Introduction to PGP

What on earth is that mess of letters and numbers at the end of some folks’ email and usenet messages? In many cases[1], it’s a PGP signature. As an example, here’s a plain text message I wrote:

This is a PGP-signed message. The signature will be longer for longer
messages.
Cyn

After I signed it with PGP, it looks like this:

-----BEGIN PGP SIGNED MESSAGE-----

This is a PGP-signed message. The signature will be longer for longer
messages.

Cyn

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: See http://www.technomom.com/pgp.html for further info

iQCVAwUBOfNHEB1LUpdZB1XtAQGcvAQAxr9NOOQYovebGwv28aheAnUIAJjsRYXP
IbU+0QeUBwf3MRFUxPo6X26donmHmoofLalabjaIFEvnEmAWfrQkKZ+xvNSCvRWB
t9s8EHSTm/5ARzL89xV4QUUkimgj2cG9xe9b7IiPyNCTW6Rg4cbPDmnpEbu2FT4q
vzjxoZMAseU=
=Tbam
-----END PGP SIGNATURE-----

PGP is the best-known public key encryption method in use on the internet. If I sign a message I post to a particular newsgroup using my private key, anyone who wishes to verify that it is from me and unaltered can check the signature on the message using my public key. If the message has been altered in any way, the signature will not be valid. If someone else forged a message in my name and tried to copy the signature from one of my real posts, the signature wouldn’t check as valid on the forged message. That’s the reason I use it.
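To make the signed message above concrete, here is an added example, not part of the original page, that parses the clear-signed message exactly as printed: it separates the signed text from the armor, reads the Version and Comment headers, base64-decodes the signature into the binary OpenPGP packet, and recomputes the 24-bit armor checksum that appears on the page as =Tbam. It does not verify the signature cryptographically, since the page does not carry the public key; the armor layout and CRC-24 follow RFC 2440/4880, and the names Armor, crc24 and parseClearsigned are this example's own.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed copy of the clear-signed message shown on the page, armor lines and "=Tbam" checksum included.
const clearsigned = `-----BEGIN PGP SIGNED MESSAGE-----

This is a PGP-signed message. The signature will be longer for longer
messages.

Cyn

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: See http://www.technomom.com/pgp.html for further info

iQCVAwUBOfNHEB1LUpdZB1XtAQGcvAQAxr9NOOQYovebGwv28aheAnUIAJjsRYXP
IbU+0QeUBwf3MRFUxPo6X26donmHmoofLalabjaIFEvnEmAWfrQkKZ+xvNSCvRWB
t9s8EHSTm/5ARzL89xV4QUUkimgj2cG9xe9b7IiPyNCTW6Rg4cbPDmnpEbu2FT4q
vzjxoZMAseU=
=Tbam
-----END PGP SIGNATURE-----`

type Armor struct {
	Text      string            // the signed text, dash-escaping removed
	Headers   map[string]string // armor headers such as Version and Comment
	Signature []byte            // the decoded signature packet; byte 0 is its packet header
	CRC       uint32            // the 24-bit checksum carried after "="
}

// crc24 is the armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// parseClearsigned walks the message line by line through its regions.
func parseClearsigned(msg string) (*Armor, error) {
	a := &Armor{Headers: map[string]string{}}
	var text, body []string
	state := 0 // 0 preamble, 1 clearsign headers, 2 text, 3 armor headers, 4 armor body, 5 done
	for _, raw := range strings.Split(msg, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		switch {
		case state == 0 && line == "-----BEGIN PGP SIGNED MESSAGE-----":
			state = 1
		case state == 1 && line == "":
			state = 2 // any "Hash:" lines before this blank are skipped
		case state == 2 && line == "-----BEGIN PGP SIGNATURE-----":
			state = 3
		case state == 2:
			text = append(text, strings.TrimPrefix(line, "- ")) // undo dash-escaping
		case state == 3 && line == "":
			state = 4
		case state == 3:
			if kv := strings.SplitN(line, ": ", 2); len(kv) == 2 {
				a.Headers[kv[0]] = kv[1]
			}
		case state == 4 && line == "-----END PGP SIGNATURE-----":
			state = 5
		case state == 4 && strings.HasPrefix(line, "="):
			c, err := base64.StdEncoding.DecodeString(line[1:])
			if err != nil || len(c) != 3 {
				return nil, errors.New("malformed armor checksum")
			}
			a.CRC = uint32(c[0])<<16 | uint32(c[1])<<8 | uint32(c[2])
		case state == 4:
			body = append(body, line)
		}
	}
	sig, err := base64.StdEncoding.DecodeString(strings.Join(body, ""))
	if state != 5 || err != nil || len(sig) == 0 {
		return nil, errors.New("incomplete armor or undecodable signature body")
	}
	a.Text, a.Signature = strings.Join(text, "\n"), sig
	return a, nil
}

func main() {
	a, err := parseClearsigned(clearsigned)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed text: %q\nheaders: %v\n", a.Text, a.Headers)
	// Old-format packet header (RFC 4880 4.2.1): bits 5..2 are the tag, 2 = signature packet.
	fmt.Printf("signature: %d bytes, packet tag %d\n", len(a.Signature), (a.Signature[0]>>2)&0x0F)
	fmt.Printf("checksum =%06X, recomputed %06X, match %v\n", a.CRC, crc24(a.Signature), a.CRC == crc24(a.Signature))
}
```

The first decoded byte, 0x89, is an old-format packet header whose tag bits give 2, a signature packet, and the next byte after the two-octet length is 0x03, the version-3 signature format PGP 6.x wrote. The armor checksum only catches transport damage to the text block (a mangled or dropped line); the signature check the paragraph describes is what catches alteration of the message itself, and needs the signer's public key.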

Some people use PGP for actual encryption. If I wanted to send my friend Doug an email that contained very sensitive information, I’d write my message and sign it with my private key. I would then encrypt it with Doug’s public key, and email the encrypted version to him. Upon receipt he would decrypt the message using his private key, then check my signature using my public key. We’d know that the message had not been read by anyone but us, and had not been altered in any way. I find very little need for encryption, but some people use it frequently.
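The exchange just described, as an added example that is not part of the original page and does not use PGP's own packet format: Cyn signs with her private key, encrypts the signature and the text together to Doug's public key, and Doug reverses the two steps. It uses Go's standard library only (RSA-PSS for the signature, RSA-OAEP to wrap a fresh AES-256-GCM session key; PGP likewise encrypts the body with a symmetric session key rather than with the public key directly). Envelope, signAndEncrypt, decryptAndVerify, newKeyPair and the key names cyn and doug are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is this example's constructed container; only the order of operations mirrors PGP, not the layout.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient's public key, session key)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(session key, signature || plaintext)
}

// newKeyPair generates a 2048-bit RSA key pair for one party of the example.
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// sign makes the sender's signature over the text (RSA-PSS over SHA-256).
func sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
}

// verify checks a signature with the sender's public key.
func verify(sender *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil)
}

// newGCM builds AES-256-GCM for the message body; keys here are always 32 bytes.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// signAndEncrypt is the sender's side: sign with own private key, then encrypt
// signature and text together so that only the recipient can read either.
func signAndEncrypt(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig, err := sign(sender, msg)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 32+12) // fresh session key and nonce for every message
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	sessionKey, nonce := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// An RSA-PSS signature is exactly sender.Size() bytes, so sig||msg splits cleanly on receipt.
	body := append(append([]byte{}, sig...), msg...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: newGCM(sessionKey).Seal(nil, nonce, body, nil)}, nil
}

// decryptAndVerify is the recipient's side: unwrap the session key with own
// private key, decrypt, then check the signature with the sender's public key.
func decryptAndVerify(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil || len(sessionKey) != 32 {
		return nil, errors.New("session key unwrap failed: not encrypted to this key")
	}
	body, err := newGCM(sessionKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext altered")
	}
	if len(body) < sender.Size() {
		return nil, errors.New("body too short to hold a signature")
	}
	sig, msg := body[:sender.Size()], body[sender.Size():]
	if err := verify(sender, msg, sig); err != nil {
		return nil, errors.New("signature invalid: text altered or not signed by this sender")
	}
	return msg, nil
}

func main() {
	cyn, doug := newKeyPair(), newKeyPair() // constructed key pairs for sender and recipient
	env, _ := signAndEncrypt(cyn, &doug.PublicKey, []byte("constructed sensitive note"))
	got, err := decryptAndVerify(doug, &cyn.PublicKey, env)
	fmt.Printf("Doug reads %q, err=%v\n", got, err)
	sig, _ := sign(cyn, []byte("real post"))
	fmt.Println("real signature moved onto forged text verifies:", verify(&cyn.PublicKey, []byte("forged post"), sig) == nil)
}
```

Doug's side fails closed in three distinct ways that a real client should keep apart: the session key does not unwrap (the message was not encrypted to him), the AEAD tag fails (the ciphertext was altered in transit), or the signature does not verify (the text was altered, or someone other than Cyn signed it). Signing before encrypting also keeps the signature itself hidden from anyone who cannot decrypt, and the last line shows the paragraph's forgery case: a genuine signature lifted from one message does not verify on another.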

For a far more thorough explanation of PGP, please check the comp.security.pgp FAQ.

If you’re an individual user in the US or Canada, you may download a free copy of PGP from MIT. Folks in other countries can get it here or check the FAQ for other locations. If you wish to use PGP for commercial purposes, you’ll need to purchase it from Network Associates.

The current freeware version of PGP includes a nice little Windows shell. Many Windows users found it awkward to use the original command-line version of PGP, so a multitude of programs were created to make it easier. Some are standalone products, and some are written to work with programs like Eudora Pro and Agent. I had good luck with PGP Click, but it isn’t the most automated of the programs by any means. Just play around until you find one you like (or use the newer Windows version of PGP).

Some other links you may find useful as you explore PGP:

Last updated October 25, 2001


[1] Sometimes a list of weird characters at the end of a message is the sender’s geek code, or similar code specific to a particular interest group.