Secure E-Mail

Security and privacy have always been important issues, but never more than today, with the advent of computers and the extensive use of electronic communication. One of the biggest areas of potential violation of security and privacy is also the most commonly used: e-mail. E-mail gives us fast and easy communication with far more options than traditional mail, but the risks are greater as well. E-mailed file attachments are the biggest spreader of viruses, Trojans and worms. In addition, there is always the privacy issue of not knowing who has seen your e-mail, or even whom it really came from. Ordinary e-mail travels across the network as plain text, so it can be read by anyone positioned along its path using a packet sniffer or other tools readily obtainable on the Internet. So how do you protect your e-mail and keep it private?

Pretty Good Privacy (PGP)

A free (for non-commercial users) and easy solution is an encryption program called Pretty Good Privacy (PGP). PGP has many uses, but this article will focus on using it to secure e-mail on Windows-based systems.

First, it is important to understand how encryption works. There are two basic forms of encryption: conventional and public key.

Conventional encryption is also called secret key or symmetric key encryption. The document is encrypted using a secret key and then sent to the recipient, who decrypts it using the same secret key. The sender and recipient must both have the same key and a suitably secure way to get the key from one to the other; that key distribution problem is the weak point of the scheme. "One-time pads", an extremely secure encryption system that is still used in a limited way by governments, are an example of a conventional encryption system.

Public key encryption works with a pair of keys. The document is encrypted with the public key of the recipient and then sent to the recipient, who decrypts it with their private key.
Only the recipient has the private key needed to decrypt the document; anyone can have the public key, but it can only be used to encrypt documents for that recipient. Thus anyone who has your public key can send you secure documents, even people you have never met, but nobody can use your public key to read the encrypted documents sent to you, because you and you alone hold the private key needed to decrypt them.

PGP lets users apply public key encryption to e-mail without any fuss. (Under the hood, PGP does not encrypt the whole message with the public key: it generates a fresh random conventional key for each message, encrypts the message with that key, and encrypts only that session key with the recipient's public key. Public key operations are slow, so this hybrid approach gives the convenience of public keys with the speed of conventional encryption.) PGP was first released as a DOS program and it was not very user friendly, but times change, and now PGP comes in a user-friendly environment that, with a little time and effort, will let you send and receive secure e-mail.

Using PGP

First you must install your copy of PGP. After installation you will need to set up your PGP key pair (your public and private keys). You do this by going to Start/Programs/PGP/PGPkeys, which launches the PGPkeys program. You will see a list of public keys that are included with the program; these are keys from people on the PGP and Network Associates team as well as the public key of Phil Zimmermann.

To create your key pair, click on the first icon on the toolbar (the one with a key in it). This opens the Key Generation Wizard, which walks you through the steps needed to create your key pair. You will need to enter your name and e-mail address so that people will know whom the key belongs to. Click Next and you will come to the screen where you choose the type of key you are going to make: either RSA or Diffie-Hellman/DSS. RSA is the older style; most users now use Diffie-Hellman/DSS, and I recommend it, as it is now the de facto default. Next you will need to choose the key size, from 1024 to 4096 bits. The larger the key, the safer it is, but the more time it takes to decrypt, an issue on some slower machines.
I recommend choosing 2048, which is safe and doesn't take too much time to process. Click Next again and you will have to decide whether you want your key pair to expire on a certain date in the future or never expire. Choosing an expiry date is safer, because it limits how long a key can be used if it is ever lost or compromised, but for now I recommend just sticking with one that doesn't expire. After you have decided, click Next and you will choose your passphrase. PGP shows a little bar underneath that gives you an idea of how strong the passphrase you choose is; the passphrase is all that protects your private key if someone gets a copy of your key ring file, so choose a long one. After you decide on your passphrase and enter it, click Next. Now PGP will generate your key pair (this could take a little time on older machines). When it is done, click Next and it will give you the option to send your public key to a PGP public key server (making the key available to anyone who might want to send you secure e-mail). Let's hold off on doing that for now. Click Next and you are done and back in PGPkeys.

With your key pair generated, you will see your keys listed in the key section of the program. Remember to keep your private key to yourself and do not share it with anyone; it is the key to your secure communications. But feel free to distribute your public key to anyone you like; it allows them to send you secured e-mail that only you can read.

Encrypting

For users of Outlook, Outlook Express and Eudora this is very simple. First compose your e-mail and, when it is done, click on PGP on your e-mail program's toolbar and choose Encrypt Now. This brings up the PGPkeys program with a list of the public keys you have on your system. Select the public key of the person you are sending the e-mail to and PGP will encrypt your message.
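What PGP puts into the message body at this point is "ASCII armor": a "-----BEGIN PGP MESSAGE-----" line, an optional Version header, a blank line, the binary message encoded in radix-64 (base64) and broken into 64-character lines, a checksum line starting with "=" that carries a CRC-24 of the binary data, and an END line. The Python below is an added example, not code from this article or from PGP, that builds and checks that container using only the standard library; the payload it wraps is a constructed byte string, not a real PGP packet. The checksum line is the part worth seeing in code: it catches armor that was mangled in transit, and a decoder should refuse such a message rather than pass a half-corrupted blob on to the decryption step.

```python
"""Build and check the ASCII armor PGP wraps around an encrypted message.

Added example, not code from the original article or from PGP. It follows the
armor layout (BEGIN line, optional "Version:" header, blank line, radix-64 body
in 64-character lines, "=" + CRC-24 checksum line, END line) using only the
standard library; the payload used at the bottom is constructed for the demo."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ARMOR_LINE = re.compile(r"-----(BEGIN|END) PGP [A-Z0-9 ,/]+-----")


class ArmorError(ValueError):
    """Raised instead of handing a damaged or altered message on to decryption."""


def crc24(data: bytes) -> int:
    """The 24-bit CRC PGP stores in the '=' line (OpenPGP, RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, version: str = "PGPfreeware 6.5.2 for non-commercial use") -> str:
    """Wrap raw message bytes in a -----BEGIN PGP MESSAGE----- block."""
    body = base64.b64encode(payload).decode("ascii")
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # PGP wraps at 64 chars
    checksum = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    lines = ["-----BEGIN PGP MESSAGE-----", f"Version: {version}", ""]
    lines += body_lines + [f"={checksum}", "-----END PGP MESSAGE-----"]
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> tuple:
    """Parse an armored block into (headers, payload), rejecting it if the CRC-24 fails."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if len(lines) < 4:
        raise ArmorError("too short to be an armored message")
    head, tail = ARMOR_LINE.fullmatch(lines[0]), ARMOR_LINE.fullmatch(lines[-1])
    if not head or not tail or (head[1], tail[1]) != ("BEGIN", "END"):
        raise ArmorError("missing BEGIN/END armor lines")
    headers, i = {}, 1
    while i < len(lines) and lines[i]:  # armor headers run until the blank line
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ArmorError(f"malformed armor header line: {lines[i]!r}")
        headers[key.strip()] = value.strip()
        i += 1
    body = [line.strip() for line in lines[i + 1:-1] if line.strip()]
    if not body or not body[-1].startswith("="):
        raise ArmorError("missing CRC-24 checksum line")
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        stored = base64.b64decode(body[-1][1:], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ArmorError(f"bad radix-64 data: {exc}") from exc
    if len(stored) != 3 or crc24(payload) != int.from_bytes(stored, "big"):
        raise ArmorError("CRC-24 mismatch: armor was corrupted or altered in transit")
    return headers, payload


if __name__ == "__main__":
    block = armor(b"constructed payload, not a real OpenPGP packet")
    print(block)
    print(dearmor(block))
```

Feed dearmor() the armored block of a real message and it returns the Version header and the raw packet bytes, or raises ArmorError. That is the response you want on the receiving side: a message whose checksum fails should be treated as damaged, not decrypted and trusted.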
You will now see your message as a bunch of unintelligible text and numbers; this is what an encrypted PGP message looks like:

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.2 for non-commercial use

qANQR1DBwU4DbVQooTf+ROgQB/wJJ9CzlSD6RgX0/hAXOq5gjtD5Os0awaM9AsHc
rAc3xNA0bN01KLNmisNiQOymwIRXc0yz1/k12rr01TpSIVqkKene6D/5nrR8wnMq
aDpeiFilW472R3VtxzvX2Q77ySRSy36OZF1oPFCHoBfQgHiaBTLJ6sjtwtWXhfqK
lniqLHy/JSOBM1rumQ05w8AHh/1Luo5Weq4Rs+XBTE/U/fCR0JQn70ND9z8Gl7V2
aIeGg2jC27dPV7UXmbsH4Ud+ouR3Y3vvvtJ7tUkpnPgPC0O7V6WufVyTpw+pQ0fW
RlYg1xBLMnLxtW/zd4U++VPLxbE2igJxMcIOn6od/HkZ/jg5B/9DxKCTCWHN719w
iiY9awbeWP9V7S2vpO2wU7NuV2TZvktrp1If4beVcSARNQVmxaML7KwVJ/JXqFxy
RaoKQuryFKCq1ifig6TPjMgcGEzDJKvgv9FNMLZBgUUmE5m+vRFQ/mfhsQQ73GWU
aa1QnhToFIbQw0NYvX9JlgpJrLdJjRDPtZ0UznC2jPILzxHesTsJNbdWjDtd9Drz
sQ3US9ZOK+Y9ky5TPxnQ+o2JiP2aY8R1/MpHdBmBaclYgxpTZ78a1BiEr+SKNIO1
XVNxJjxstavvbFS1iK/scGS7sDrYGVQ7sUQ1OwxOHnEiCjr9IUPeWHzOOZNLEea0
CXzq5xjoyTl1t2lMoO+6dtr37v830TvOhWNN9lpxo5jbWDEIO2sIF0j3j1eoXW3V
zKqRPjMfz9iSpNsM8yViXEY=
=Mpks
-----END PGP MESSAGE-----

Can you read that? Now you can safely send your encrypted e-mail without fear that someone other than the recipient will be able to read it. Note that only the body is encrypted: the subject line, the sender and recipient addresses and the other headers still travel in the clear.

Decrypting

How about decrypting and reading e-mail sent via PGP? When you open the e-mail you will see some unintelligible text, just like the example in the previous paragraph. If you are using Outlook, Outlook Express or Eudora, decrypting is very easy. Click on PGP on your toolbar, then choose Decrypt/Verify. This brings up a box that shows you which public key the message was encrypted with and asks you for the passphrase of your private key to decrypt the e-mail. Enter your passphrase and click OK, and that unintelligible junk you just received is now a readable e-mail. This is what the encrypted message above says:

This is a test of the PGP program.

Use with unsupported e-mail programs

What if you don't use one of the major e-mail programs that have plug-in support for PGP?
There is an easy workaround. Make sure that you have PGPtray loaded; go to Start/Programs/PGP/PGPtray. This loads the program and displays a small lock icon in your system tray. Used this way, PGP encrypts and decrypts through PGPtray and the Windows clipboard, which is very simple once you understand how it works.

To encrypt a message you want to send to someone: compose the message and, when you are finished, copy the text to the clipboard. Then click on the PGPtray icon, select Clipboard and choose Encrypt, which brings up your list of public keys. Select the recipient's key and the program encrypts the text on the clipboard. To send the message, simply paste the now encrypted text into your e-mail message window and send it to the recipient in the normal manner.

To decrypt an encrypted e-mail you do the opposite. Copy the encrypted text to the clipboard, click on the PGPtray icon, choose Clipboard and select Decrypt & Verify. PGP asks for the passphrase of your private key, decrypts the e-mail and displays it so you can read it. You may save the decrypted contents to a file as needed.

Signing your message

In addition to its encryption capabilities, PGP allows you to sign your e-mail message so that the recipient knows that it is from you. To sign the message, follow the steps listed above with one exception: instead of choosing Encrypt, select Encrypt and Sign. Then choose the public key with which you wish to encrypt the message, as before. PGP will prompt you for the passphrase of your private key, which it uses as the signing key. PGP encrypts the message with the recipient's public key and signs it with your private key; the recipient verifies the signature with your public key. Because only you hold the private key, a signature that verifies proves the message came from you and was not altered on the way.
A signed message, when decrypted, will look like this:

*** PGP Signature Status: good
*** Signer: Zenwolf
*** Signed: 3/13/2000 1:42:11 PM
*** Verified: 3/13/2000 1:46:21 PM
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***

This is a test of PGP using a signed message.

*** END PGP DECRYPTED/VERIFIED MESSAGE ***

Exchanging Public Keys

Now we know how to encrypt and decrypt e-mails sent with PGP, but how do you send and receive public keys so you can communicate with other people using PGP? There are several ways to do this. When you installed PGP there was mention of sending your public key to a PGP public key server. A PGP public key server is an Internet repository of public PGP keys. Many experienced PGP users use key servers to make it very simple for others to obtain their public keys, and to avoid having to send their public key manually to everyone who asks.

Another way, and perhaps the most popular, is to exchange public keys via e-mail. To send someone your public key, open PGPkeys, highlight your key, select Keys, then choose Export and save this file. When you need to send someone your public key, simply send this file as an attachment and they can add your key to their key ring.

Now how do you add someone's public key to your key ring? Once you have received their public key, open PGPkeys and select Keys, then Import. Choose the key from where you saved it and it will be entered into your key ring. You can then use it to send encrypted messages to that person. One caution: neither a key server nor an e-mail attachment proves that a key really belongs to the person named on it, because anyone can create a key carrying any name and address. Before you trust a new key, compare its fingerprint (shown in the key's properties in PGPkeys) with the owner over the phone or in person.

Now you can use PGP to encrypt and decrypt your e-mail messages. It is not that hard to do, and once you have done it a few times it becomes second nature. Encryption ensures the privacy of your e-mail, and signing positively identifies the sender of correspondence you receive.

You can pick up your free copy (for private non-commercial use) of PGP from MIT here: http://web.mit.edu/network/pgp.html

http://www.PCNineOneOne.com