If I sign a message I post to a particular newsgroup using my private key, anyone who wishes to verify that it is from me and unaltered can check the signature on the message using my public key. If the message has been altered in any way, the signature will not be valid. If someone else forged a message in my name and tried to copy the signature from one of my real posts, the signature wouldn’t check as valid on the forged message. That’s the reason I use it.
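
The signature block above is not random noise: it is a base64-encoded OpenPGP packet. This added example, which is not from the original page, decodes that block with the Python standard library, assuming the version 3 signature layout from RFC 4880. It reads the packet's metadata only and does not verify the signature, which needs the signer's public key.

```python
import base64
import struct
from datetime import datetime, timezone

# Base64 body of the signature shown on this page. The final "=Tbam" line is
# the armor's CRC-24 checksum; it is left out and not checked here.
ARMOR_BODY = """
iQCVAwUBOfNHEB1LUpdZB1XtAQGcvAQAxr9NOOQYovebGwv28aheAnUIAJjsRYXP
IbU+0QeUBwf3MRFUxPo6X26donmHmoofLalabjaIFEvnEmAWfrQkKZ+xvNSCvRWB
t9s8EHSTm/5ARzL89xV4QUUkimgj2cG9xe9b7IiPyNCTW6Rg4cbPDmnpEbu2FT4q
vzjxoZMAseU=
"""

# Algorithm and type IDs from RFC 4880 (only the common ones are listed).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}

def parse_v3_signature(armor_body: str) -> dict:
    """Decode one old-format, version 3 OpenPGP signature packet."""
    raw = base64.b64decode("".join(armor_body.split()))
    # Old-format header: bit 7 set, bit 6 clear, tag in bits 5-2 (2 means
    # signature), length type in bits 1-0 (1 means a two-byte length).
    if raw[0] & 0xC0 != 0x80 or (raw[0] >> 2) & 0x0F != 2 or raw[0] & 3 != 1:
        raise ValueError("expected an old-format signature packet")
    (body_len,) = struct.unpack(">H", raw[1:3])
    body = raw[3:]
    if len(body) != body_len:
        raise ValueError("packet length does not match the data")
    version, hashed_len, sig_type, created = struct.unpack(">BBBI", body[:7])
    if version != 3 or hashed_len != 5:
        raise ValueError("only version 3 signatures are handled")
    pk_algo, hash_algo = body[15], body[16]
    # The signature value is one multiprecision integer: bit count, then bytes.
    (mpi_bits,) = struct.unpack(">H", body[19:21])
    if (mpi_bits + 7) // 8 != len(body) - 21:
        raise ValueError("expected a single RSA-style signature value")
    return {
        "sig_type": SIG_TYPES.get(sig_type, hex(sig_type)),
        "created": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "key_id": body[7:15].hex().upper(),
        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, str(pk_algo)),
        "hash_algo": HASH_ALGOS.get(hash_algo, str(hash_algo)),
        "signature_bits": mpi_bits,
    }

if __name__ == "__main__":
    for field, value in parse_v3_signature(ARMOR_BODY).items():
        print(f"{field}: {value}")
```

For this page's signature it reports a 1024-bit RSA signature over an MD5 hash of a text document, created in October 2000. Both choices are considered weak today, which is why current OpenPGP tools default to stronger hashes and longer keys.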

Some people use PGP for actual encryption. If I wanted to send my friend Doug an email that contained very sensitive information, I’d write my message and sign it with my private key. I would then encrypt it with Doug’s public key, and email the encrypted version to him. Upon receipt he would decrypt the message using his private key, then check my signature using my public key. We’d know that the message had not been read by anyone but us, and had not been altered in any way. I find very little need for encryption, but some people use it frequently.

For a far more thorough explanation of PGP, please check the comp.security.pgp FAQ.

If you’re an individual user in the US or Canada, you may download a free copy of PGP from MIT. Folks in other countries can get it here or check the FAQ for other locations. If you wish to use PGP for commercial purposes, you’ll need to purchase it from Network Associates.

The current freeware version of PGP includes a nice little Windows shell. Many Windows users found it awkward to use the original command-line version of PGP, so a multitude of programs were created to make it easier. Some are standalone products, and some are written to work with programs like Eudora Pro and Agent. I had good luck with PGP Click, but it isn’t the most automated of the programs by any means. Just play around until you find one you like (or use the newer Windows version of PGP).

Some other links you may find useful as you explore PGP:

Last updated October 25, 2001


[1] Sometimes a list of weird characters at the end of a message is the sender’s geek code, or similar code specific to a particular interest group.