ACCC Home Page ACADEMIC COMPUTING and COMMUNICATIONS CENTER
 
Using PGP Trial Software

Using PGP

 

The instructions on this page apply to Version 9.0 for Windows 2000, XP, or Server 2003 (Version 9.0 of PGP no longer supports Windows NT, 98, or ME) and to Version 9.0 for Mac OS X 10.3.9 and higher. There isn't a separate PGP Freeware anymore. The price you pay for using PGP Desktop in its free mode is that every time you open it, it will tell you that it isn't licensed and you'll have to say OK.

Two important PDF documents come with PGP Desktop: The PGP Desktop User's Guide and Intro to Cryptography.

Windows:
Start -> Programs -> PGP -> Documentation; the items you want are PGP Desktop User's Guide.pdf and Intro to Crypto.pdf.
Macs:
You'll have to copy them when you install it. Click on the file you downloaded, then click to open the PGP Desktop volume. Open the Documentation folder and copy out: User's Guide.pdf and Intro To Cryptography.pdf.

Unless you're the type of person who never reads software documentation, preferring to blunder about on your own (which I suppose you could do, once you have PGP Desktop installed -- it is that easy to use), print and use the PGP Desktop User's Guide instead. The User's Guide has lots of useful pictures and is very well written. I recommend it highly.

The Intro to Crypto is just that, an introduction to cryptography. The first chapter has the basics of cryptography. The third chapter was written by the guy who wrote PGP; it's very interesting.

 
   
 
     
Getting PGP Desktop
 
  1. Go to PGP Corporation's download site.
  2. Read and click that you accept the PGP Software Licence agreement.
  3. On the PGP Desktop Trial Download page, fill out the form. You must enter your name, address, email address, and country. There are a couple of dropdown list usage questions to answer also.
  4. Click to download the Windows 2000/XP or Mac OS X version.
  5. Confirm your email address by typing it again and clicking on the download your version icon again.
  6. Then it will tell you that you will get an email message with further instructions.
  7. The email message that you receive comes with a download link; click on it to download the installer.
  8. It also comes with a 6-part License number that you need when you're installing. Print this email message to make it easier to install and in case you ever want to install it again.
  9. Install PGP Desktop as described in the User's Guide (below).
 
     
Learning to Use PGP
 

The PGP Desktop User's Guide comes with the software, in PDF form. FAQs and a lot of additional PGP documentation are available on the International PGP Home Page: http://www.pgpi.org/

Both User Guides are organized like this:

Ch. 1 PGP Basics
Ch. 2 Installation
Ch. 3 User Interface
Ch. 4-6 Securing Email, Instant Messages, and Disks
...
Ch. 9 PGP Keys
Ch. 10 Managing PGP Keys
Ch. 11 (Mac) 12 (Win) Shredding

Plus appendices on options and a list of the words that are used in the keys (and how they're selected; also interesting).

The User's Guide is very well written, with clear, step-by-step instructions on how to use PGP. I don't recommend starting out by reading it from cover to cover; you'll get lost in the details of key management. (It's a very easy subject to get lost in.)

Print the User's Guide (170 pages for Macs and 252 pages for Windows), and follow the instructions in it to install and use PGP Desktop. You can skip the chapters on IM, Virtual Disks (Windows), PGP Disk Volumes (Macs), Shredding, Smart Cards (Windows), and the Appendixes if you want.

Then follow the basic steps in Chapter 2, jumping to the appropriate pages as it directs. (If you read it in Acrobat, the references are links; just click and you're there.)

 
     
Exchange PGP Keys with Others
 

Before you can use PGP in your correspondence with someone else, you'll have to exchange public keys with them. Here's how.

Yes, this is complicated. But key management is the only complicated part of using PGP Desktop. Actually encrypting and/or signing, and decrypting and/or verifying is easy.

Giving Your Key to Others

The first step in giving your public key to other people is to export it to a file:

  1. Open PGP Desktop:
    Windows: Start -> Programs -> PGP -> PGPkeys or click the key icon in the PGPtools.
    Macs: Applications -> PGP.app -> Keys
  2. Click on your key.
  3. From the File menu, select Export...
  4. This opens the Export Key to File dialog box.
    • The default name for the key file is Your Full Name.asc, which isn't a particularly good name. I changed mine to my netid: judygs.asc.
    • Don't check Include Private Key(s) (unless you're preparing a file to send to yourself on another computer, say at home).
    • By default, the key file is saved in the directory that PGP Freeware installed into; either take note of the directory's name or save it into another directory where you'll be sure to find it.
  5. Click Save.

The second step is sending the file you just created to other people who'll use it. The key is plain text, so you can attach the file you've created to a note or put a link to it or the key itself on your Web page.
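Because the exported .asc file is plain text, it can be checked before it is attached or posted. The following is an added example, not part of the original page or of PGP Desktop: it assumes the ASCII-armor layout of RFC 4880, parses each block, verifies the armor checksum, and reports whether any block carries private key material. The function names are hypothetical and the sample blocks are constructed placeholders, not real keys.

```python
import base64
import re

# OpenPGP packet tags that carry secret key material (RFC 4880, section 4.3).
SECRET_TAGS = {5, 7}  # 5 = Secret-Key, 7 = Secret-Subkey
ARMOR_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)\n-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 checksum used by ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def packet_tag(first_octet: int) -> int:
    """Packet tag from a header octet: new format if bit 6 is set, else old format."""
    if not first_octet & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return first_octet & 0x3F if first_octet & 0x40 else (first_octet >> 2) & 0x0F

def inspect_asc(text: str) -> list:
    """Return one dict per armored block: label, checksum status, first packet tag."""
    results = []
    for label, body in ARMOR_RE.findall(text.replace("\r", "")):
        lines = body.split("\n")
        # Armor headers (Version:, Comment:) end at the first blank line.
        lines = lines[lines.index("") + 1:] if "" in lines else lines
        raw = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
        sums = [l[1:] for l in lines if l.startswith("=")]
        crc_ok = bool(sums) and base64.b64decode(sums[-1]) == crc24(raw).to_bytes(3, "big")
        tag = packet_tag(raw[0]) if raw else None
        secret = tag in SECRET_TAGS or "PRIVATE" in label
        results.append({"label": label, "crc_ok": crc_ok, "tag": tag, "secret": secret})
    return results

def safe_to_share(text: str) -> bool:
    # True only if every block is intact and none holds private key material.
    blocks = inspect_asc(text)
    return bool(blocks) and all(b["crc_ok"] and not b["secret"] for b in blocks)

def make_armor(label: str, raw: bytes) -> str:
    # Builds the constructed sample blocks below; these are not real keys.
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: constructed sample\n\n"
            f"{base64.b64encode(raw).decode()}\n={crc}\n-----END PGP {label}-----\n")

PUBLIC_ONLY = make_armor("PUBLIC KEY BLOCK", b"\x99\x00\x04demo")
WITH_PRIVATE = PUBLIC_ONLY + make_armor("PRIVATE KEY BLOCK", b"\x95\x00\x04demo")
```

A file exported with Include Private Key(s) checked corresponds to the `WITH_PRIVATE` case, which `safe_to_share` rejects.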

You can also send your key to one or both of the two public PGP key servers: In PGP Desktop, highlight your public key, then from the Server menu, select Send to, and then select either the PGP or MIT server. PGPkeys will upload the key to the server you select. What's to prevent someone else from uploading another key and saying it's yours? Absolutely nothing.

For more information about exchanging public keys, see Chapter 9 of the PGP Desktop User's Guide.

If you normally use more than one email address, you'll want to associate those email addresses with your public key as well. For instructions, see Chapter 9 of the PGP Desktop User's Guide.

You might also consider adding a designated revoker -- someone who can cancel your public key if something drastic happens to your private key. See "Working with Revokers" in Chapter 10 of the PGP Desktop User's Guide.

Adding Others' Keys to Your Keyring

When someone sends you their key, save it into a file on your hard drive. Use the file extension .asc.

There are many ways to import someone's public key and add it to your keyring. These methods include:

  • Double-click on the file name. If PGP Desktop recognizes the file format, it will open the file and ask if you want to import the key(s) in the file.
  • Drag the file containing the public key onto the PGP Keys window, enter the passphrase protecting the key (if applicable) and click Open, then click Import.
  • When importing an X.509 certificate, the certificate can only be imported from a file with a PEM, PFX, or P12 extension.

PGP will automatically search your entire keyring whenever you decrypt a message or file or verify a signature.

Searching for Others' Keys on the Public Key Servers

  1. Open PGPkeys: Start -> Programs -> PGP -> PGPkeys or click the key icon in the PGPtools.
  2. From the Server menu, select Search.
  3. Select a keyserver; PGP Desktop uses either PGP Global Directory or keyserv.pgp.com.
  4. On the PGPkeys Search Window, use the email criteria: Email and contains, and type the email address you are searching for in the next box. Email addresses make good search criteria because they're pretty much unique and are therefore usually included in a public key's User ID. If that doesn't work, try searching on Name. But that might be weird for some names. For example, I have a two-part last name. Neither part of my name returned me; only the full name did.
  5. The server will return a list of keys matching your criteria; right-click on a key you want to keep, then choose Import from the right-click menu.
 
     
What to do with Untrusted Keys
 

By default, all keys you import to your keyring are "untrusted" until you tell PGP otherwise. If you're sure the key is valid and you don't mind getting an error message every time you use it, you can just ignore the invalid key error message.

But you'll probably want to assign some level of trust to the keys you'll use most often. The best way to do this is to sign the key with a non-exportable signature:

  1. Open PGP Desktop.
  2. Click to highlight the key you want to sign.
  3. From the Keys menu, select Sign....
  4. Select a keyserver; ldap://certserver.pgp.com is PGP Freeware's default server; so try that first.
  5. On the PGPkeys Sign Key window, leave the "Allow signature to be exported." box unchecked. Click OK.
  6. Enter the passphrase for your private key in the PGP Enter Passphrase for Selected Key window.

You should never sign a key with an exportable signature unless you have met the person face to face, seen their identification, and have their personal assurance that the key you're signing is really theirs. Public PGP key distribution can't work unless people take key signing very seriously.

 
     
Warning: Keep Careful Track of Your Private Key and Its Passphrase
 

What's to keep someone from coming in your office or breaking into your computer from the 'Net and stealing your private key?

Your private key must be kept private. It's also rather big; too long, certainly, for you to remember and type every time you need it. So you have to keep it in a file on your personal computer. What's to keep someone from stealing it? Nothing, really. Which is why PKC software like PGP Freeware associates private keys with a password -- PGP Freeware calls it a passphrase -- and won't do anything with your private key until you enter that passphrase.

This is a good thing. It means that physical access to your personal computer and/or to your private key isn't enough to decrypt PGP-encrypted files/email, even those stored on your personal computer.

But it's a bad thing too. There is absolutely nothing that can be done if you forget your passphrase. Forget your passphrase, and you lose access to everything that's encrypted for you with PGP. Period.

What if someone does manage to steal your private key?

They've stolen your signature. Worse, actually; handwriting analysis should be able to give you plausible denial for a forgery of your handwritten signature. No such luck with digital signatures. What do you do if your private key is compromised? Your only option is to cancel your current key pair -- as of a certain date if you don't want to invalidate your previous digital signatures. After you create a new key pair, how do you tell everyone who has your old public key what's happened? You don't want anyone else to be allowed to cancel your keys, but if you've forgotten your password, how can you prove you're really you? (PGP's answer to this question is to allow you to specify a designated revoker -- someone who can cancel your public key if something drastic happens to your private key. See "Adding a designated revoker" in Chapter 3 of the PGP User's Guide.)

What about encryption and digital signatures in your professional life?

What if a colleague encrypts important work-related files and then quits without leaving the key? What if he just forgets his password? One answer to work-related encryption is to have key escrows that allow supervisors to obtain copies of subordinates' keys. That, of course, brings up even more questions! The simple answer to this question, at least at UIC, is don't use your own private PGP key to encrypt departmental files. (It's not legal, anyway.) But your department could purchase a copy of the commercial version of PGP or some other similar software package, select a departmental key, and use that to encrypt sensitive files.
 
     
Using PGP with Email
 

Windows:

  1. Write a note as usual.
  2. Copy the entire text of the note to be encrypted or to be decrypted to the clipboard (with File -> Select All and then File -> Copy or whatever you normally use).
  3. Open PGP Desktop.
  4. Click whichever of the Encrypt, Sign, Encrypt & Sign, or Decrypt & Verify buttons is appropriate for your task.
  5. Don't select a file; instead click the Clipboard button.
  6. If you're encrypting a note to be sent, paste the encrypted text back in your note. (Replacing the unencrypted text in the process, of course!)

This is pretty easy, yes?

Macs:

  1. Write a note as usual.
  2. From the menu beside the Apple menu (the one with the application's name), select Services -> PGP and then select whichever of the Encrypt, Sign, Encrypt & Sign, or Decrypt & Verify buttons is appropriate for your task.
  3. Send the message.

 

 
 



2005-12-2  document@uic.edu