GPG/PGP Information

If you know what a PGP public key is, then scroll down to the bottom of the page, grab it, import it, and let's rock and roll.

If you don’t know what a public key is, then read on.

When you send a letter to your friend, you sign the bottom of it so that they know that
it was you who wrote the letter. This system works because it is easy to tell if an envelope
has been tampered with, and it's easy to recognize your friend’s signature. But with email, things
are more difficult. Email is easy to intercept. It is easy to forge. My name typed in letters is
not any different whether I typed it, or whether someone else typed it. So how are you to know that
any email you got from me actually came from me? How can you tell if it was intercepted and changed
on the way? The way is through a digital signature.

In the computer world, text being sent over the internet can either be ‘cleartext’ or ‘ciphertext’.
Cleartext means that there is no encryption. Anyone sniffing ports on the internet can read the
contents of the text. Many things are sent cleartext that you may not be aware of. Your email reading
software probably sends a cleartext password. The programs FTP and Telnet both send all information,
including account passwords, in cleartext. This is clearly (no pun intended) a security issue. Ciphertext,
on the other hand, is text that has been encrypted. Ciphertext can still be intercepted, but the
person intercepting it will have no way to read the contents; it will just be gibberish! This is our goal.

Using software like GPG (GNU Privacy Guard) and PGP (Pretty Good Privacy)
we create two special ‘keys’ for ourselves. The generation of these keys involves gathering lots of
random numbers, and making an encryption key. The key includes a passphrase, which is similar to a password
but is usually several words, even an entire passage of text. One key is public: I give it out to
anyone I want to be able to send me encrypted messages, and anyone I want to be able to verify that my
emails are actually from me. That is the key you see below. The other key is private. I keep my
private key secure, and I use it to decrypt mail you send me using my public key, and I use it to
sign mail that you will verify with my public key.

If you have a public key, you should give it to me. Once we have each other’s public keys, you will
use your private key to encrypt your public key, and email it to me. I will encrypt my public key with
my private key, and email it to you. If the keys we exchanged over plaintext email were correct, then
the message will decrypt properly. If the public keys we exchanged earlier were intercepted, faked,
or simply entered incorrectly, then we will not be able to decrypt, and we will know to exchange a new
set of public keys. This is how we verify that we have the correct public key for each other.

Once we have each other’s public keys, then we can send both signed and encrypted mail back and forth.
If you have my public key, but I don’t have yours, then I can still send you signed mail, but not
encrypted mail. The best situation is an exchange of keys. When we have each other’s public key, then
I will compose an email message, encrypt it with your public key (which requires your private key and your passphrase to decrypt)
and I will sign it with my private key (which requires your copy of my public key to verify). Thus,
you know that the email came from me, and that it is unreadable by people of questionable scruples out
on the internet.
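
The key exchange and the signed, encrypted round trip described above, as an added example that is not part of the original post. It assumes GnuPG 2.1 or later; the two throwaway keyrings, names, addresses and message text are constructed for the demo, and it also compares fingerprints after the exchange and shows a message altered in transit failing verification.

```shell
#!/bin/sh
# Added example. Two throwaway keyrings play the two correspondents; the
# names, addresses and message text are constructed. Assumes GnuPG 2.1+.

# g HOMEDIR ARGS...: run gpg non-interactively against one keyring.
# "--trust-model always" is acceptable here only because the keys are disposable.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty --pinentry-mode loopback \
        --passphrase '' --trust-model always "$@"
}

# fpr HOMEDIR USER: print the primary key fingerprint held for USER.
fpr() {
    g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Prints one line per passed check: FPR_MATCH GOODSIG PLAINTEXT_OK TAMPER_DETECTED
demo() {
    work=$(mktemp -d) || return 1
    A=$work/alice B=$work/bob
    mkdir -m 700 "$A" "$B"
    g "$A" --quick-generate-key 'Alice Demo <alice@example.invalid>' || return 1
    g "$B" --quick-generate-key 'Bob Demo <bob@example.invalid>' || return 1

    # Exchange public keys, then compare fingerprints (in practice read out
    # over a second channel such as a phone call).
    g "$A" --armor --export alice@example.invalid | g "$B" --import
    g "$B" --armor --export bob@example.invalid | g "$A" --import
    [ "$(fpr "$A" alice@example.invalid)" = "$(fpr "$B" alice@example.invalid)" ] &&
        echo FPR_MATCH

    # Alice signs with her private key and encrypts to Bob's public key.
    echo 'meet at noon' | g "$A" --armor --local-user alice@example.invalid \
        --recipient bob@example.invalid --sign --encrypt > "$work/msg.asc"
    # Bob decrypts with his private key; gpg checks Alice's signature.
    g "$B" --status-fd 3 --decrypt "$work/msg.asc" > "$work/out" 3> "$work/st"
    grep -q '^\[GNUPG:\] GOODSIG' "$work/st" && echo GOODSIG
    [ "$(cat "$work/out")" = 'meet at noon' ] && echo PLAINTEXT_OK

    # A signed cleartext message altered in transit fails verification.
    echo 'meet at noon' | g "$A" --clearsign > "$work/note.asc"
    sed 's/noon/dawn/' "$work/note.asc" > "$work/forged.asc"
    g "$B" --status-fd 3 --verify "$work/forged.asc" 3> "$work/st2" 2>/dev/null || true
    grep -q '^\[GNUPG:\] BADSIG' "$work/st2" && echo TAMPER_DETECTED
    for h in "$A" "$B"; do gpgconf --homedir "$h" --kill gpg-agent || true; done
    rm -rf "$work"
}
```

Run `demo` in a shell where the block has been sourced; each line it prints names a check that passed.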

There are many mail readers that support PGP and GPG (the two are compatible for the most part). Using
these mail programs, it can be very simple to send and receive encrypted and signed emails. Failing that,
you can always write an email in a text program, and encrypt the text file directly with the GPG or PGP
software, and then paste the resultant gibberish into the email program. But that is a hassle.

On the email end, I use Apple’s Mail program, version 1.2 under Jaguar.
It does not have GPG support natively, but it does through a combination of two programs. First,
install MacGPG, an OS X port of GnuPG. It comes with
a few GUI helper applications for helping you manage your keys, encrypting files, etc. Then, install
GPGMail, which is a plugin
for Mail.app that serves as a front-end to the GPG program. Follow the instructions in GPG to generate
a key pair (your public and private keys), and submit the public key to a keyserver. Keyservers maintain large
databases of current public keys. The GPG application will assist you in this. Then make your public
key available to people you communicate with. Put it in your email signature, or put a link in your signature
like I have done. When you get a public key, send it to me, and we’ll exchange keys! Then our communication
will be secure.

There are many other email programs that support this in various ways: Eudora, Outlook, Entourage, Mozilla mail,
and others. I don’t have any personal experience setting it up for these programs, but the internet is
filled with resources on this type of setup. I will be happy to assist over email as well, if you don’t
know how to proceed, or get stuck somewhere along the line.



Below is my public key block. You can copy and paste this into your key managing program
to add me to your keyring.



2 Responses to “GPG/PGP Information”

  1. on 31 May 2003 at 1:28 pm Sara a hamed

    I want to know my friend's password

  2. on 28 Jun 2003 at 1:52 pm root

    Test PGP
