GNU Privacy Guard and Pretty Good Privacy

Electronic mail is a wonderful communications medium that I use and rely on for important communications. Unfortunately, electronic mail has two properties that make it difficult to trust for important communications. First, it is trivially easy to forge email that appears to be from anybody: the From line and the other headers are just text that the sender supplies. Hundreds of forged email messages from spammers and viruses assault my electronic in box every day. Second, email is not private. Indeed, it is much less private than most people think it is. Many people have the ability to read and store your email. One partial solution to both of these problems is the use of GNU Privacy Guard (GPG) or the older, compatible program Pretty Good Privacy (PGP). These programs allow people to digitally sign messages in a way that cannot practically be forged without the signer's private key. They also allow people to encrypt messages so that only the holders of the intended private keys can read them. (They protect the message body only; the subject line, sender, recipients and other headers are still sent in the clear.) At least, that is the theory. (More about how effective this is follows, below.)

My Public Keys

If you already know how to use GPG and/or PGP, then all you need is to get a public key of mine here and send me one of yours, and we can verify each other's digital signatures and encrypt private email to each other. I have multiple keys for multiple email addresses and applications, but every key I currently use is signed using the first key in the following list. Before you trust any of them, check that the full fingerprint of the key you obtained matches the one listed here, so that you know that some other person didn't generate a fake key using my name and/or email address; the 8-digit key ID alone is not enough for this, since short key IDs are easy to duplicate. The following list does not contain the actual keys, which are here, but only the IDs and fingerprints of those keys. As an anti-spam measure to confuse web-crawling email-gathering robots for spammers, the email addresses below have been altered to replace @ with # and . with *. Undo those changes to get a real address matching the ID of the key.

pub   1024D/93505F26 2002-08-04
      Key fingerprint = 54D7 14D7 6956 DA66 73DC  1EEA 5F62 009D 9350 5F26
uid                  World English Bible editors <editors#eBible*org>
sub   4096g/8881AF66 2002-08-04

pub   1024D/17D747BB 1997-07-14
      Key fingerprint = 28AE B775 DD65 62C7 0717  ECDA 448F E0C7 17D7 47BB
uid                  Michael Paul Johnson <mpj#ebible*org>
sub   4096g/EA4E5F2D 1997-07-14

pub   2048R/CEE049D9 1996-01-30
      Key fingerprint = 3E 67 A5 80 0D FB D1 6A  6D 52 D3 A9 1C 07 4E 41
uid                  Michael Paul Johnson <mpj#csn*net> mpjA

pub   1024D/73F2577E 2004-11-19
      Key fingerprint = 248B 792D AA78 9DE8 46CA  1752 C86A D005 73F2 577E
uid                  Michael Paul Johnson <mpj#eBible*org>
uid                  Kahunapule Michael Paul Johnson (http://kahunapule.org)
uid                  Kahunapule Michael Paul Johnson <kahunapule#mpj*cx>
uid                  Kahunapule Michael Johnson <kahunapule#eBible*org>
uid                  Kahunapule Johnson <kahunapule#cryptography*org>
uid                  Michael Paul Johnson <kahunapule#bibledit*org>
uid                  Kahunapule Johnson <Kahunapule_Johnson#sil*org>
uid                  Kahunapule Michael Paul Johnson <Michael_Paul_Johnson#sil*org>
sub   2048g/88324647 2004-11-19

pub   1024D/C21DAA52 2006-04-14
      Key fingerprint = 4AC4 4B55 F4AA C741 73CA  8223 9A7C C5FF C21D AA52
uid                  Kahunapule Michael Johnson <Michael_Paul_Johnson#sil*org>
sub   4096g/9A39BBEB 2006-04-14

pub   1024D/C4C45B39 2006-10-25 [expires: 2016-10-22]
      Key fingerprint = C5CB D72E 877B 932B B604  54B5 E91A CF9C C4C4 5B39
uid                  Kahunapule Michael Johnson (kahunapule.org) <Kahunapule#eBible*org>
sub   2400g/667B6914 2006-10-25 [expires: 2016-10-22]

pub   2048R/6AF3BBEA 2011-03-07
      Key fingerprint = 1C73 7FCC 7F5D 0974 27EA  7505 F3A2 7B31 6AF3 BBEA
uid                  PNG Scriptures webmaster <contact#pngscriptures*org>
sub   2048R/40B93C86 2011-03-07

What is Public Key Cryptography?

Conventional (symmetric) cryptography uses a single key or password to encrypt and decrypt a message. The exact same key is used in both operations, so it has to be shared in advance by the sender and the receiver of a message, and anyone who learns it can read or forge their traffic. Public key cryptography is different. Keys are generated in pairs in such a way that it is computationally infeasible to derive the private key from the public key. One is used to encrypt a message, and the other one is used to decrypt it. Only the decrypting (private) key has to be kept secret, and only the person receiving the encrypted message has to have it. The encrypting (public) key can be published without compromising the security of the system. For example, any one of the public keys listed above allows you to send me a message that only I can read. It does not allow you to read anything that anyone else has encrypted to me with that same key, even if you intercept their message after it is encrypted, and even though you have the public key they used. This makes it much easier to manage keys and to establish private communications than with conventional cryptography. The problem that remains is making sure that a public key really belongs to the person it claims to belong to, which is what the fingerprint check described above is for.

What is a Digital Signature?

Legally, a digital signature is any technical means that provides a high degree of confidence that a given person intentionally took an action to signify authenticity of and/or agreement to a document. Cryptographic digital signatures using public key cryptography establish two things: that whoever made the signature had access to the signer's private key, and that the signed data has not been altered since, because a change of even one bit makes the signature fail to verify. Anyone who has the signer's public key can verify signatures made with the signer's private key. You should be able to verify the signatures that I have made using the private keys corresponding to the public keys listed above, because you can download the corresponding public keys from this web page.

Where Can I Get PGP & GPG?

You can get a freeware version of PGP restricted for noncommercial, personal use from the International PGP Home Page, or you can buy a copy of PGP from Symantec, complete with support. If you want a free email encryption and digital signature program that you can use both for business and personal use, you can download GNU Privacy Guard. Because I use Thunderbird for my email, I like to use GPG with the Enigmail plugin. It makes using encryption for digital signatures and privacy with email much easier.

How do I use GPG or PGP?

Please download a copy and read the instructions that come with it.

What is the Difference Between PGP & GPG?

When Phil Zimmermann originally wrote Pretty Good Privacy, he released it under the GNU General Public License as copyrighted freeware. However, because of patent royalty issues and legal defense costs related to USA export laws, he made the upgrades to it into a proprietary program, the rights to which have been traded around. Symantec now owns PGP. Although the RSA algorithm patent has now expired, most versions of PGP still use the IDEA encryption algorithm as well, which was patented in several countries (those patents have since expired too). GNU Privacy Guard is a from-scratch implementation of the same formats, with code released under the GNU General Public License and written so that it did not need the IDEA algorithm, so that it can be truly free. The algorithms and data formats used in PGP, GPG, and compatible programs are publicly documented in the IETF OpenPGP standard (RFC 4880), which the OpenPGP Alliance promotes. Current versions of PGP can use the NIST Advanced Encryption Standard (AES) in place of IDEA, and therefore can interoperate with GPG. AES is at least as strong as IDEA (it supports longer keys and a 128-bit block), and it costs less, as it is not patented and is therefore royalty-free. It turns out that GNU Privacy Guard is more compatible with the OpenPGP standard than the original Pretty Good Privacy is. PGP has a more polished Windows interface, but the command line version is no longer sold. GPG is command line-based, but Windows front-ends are available for it, too.

What is a Key Fingerprint?

A key fingerprint is a short cryptographic hash of the key itself, printed as hexadecimal digits. For current (version 4) OpenPGP keys it is the 160-bit SHA-1 hash of the public key material, shown as 40 hexadecimal digits, and the key ID is simply its last 16 digits (the 8-digit "short" ID shown in listings such as 1024D/93505F26 above is the last 8). The older 1996 key above uses the version 3 format, whose fingerprint is an MD5 hash shown as 32 digits and whose key ID is not derived from the fingerprint. Because the fingerprint depends on every bit of the key, a different key carrying the same name and email address has a different fingerprint. By checking that the fingerprint you have on my public keys matches what I have on the same keys, you can have some level of assurance that someone didn't send you a fake key that claims to be mine, but is really the key of a spy or forgery artist. Compare the whole fingerprint, not just the key ID: 8-digit key IDs are short enough that a forger can generate a key with a matching one.
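The following shell script is an added example, not code from this page or from the GnuPG project, that walks through the things asked for above under "How do I use GPG or PGP?" and "What is a Key Fingerprint?" (and exercises the public-key encryption and digital signatures described earlier): comparing a fingerprint copied from a web page with what gpg reports, then signing, verifying, encrypting and decrypting with a throwaway key. It assumes gpg (GnuPG 2.1 or later) and gpgconf are on the PATH. The identity demo@example.invalid, the message text and the script name are constructed for the demo; the key lives in a temporary GNUPGHOME that is deleted afterwards. The fingerprints given to the pure helpers in the usage note are the first two from the list above.

```sh
#!/bin/sh
# Added example, not part of this page or of GnuPG. Assumes gpg (GnuPG 2.1+), gpgconf,
# awk, cut, grep, sed, tr and mktemp. The identity demo@example.invalid, the message and
# the keyring are constructed here for the demo only.
set -eu

# Strip the spaces gpg prints inside a fingerprint and upper-case the hex digits, so a
# fingerprint copied from a web page compares equal to the one gpg reports.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both strings are well-formed 40-digit (version 4) fingerprints and equal.
fingerprint_matches() {
    a=$(normalize_fingerprint "$1")
    b=$(normalize_fingerprint "$2")
    printf '%s\n' "$a" | grep -Eq '^[0-9A-F]{40}$' || return 1
    [ "$a" = "$b" ]
}

# For version 4 keys the 64-bit key ID is the low-order 64 bits of the fingerprint, and the
# 8-digit "short" ID that listings such as 1024D/93505F26 show is the low-order 32 bits.
# Short IDs are cheap to collide, which is why the full fingerprint is what you compare.
long_key_id()  { normalize_fingerprint "$1" | cut -c 25-40; }
short_key_id() { normalize_fingerprint "$1" | cut -c 33-40; }

# Create an isolated keyring and a throwaway, unprotected signing+encryption key in it.
gpg_demo_setup() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never
}

# Read the primary key's fingerprint from gpg's machine-readable (colon) output.
gpg_primary_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint check, detached signature (good and forged), then encrypt and decrypt.
# Returns 0 only if every step behaves the way the page says it should.
gpg_demo_run() {
    gpg_demo_setup >/dev/null 2>&1 || return 1
    demo_uid='demo@example.invalid'
    work="$GNUPGHOME/work"; mkdir "$work"
    printf 'Meet at noon.\n' > "$work/msg.txt"

    # 1. What a recipient does before trusting a key: compare the published fingerprint.
    fp=$(gpg_primary_fingerprint "$demo_uid")
    spaced=$(printf '%s' "$fp" | sed 's/..../& /g')   # the spaced form shown on web pages
    fingerprint_matches "$spaced" "$fp" || return 1

    # 2. A detached signature verifies against the original file...
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$demo_uid" --armor --detach-sign \
        --output "$work/msg.txt.asc" "$work/msg.txt" || return 1
    gpg --batch --quiet --verify "$work/msg.txt.asc" "$work/msg.txt" 2>/dev/null || return 1
    # ...and fails once the message is altered, which is the forgery case.
    printf 'Meet at NOON.\n' > "$work/forged.txt"
    if gpg --batch --quiet --verify "$work/msg.txt.asc" "$work/forged.txt" 2>/dev/null; then
        return 1
    fi

    # 3. Encrypt to the public key; only the matching private key can decrypt.
    gpg --batch --yes --quiet --armor --recipient "$demo_uid" --encrypt \
        --output "$work/msg.txt.gpg" "$work/msg.txt" || return 1
    grep -q 'Meet at noon' "$work/msg.txt.gpg" && return 1   # ciphertext must not leak the text
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/msg.txt.gpg" 2>/dev/null) || return 1
    [ "$plain" = 'Meet at noon.' ] || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Stand-alone use (file name assumed): sh gpg_demo.sh run
if [ "${1:-}" = "run" ]; then
    gpg_demo_run && echo "all checks passed"
fi
```

Run it as `sh gpg_demo.sh run`, or source it and call the helpers directly: `fingerprint_matches '54D7 14D7 6956 DA66 73DC  1EEA 5F62 009D 9350 5F26' "$(gpg_primary_fingerprint editors@eBible.org)"` is the check the page asks you to make after importing a key, and `short_key_id` of that same fingerprint gives 93505F26, the ID shown beside it in the list. The demo key is unprotected only because it is disposable; a real key should have a passphrase, and the `--passphrase ''` flags should then be dropped so gpg-agent prompts for it.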

How Secure are GPG and PGP?

They are actually VERY secure when properly used, with adequately long keys, on computers that are themselves secure. No practical attack on the algorithms themselves is publicly known, and they are generally believed to be beyond the ability of even major governments to break. (Key length matters: 1024-bit DSA and RSA keys, such as several of those listed above, are below the sizes recommended today; 2048 bits or more is the current minimum.) However, the weak link in the chain is not the strength of the cryptographic algorithms used. It is the fact that your computer can easily be infected with spyware that could copy your private key file, capture your passphrase, and report them back to someone else. If your computer is not physically secure 100% of the time, or if you ever run questionable software on it, or if a computer virus with a spyware payload attacks it, then someone could monitor your keystrokes and read your files, making encryption nothing but a source of a false sense of security. Nevertheless, it is still much harder to forge a digital signature made with one of these programs than to forge headers in an email message. It is also still harder to forge a digital signature than a handwritten one, provided that you properly verify that the correct keys are used and provided that you take reasonable precautions to keep your secret keys secret.

For More Information...

For more information on how these programs operate, I recommend that you get a current copy and read the instructions that come with it. There are also books that have been written on PGP.
