Even before the modern electronic age, militaries and individuals encoded sensitive messages. For example, in World War II, the Nazis used an encryption machine called Enigma that manipulated text through a series of alphabetic transformations to make the encoded text, called ciphertext, unreadable to the casual observer (Sale). Decoder rings are a popular item to put into a box of cereal, and they allow children to send and receive secret messages and pretend they are an international spy like James Bond or Ethan Hunt.
Intro
Introduction to Encryption
The benefits of this technology are many and varied, ranging from E-commerce to personal privacy issues. However, as with most good things, this technology can be used for evil purposes as well. Just as a person interested in maintaining their personal privacy could use this technology to protect their credit card information for example, a terrorist could encrypt messages sent to worldwide operatives and prevent law enforcement from understanding their movements. The American people have already decided that the benefits of encryption outweigh the potential risks and policy intended to limit this technology is doomed to failure.
E-mail
In the electronic world, however, everything is different. Your email message travels in the clear through numerous computers between you and its destination, and at any one of those points the message could be read without your knowledge.
.
.
Use Encryption
Everyone seals the envelope when they send a first class letter. It therefore doesn't draw any attention. In the electronic world, though, it is still a minority of people who use encryption. This is unfortunate, because it draws attention to yourself. People think to themselves "I wonder what this person has to hide" when in fact the encrypter is simply exercising his or her rights to privacy. Thats why its imperative to get many people using encryption. Once "all of your friends are doing it" it will no longer be considered unusual to be exercising your right to privacy.
Conventional Cryptography
With conventional cryptography, you encrypt your message with a key. This key is needed to both encrypt and decrypt. You and your recipient both have that key, and only those with that key can decrypt the message. Problem: How do you get that key to your recipient? If you're a rich government, you can send couriers around with deciphering pads. It was this problem that kept good cryptography from ordinary folks for a long time.
PGP Intro
With public key cryptography, there are two keys involved. One key is needed to encrypt (the recipient's public key) and another key is needed to decrypt (the recipient's private key). Both keys are needed: once you've encrypted your message with one of these keys, you can only decrypt it with the other. So when you use PGP, you create a keypair. One of those, the public key, you publicize as widely as possible. The other one, the private key, you keep safe. Anyone who wants to send you private email encrypts the message with your public key. Once that message is encrypted, only you -- the owner of the corresponding private key -- can decypher the message.
PGP Intro
Public key cryptography is computationally very expensive. It takes a lot of computing power to decrypt and encrypt a message. Therefore, PGP can be done by encrypting your message with a conventional algorithm (the IDEA algorithm), and then use the recipient's public key to encrypt just the IDEA key needed to decrypt the message.
Example
John then takes a copy of his key with her signature and makes that version of his public key available. Now anyone who gets his public key will find Sue's signature attached to it. So if Bill gets the key and doesn't know John but does know Sue, he can use the key confidently because he can verify Sue's signature. Sue is guaranteeing John's key.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQB9Ai5SBjIAAAEDgMEH/SL1oVXTCojeQFs+LtIbMKTyDOakGe6PVNofoIYBzJOC efPBJuPjAhsy1wdN+drKTzUmc5jttQjAOz/8GdTyDd/Dn2KbdK1nUkhL0uVjQcQK t0I1SwLTNRglqUIk2vgxEn9yusgRKueJy+Gcla0ABRG0KENocmlzdG9waGVyIEwu IEJhcm5hcmQgPGNiYXI0NEBjYm90LmNvbT60MUNocmlzdG9waGVyIEwuIEJhcm5h cmQgPGNiYXJuYXJkQGNzLnVjaGljYWdvLmVkdT6JARUDBRAw9wFk6Ua5BDQ4WtEB AWc/CACKDihbhCb3hxNGDGnphk6wC43v/iX3xsIherTivzpPFzNhbJn7GdWy36Zi H21sS927QvxurE3C8TLPqTIH3vLP6z+5kgHnXKw6uxJQIRvhKfawlIqBssELozyB SjaMxqt16694cdyx9F6D/XgZPwGT0ndQjD1wjrLCuhGk8rvTHiOA5kIzp2k2+0JH pcXuQ5Hm+pIAdUkDOTBG3DX9xrRxz7TayLEWODJ0XRw6xRn0v/Vyu3bmNAUyUf6V qwAnXqS40mkEXyh8ZlH70XPXhK2zNHgplld/ogwh/RSLUnr+Z/aIwb/Suj9vRMmP z3ojbk8yYJOOXiy88OtkO6aiyCgmiQCVAwUQL7qaL+WsBFE8FmB5AQH/9wP+NKQB Eh0IeQm10KTdL95+ZSKioGzqCpG591KXbPTHyRpbuYgteDoDoAGCiZ7taE7dU2Pl 3vuzk5NRyl0yq1VTL6/3crT5CYTgbzBf9BoxIwlLP5kKHShjiYAqrpKMFF/aDNjg PouUcRa27nDDBDC8XK8CydqjV69HFJTouyFQEHmJAJUDBRAv3hJO+0dzfX9RB5kB AV7uA/9h622/Ko0Vz8WsB0EkT/kT5MQvZggqJ5AdaFNhv7u8201wWUrSWc+jNiR4 kVPWu4GqiCbtVcynj7EnzUouJ1r1XQm7qFIM9JC/mkZRjsw6UU/h2AxmVcU2XO4N QKcplHEjEX3KzBqgpdHy2zl0uQKCUGjOKz96xfx8P3HieFAlFIkAlQMFEC/l0hlz 4iuXPmYitQEBCdgD/iJn1C+t34sCk5HWfHG7EYZRaJUn/prXUJFiR7LvOXGLWJni EMa4xalYHqQxnyiOOpoGxwOAUzUhiltLVKPfQvW7X3psaH4P30z3ynT73EKU4aOE prjz7JhkERbiEqQmO0oQTs42FUgdHQkAmDgXr8uu7R770rso5WgqL7ShKPFfiQCV AwUQLylvCa80BYcJwzvpAQF2mwP9FshepD176YuNiBttZuWUv9S++Z7Nj/T9b4sF P4RMUKh7lh7hCAXMujJU+Gyu8zt28lfVf59IlLrQ+zHcLLISlcS0KrO92FZBi/Ys EPlvjKIFCdO92vqKyPssrl4gHoQ7HdqgqUfjHSxcGDD72L3qeQXncIpG80v2k5fH 4ZNYGueJAJUDBRAvOkOg1H1Y19E3Ei0BASAwBADlJ96kDH9e0KTEWioWJwvx2q9K n3hLzFGakxhsDWu69SbS6c24wX5SiW94gZSVIa3+Y2c5JJzMN/TWUeIfNZ/k2lpv xxmARlT4Y42UWANgdJzeG2CEn8Ckxd/deNuTuwPImhy9EwgBNDkPiAGUV/3grUw0 pI81CcZv9MruJM6fpYkAVQIFEC5T2iM62cajbWLdNQEBlKgCALQ8UqtOdapPPZso Uqrb59W5iNWU0HWm2CCRpsea1IriqFN1v2Cgod4AFuuXHxdxjl4+75uPqrb/4Rza +3+vNH+JAIUDBRAuh0MtKueJy+Gcla0BATfTA3wKlwaR5cxNEJjbhWsUPEiynd5G FRAKkGs2PhOj/83WgTbNBV88xOjok0Dm6voBdeFJd9xRMKd41J63hI8PRVIciyK+ EJJK3vf1SbW+AwwQMi38I+R/49q1KR1OaLbvHGnq81Z4OjojS9LV9DTxM6tF =4uim -----END PGP PUBLIC KEY BLOCK-----
Too Long
Fingerprints
A fingerprint is an MD5 checksum of the public key, and is much easier to read. The MD5 (Message Digest number 5) value for a file is a 128-bit value similar to a checksum. Its additional length (conventional checksums are usually either 16 or 32 bits) means that the possibility of a different or corrupted file having the same MD5 value as the file of interest is drastically reduced. Because every different file has an effectively unique MD5 value, these values can also be used to track different versions of a file.
Generating Fingerprints
You should generate the fingerprint of your public key as soon as you create it, and write it down somewhere.
Getting PGP
ITAR regulations restrict access to PGP to United States and Canadian citizens. So if you are a citizen of the US or Canada, you should get the latest version of PGP (currently 2.6.2) from the official MIT distribution site at http://bs.mit.edu:8001/pgp-form.html If you are outside of the United States or Canada, you should get the program from a European or Asian mirror site. This site in England has a fairly complete list of sites around the world where you can obtain PGP for Unix, Mac, or PC platforms. If you are a commercial company, you should get version 2.7, the commercial version, from ViaCrypt. If you have problems compiling PGP, a FAQ is available from the same site that distributes PGP.
If electronic mail systems are to replace the existing paper mail system for business transactions, "signing" an electronic message must be possible. The recipient of a signed message has proof that the message originated from the sender. This quality is stronger than mere authentication (where the recipient can verify that the message came from the sender); the recipient can convince a "judge" that the signer sent the message. To do so, he must convince the judge that he did not forge the signed message himself! In an authentication problem the recipient does not worry about this possibility, since he only wants to satisfy himself that the message came from the sender.
Signatures
Electronic Signatures
An electronic signature must be messagedependent, as well as signer-dependent. Otherwise the recipient could modify the message before showing the messagesignature pair to a judge. Or he could attach the signature to any message whatsoever, since it is impossible to detect electronic "cutting and pasting."
An electronic checking system could be based on a signature system. It is easy to imagine an encryption device in your home computer terminal allowing you to sign checks that get sent by electronic mail to the payee. It would only be necessary to include a unique check number in each check so that even if the payee copies the check the bank will only honor the first version it sees.
Signatures
Another possibility arises if encryption devices can be made fast enough: it will be possible to have a telephone conversation in which every word spoken is signed by the encryption device before transmission. When encryption is used for signatures as above, it is important that the encryption device not be "wired in" between the terminal (or computer) and the communications channel, since a message may have to be successively enciphered with several keys. It is perhaps more natural to view the encryption device as a "hardware subroutine" that can be executed as needed.
The bank first decrypts the cyphertext with DA to obtain S. The bank knows who is the presumed sender of the signature. The bank then extracts the message with the encryption procedure of the sender, in this case EB available on the public file: M = EB (S) The bank now posses a message-signature pair (M,S) with properties similar to those of a signed document. Bob cannot later deny having sent to the bank this message since no one else could have created S = DB (M). The bank can convince a judge that EB (S) = M, so the bank has proof that Bob signed the document
The Bank