your key management functions. PGP also installs a menu bar icon with a list of
commands in both the Windows and Macintosh versions, which allows integration
with your e-mail and other programs.
After you have created a key pair, you can begin corresponding with other
PGP users. You will need a copy of their public key and they will need yours.
Your public key is just a block of text, so it is easy to trade keys with someone.
You can include your public key in an e-mail message, copy it to a file or post it
on a public or corporate key server where anyone can get a copy when they need
it. (PGP Guide, p. 20.)
To send a client a private e-mail message, you use a copy of the client’s
public key to encrypt the information, which only the client can decipher by using
his private key. Conversely, when the client wants to send you encrypted mail, the
client uses a copy of your public key to encrypt the data, which only you can
decipher by using your private key. (PGP Guide p. 19.)
Once you have a copy of someone’s public key, you can add it to your
public keyring. You should then check to make sure that the key has not been
tampered with and that it really belongs to the purported owner. You do this by
comparing the unique fingerprint on your copy of someone’s public key to the
fingerprint on that person’s original key. (PGP Guide, p. 20.) The “fingerprint”
generally contains ten groups, each consisting of four letters and numbers. When
you are sure that you have a valid public key, you sign it to indicate that you feel
the key is safe to use. In addition, you can grant the owner of the key a level of
trust indicating how much confidence you have in that person to vouch for the
authenticity of someone else’s public key. (PGP Guide, p. 20.)
All this is easier to do than to describe. PGP easily creates and manages
your keys, allowing you to choose the level of encryption you require. The larger
the key file, the slower the encryption and decryption. A key of 1024 bits should
suffice for all but national security information. (PGP Guide, p. 37.) You may
encrypt and sign as well as decrypt and verify your e-mail messages, files and file
attachments. All you have to do is drag and drop the name of the intended
recipient from your public keyring list within a dialog box on your screen to use
Anyone can use a recipient’s public key to encrypt a message to that person,
and that recipient uses her own corresponding private key to decrypt that message.
No one but the recipient can decrypt it, because no one else has access to that
private key. Not even the person who encrypted the message with the recipient’s
public key can decrypt it. (PGP Guide, p. 97.) Knowing the public key does not
help you deduce the corresponding private key. The public key can be published
and widely disseminated across a communications network. This protocol provides
privacy without the need for the same kind of secure channels that conventional
secret key encryption requires.
Suppose you want to send a private message to Alice. (Note: All examples
referring to PGP keys use the now-famous “Alice.”) You download Alice’s public
key certificate from an Internet Web site. Then you encrypt your letter to Alice
with this public key and send it to her. When Alice receives it, she decrypts it with
her private key. Even the person who encrypted the message to Alice could not
read the message once it was encrypted. He did not have the decryption key.
PGP 5.5 and later versions automatically place your public key on the PGP
public key server and allow you to search this server for public keys of other
potential recipients of secure correspondence. Access their public keys through the
MIT public key server at http://www.pgpkeys.mit.edu. This keyserver is run by
PGP Security and may also be accessed at http://Certserver.pgp.com and
http://keyserver.pgp.com/.
For those with international clients, clones of this public keyserver are also
running at the following Keyserver.Net servers:
http://belgium.keyserver.net(key server developed by Sébastien Lemmens at
Veridis in Belgium)
http://finland.keyserver.net(key server run by Panu Lehti at NIC Data
Networks in Helsinki)
http://germany.keyserver.net(key server run by Andre Dieball and Marc
Packenius at Topnet in Krefeld)
http://thailand.keyserver.net(key server run by Vatha Promlikitchai and Viriya
http://www.service.uit.no/pgp/servruit.eng.html(keyserver run by Børge
Brunes at University of Tromsø)
http://math-www.uni-paderborn.de/pgp/(keyserver run by Juergen Peus,
University of Paderborn, Germany)
http://pgp.uni-mainz.de/keyserver(keyserver run by Christoph Martin at
University of Mainz, Germany).
Zimmermann advises that you protect your own private key and your
passphrase very carefully. (PGP Guide, p. 113.) The passphrase is yet another
level of security provided by the program. To protect your private key, you can
start by always keeping physical control of it, the way you would your house or
car keys. Keeping it on your personal computer at home is OK. Zimmermann
used to recommend keeping your private key on the notebook computer that you
carried with you, but with airport thieves concentrating on such desirable devices,
that is no longer feasible. If you must use an office computer that you don’t
always have physical control of, then keep your public and private keyrings on a
write-protected removable medium such as a floppy disk or a Zip™ disk, and take
it with you when you leave the office. You should only use your private key on a
machine that is under your physical control. (PGP Guide, p. 113.)
The recipient (or anyone else) can verify a digital signature by using the
sender’s public key to decrypt it. This proves that the sender was the true
originator of the message, and that the message has not been subsequently altered
by anyone else, because the sender alone possesses the private key that made that
signature. Forgery of a signed message is not feasible, and the sender cannot later
disavow his signature. You also use your private key to sign the e-mail you send
to others or to sign files to authenticate them. The recipients can then use their
copy of your public key to determine if you really sent the e-mail and whether it
has been altered while in transit. When someone sends you e-mail with his digital
signature, you use a copy of the sender’s public key to check the digital signature
![[made with GoClick]](imgs/goclick.gif)
