
by Trevor Zion Bauknight
A couple of years after I got my first Internet e-mail account in 1989, a software engineer at MIT named Phil Zimmermann wrote an e-mail encryption program he called PGP, Pretty Good Privacy. PGP was more than a piece of software, however; it was, as Zimmermann's website (http://www.mit.edu/~prz) puts it, a "human rights tool."
Zimmermann became concerned about 1991 Senate Bill 266, an omnibus anti-crime bill that, fortunately, never passed. The bill included the proposal that all encryption software must have a so-called "back door" that would allow law enforcement personnel to decrypt encrypted messages when authorized to do so. Zimmermann, who has won numerous technical and humanitarian awards for his work, didn't believe in back doors for the government, and he gave PGP to a few friends.
Those friends accepted it as a mission to distribute PGP to bulletin-board systems and eventually the program spread far and wide. Too wide for the U.S. Government's liking. Zimmermann became the subject of a three-year criminal investigation by the Customs Service, on the theory that laws designed to prevent the export of arms had been broken when PGP made its way (nobody really knows how) outside U.S. borders.
Once that investigation came to naught in 1996, and some concurrent patent issues sorted themselves out, Zimmermann set up PGP, Inc. to distribute and develop PGP. That company was bought by Network Associates and more recently by a new PGP Corporation (http://www.pgp.com), where Zimmermann now serves as a special advisor and consultant.
What is PGP?
Briefly, PGP is a public-key cryptography system designed to allow mere mortals to encrypt and digitally sign all sorts of documents, most importantly e-mail. Public-key cryptography works by generating two mathematically related keys, one public and one secret, that are extraordinarily difficult to break: knowing the public key does not let anyone work out the secret one. Others can obtain your public key in order to produce a message that can only be decrypted by the holder of the secret key, and a message signed with the secret key can be checked by anyone holding the public key.
Servers have been set up to facilitate the exchange of public keys and the whole system has evolved from a difficult-to-use command-line utility to a system that can be used with most e-mail software and graphical desktop operating systems. The commercial product has expanded to include other utilities designed to secure one's entire hard drive and even one's PalmOS or PocketPC devices.
GPG (GNU Privacy Guard) is the open-source alternative to the commercial PGP products. It is built to the documented OpenPGP standard and is stable, production-quality software included with a variety of open-source operating systems like GNU/Linux and the various flavors of BSD. GPG is primarily a command-line program, but extensions to popular mail software like Mozilla's Thunderbird and MS Outlook have been made to facilitate its use by normal people.
Why should you use PGP/GPG?
You should consider the use of PGP or GPG if you wish to ensure that your e-mail communications are private and/or to provide the assurance that messages appearing to come from you really come from you. The encryption aspect of the program is overkill for everyday communication, but PGP Corp. points out that their product is used by commercial banks, 90% of the Fortune 100, 74% of the Forbes International 100 and nine of the Fortune Top 10. It has proved to be a bullet-proof method of encrypting sensitive material for those who need it.
But it is the digital signing capabilities of PGP/GPG that are most interesting to the average end-user in this age of rampant identity theft and online organized crime. Signing your messages with these programs is a snap thanks to front-end programs like Enigmail (a Thunderbird extension), GPGMail for Apple's Mail program and GData's GnuPG-Plugin for Outlook. Signing important correspondence with PGP or GPG ensures that nobody else can pretend she is you.
How do you get started?
The first step, of course, is to either purchase PGP from PGP Corp. or download GPG for your operating system from the GnuPG website (http://www.gnupg.org). At the latter site, there are also numerous links to the GUI front-end programs and mail program interfaces mentioned above. Full source code is available for GPG, and pre-built binaries are available for most platforms. You can find direct links to GPG and related resources for your platform in the Recommended Software section under Resources at CafeID's website (http://www.cafeid.com).
The second step is the creation of your public and secret keys. Instructions for doing so and for uploading your public key to the system of interlocking key servers are beyond the scope of this article, but it isn't difficult if you're good at following the directions included with the downloads.
The final, and most important, step in securing your e-mail is to actually USE this technology. With the excellent front-ends available, it has become unobtrusive, and the use of PGP/GPG doesn't depend on your e-mail service provider. Widespread use of PGP/GPG would cut down dramatically on the amount of garbage spreading via e-mail and would make it possible for legitimate businesses to communicate with their customers in a way that's not currently possible.
About the Author
Trevor Zion Bauknight is a web designer and writer with over 15 years of experience on the Internet. He works with Cafe ID and specializes in the creation and maintenance of business and personal online identity and can be reached at trevor@cafeid.com.