PGP offers a reliable but easy way to securely exchange emails and documents. All it requires is a PGP software and an email client that supports this method. Modern email clients, such as, Thunderbird (setup instructions for Windows), support it very well.
The PGP offers a complete security, and it consists of two parts:
1. Digitally signing an email
A matching digital signature of an email confirms that the origin of the email is genuinely what the email claims to have originated from. In other words, if a malicious, third party (e.g. Chinese government) is trying to deceive you by sending fake emails on the name of your friend, the PGP-signature can detect it. Besides, it also guarantees that the contents of the email (along with the attachment) are not altered by the third party, in the process of the email exchange between you and your friend.
2. Encrypting an email
It hides the email-content by encrypting it. Therefore, in the worst case, even if an email is intercepted by any third party, in-between, it will be unreadable to them.
OK, how does it work?
The PGP software that you install, generates an unique pair of keys: a public-key and a private-key. You keep the private-key with you and distribute the public-key among your friends, by means of, say, email, websites, Facebook etc. Similarly, your friends keep their private-keys with themselves and give you their public-keys. In the end, everyone has their private-keys saved safely with themselves and the public-keys distributed among others.
When you send an email (or any other secret document) to your friend, you first use his public-key to encrypt it, and then your private-key to sign the encrypted email (or document). When this email reaches to your friend, he can verify the origin and completeness of this email message by using your public key that you already have publicly distributed. If the signature is verified, he can be sure that the email that he is reading is indeed from you and the content is not altered by a third party, in-between. Then, he can use his private-key to decrypt the encrypted email and read the content.
It is always possible to only encrypt or only sign the emails (or documents). However, for a complete security, both the encryption and signing are recommended.
Further remarks
1. To ensure that your friends’ public-keys that you possess, is truly from your friends, please verify that these keys are self-signed (using the private-key of the pair). If a public-key is tempered by a malicious third party, its signature would be altered and you can detect it. NEVER ever trust a public-key that is not self-signed. It also implies that you also must self-sign your public-key (by using your private-key) before you distribute it among your friends.
2. A private-public key pair is very unique and its structure is based on prime-number theories in mathematics. It uses large prime numbers to generate the pair, and current mathematical advances and computer resources are far from breaking the algorithm. Therefore, you are quite safe (well, until now :-)) that any key of the key-pair can be duplicated.
3. There is an universal place to get your friends’ public keys and distribute that of your own. These are called key-servers. Here is a popular key-server at MIT, and here is a global-one that claims to be a global directory for pgp-keys.
4. The original PGP is not free (either as in FREEdom or in FREE-beer). MIT holds its license and it costs money to obtain it. However, thanks to the GPL folks that its open-source implementation, called GNUPG or GPG (in short), also exists. It is available even for Windows. So, if you are interested, please follow the GNUPG website for more. It also describes the concept as well as its usage in a great detail. You may also like to check this PGP for Beginners website to understand the concept.
5. Finally, I have put a test PGP public-key here. You can send me a private, encrypted email using this. However, please verify its self-signature first. Also, note that if you use your private-key to sign your email, I can't verify it, because I don't have your public-key. But I would surely be able to read the encrypted email. Please give it a try.
That’s all for an introduction. I hope this document provided you enough information to begin with. To know its nuts and bolts, please embrace your best friend, Google. In the end, please always keep in mind that to truly secure the privacy of your communication, there is no other way but to take measures by yourselves. Therefore, I actively appreciate the usage of signed and encrypted emails.
If you have any further questions or comments, please leave them below, send me a private message here.
skip to main |
skip to sidebar
It behaves according to you, not the vice-versa!
