OpenOffice How To, Configuration, and Installation

Show Sponsor:

Show #75:

• Date: 2008-03-03
• Subject: PGP Encryption Configuration and How To
• Duration: 37:32
• Format: MP3
• Size: 15,436 kb

Topics Discussed:

• My Comments
• PGP Background
• Encryption Safety Concerns
• Encryption Software

Additional Information:

~~ PGP Background

PGP (Pretty Good Privacy) encryption uses public-key cryptography and a system to bind an encryption key to a user name. PGP creates a hash from the plaintext and then creates a digital signature from it using the senders private key. The digital signature is used to encrypt something and it is sent to someone who uses the senders public key to decrypt and confirm that it originated from the correct person and has not been tampered with.

Phil Zimmermann created the first version of PGP in 1991. The name Pretty Good Privacy was inspired from a grocery store that goes by the name of Ralphs Pretty Good Grocery in a fictional town called Lake Wobegon that radio host Garrison Keillor came up with. PGP was created though to be a very secure encryption scheme and was pretty good. The name was just created for some fun and irony. The first version that Zimmermann created himself was a symmetric-key algorithm name BassOmatic after a Saturday Night Live skit. PGP was created by Zimmermann with no license required for non-commercial use so that people might securely use BBSs and securely store messages and files. Additionally the complete source code was included with all copies. Ultimately PGP found its way onto the Usenet and from there onto the Internet.

Unfortunately shortly after its release the encryption software found its way outside the United States and in February 1993 Zimmermann was put under criminal investigation by the US Government for "munitions export without a license". Cryptography solutions that used keys larger than 40 bits were considered munitions within the definition of the US export regulations and since PGP used nothing smaller than 128 bits it was suspect. Luckily after several years the case against Zimmermann was closed without filing criminal charges against him or anyone else.

During all this PGP 3 was released and had many security improvements including a new certificate structure. Due to their issues around patents and export problems it led them to use solutions that were unencumbered by patents. After the Federal case Zimmermann and his team started a company to produce new versions of PGP and were ultimately merged with Viacrypt. In December 1997 this company was acquired by Network Associates and the PGP team became NAI employees. Unfortunately in February 2002 NAI cancelled all support for PGP minus a commandline product. So in August 2002 several ex-PGP team members formed a new company, PGP Corporation, and purchased the PGP assets from NAI. PGP Corporate is now supporting existing PGP users and legacy NAI support contracts.

~~ Encryption Safety Concerns

PGP is an encryption scheme that used public-key cryptography. You have two components (public & private key) that are needed to both encrypt and decrypt something along with a password. Whenever dealing with encryption or cryptography you need to be very careful. You are talking about a technology that will encrypt data with a code that is not breakable. This is not like pig latin where you can easily break the code. Encryption must be treated with respect and steps taken to protect yourself and make sure you have everything you need. The most important thing to note is that you need to keep a copy of your encrpytion keys in a safe place and you cannot forget your passphrase. I cannot stress how important it is that you keep that information safe and protected. Additionally when dealing with the PGP software or anything that is used to encrypt Emails it will link to your Email address. That means you need to make sure you use an Email address that will not go away. Usually there are ways to make sure you can revoke the Email address you use but if you fail to follow those steps you can get stuck.

Why? Without all three of these components you cannot undo the encryption. There are no back doors or anything. The data encrypted is lost without those three components. End of story. Sorry for the morbid reference but it is like death. Once you are dead you are dead, end of story. If you lost the components needed to decrypt - you lost the data.

Obviously you cannot keep the passphrase in a location where it can be read so do not write it down. If you must write it down to remember it then put it in a completely safe area away from the encryption keys. This way at least if someone finds one of these components they do not have access to the others. This will keep your encrypted data safe.

Here is an example of how dangerous encryption can be. I use to have an earthlink account but when I created the encryption keys I did not follow the process to undo it. This means that when I attempted to reregister my account with a new Email address I could not because it would send the approval to the earthlink account which was no longer valid. This was back in 1995 or so that I did this. So I actually stopped using PGP because of this. Then back in 2000 I was playing around with some VPN software that required a PGP encryption solution. Because I was just playing around I did not follow all the safety steps needed. But this time I used an Email address I knew would not go away and I even used a password that I thought I would never forget. What did I not do? Well I did not read all the documentation around the PGP software and did not export out a recovery file that would let you revoke or change the password if you happen to forget it. But I used a password I knew I would never forget. Well, so I thought. Here I am in 2008 trying to do a podcast on encryption and I copied the keys I had kept in a safe place all these years and went to encrypt a file so I could show you all how to do it. Well I type in the password and it fails. I try another password and it fails. I tried all my old passwords and it failed. Then after thinking real hard about it and remembering when I created the keys I kind of remember that I was only playing around when I set the encryption up and likely did not use a password I knew I would never forget. Or it was because it was such a secure password that I did not use it enough and it finally slipped from my mind after 8 years of not using it. So now I find myself with 2 different encryption key sets that I cannot use because I do not have all the correct information.

In this case I was lucky in that I never used it to encrypt files or other critcal data even though in both cases I was close to actually doing that. Had I done that the data would be lost. So learn from my mistakes and always make sure you have everything you need. Both the public and private key, access to the Email account, a password you will never ever forget, and the files needed to revoke the account or change the password or basically whatever is needed to get around the encryption if you lose one of the components. Not all solutions provide this much functionality but I do know that some do. So read up before you decide on a solution.

~~ Encryption Software

Here is some helpful software that can be used for encryption and PGP solutions.

• PGP Corporation - This is the original PGP software. They have a full suite of applications that will help use encryption to protect email, files, disks, etc. PGP Corporation has released a freeware version of their Desktop and Personal versions if you follow correct steps.
  ~~ Website: http://www.pgp.com/
  ~~ Downloads: http://www.pgp.com/products/freeware.html
  ~~ How to install PGP as permanent freeware: http://www.spywarewarrior.com/uiuc/ss/pgp8fw/pgp8fw.htm
• The GNU Privacy Guard - GnuPG is the GNU projects complete and free implementation of the OpenPGP standard.
  ~~ Website: http://www.gnupg.org/
• The Enigmail Project - Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. It integrates the renowned OpenPGP standard provided by GnuPG. Perfect for sending encrypted Emails.
  ~~ Website: http://enigmail.mozdev.org/home/index.php
• FireGPG - FireGPG is a Firefox extension (Perfect for Gmail) under GPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.
  ~~ Website: http://firegpg.tuxfamily.org/

....Back to Podcasts Archive....