Electronic mail is a wonderful communications medium that I use and rely on for important communications. Unfortunately, electronic mail has two properties that make it difficult to trust for important communications. First, it is trivially easy to forge email that appears to be from anybody. Hundreds of forged email messages from spammers and viruses assault my electronic inbox every day. Second, email is not private. Indeed, it is much less private than most people think it is. Many people have the ability to read and store your email. One partial solution to both of these problems is the use of GNU Privacy Guard (GPG), or its predecessor, Pretty Good Privacy (PGP). These programs allow people to digitally sign messages in a way that is difficult to forge. They also allow people to encrypt messages so that only authorized people may read the message. At least, that is the theory. (More about how effective this is follows, below.)
If you already know how to use GPG and/or PGP, then all you need is to get a public key of mine here and send me one of yours, and we can verify each other's digital signatures and encrypt private email to each other. I have multiple keys for multiple email addresses & applications, but every key I currently use is in the following list and signed by previous keys I have used. It is wise to ensure that the key fingerprint of the key you have matches the one I generated, so that you know that some other person didn’t generate a fake key using my name and/or email address. The following list does not contain the actual keys, which are here, but only the IDs and fingerprints of those keys. As an anti-spam measure to confuse web-crawling email-gathering robots for spammers, the email addresses below have been altered to replace @ with # and . with *. Undo those changes to get a real address matching the ID of the key. The best one to use for sending new messages to me is the one I most recently generated, at the bottom of the list.
pub   dsa1024/5F62009D93505F26 2002-08-04 [SCA]
      54D714D76956DA6673DC1EEA5F62009D93505F26
uid   World English Bible editors <editors@eBible.org>
sub   elg4096/D31CB64A8881AF66 2002-08-04 [E]

pub   rsa4096/D5F12367498FC00C 2017-04-10 [SC]
      364E3220FEA4C51C79E8A743D5F12367498FC00C
uid   Kahunapule Michael Paul Johnson (mljohnson.org) <Michael@eBible.org>
sub   rsa4096/CD74EDC7F711F060 2017-04-10 [E]
Conventional cryptography uses a single key or password to encrypt and decrypt a message. The exact same key is used in both operations. The same key has to be shared by both the sender and a receiver of a message. Public key cryptography is different. Keys are generated in pairs in such a way that it is effectively impossible to compute one of the keys in the pair from the other one. One is used to encrypt a message, and the other one is used to decrypt. Only the key that is used to decrypt has to be kept secret, and only the person receiving the encrypted message has to have that key. The key used to encrypt can be made public without compromising the security of the system. For example, any one of the three keys linked to in the table above allows you to send me a message that only I can read. They don't allow you to read anything that anyone else has encrypted to send to me using any of those keys, even if you intercept their message after it is encrypted, and even if you have the public key they used. This makes it much easier to manage keys and to establish private communications than with conventional cryptography.
Legally, a digital signature is any technical means that provides a high degree of confidence that a given person intentionally took an action to signify authenticity of and/or agreement to a document. Cryptographic digital signatures using public key cryptography establish that the person making a digital signature had access to a given private key. Anyone who has access to the signer’s public key can verify signatures made using the signer’s private key. You should be able to verify the signatures that I have made using the private keys corresponding to the public keys listed above, because you can download the corresponding public keys from this web page.
You can get a freeware version of PGP restricted for noncommercial, personal use from the International PGP Home Page, or you can buy a copy of PGP from Symantec, complete with support. If you want a free email encryption and digital signature program that you can use both for business and personal use, you can download GNU Privacy Guard. GNU Privacy Guard is also available in the major Linux package distribution systems. Because I use Thunderbird for my email, I like to use GPG with the Enigmail plugin. It makes using encryption for digital signatures and privacy with email much easier.
When Phil Zimmermann originally wrote Pretty Good Privacy, he did so under the GNU Public License as copyrighted freeware. However, because of patent royalty issues and legal defense costs related to USA export laws, he released upgrades to it as a proprietary program, the rights to which have been traded around. Symantec now owns PGP. Although the RSA algorithm patent has now expired, most versions of PGP still use the IDEA encryption algorithm, as well, which is still patented in several countries. GNU Privacy Guard is a re-write of PGP with code released under the GNU Public License, and not using the IDEA encryption algorithm, so that it can be truly free. The algorithms and data formats used in PGP, GPG, and compatible programs are publicly documented by the OpenPGP Alliance. Current versions of PGP can use the new NIST Advanced Encryption Standard (AES) in place of IDEA, and therefore can interoperate with GPG. AES is more secure than IDEA. It costs less, as it is not patented and is therefore royalty-free. It turns out that GNU Privacy Guard is more compatible with the OpenPGP standard than the original Pretty Good Privacy is. PGP has a more polished Windows interface, but the command line version is no longer sold. GPG is command line-based, but Windows front-ends are available for it, too.
A key fingerprint is a unique set of hexadecimal numbers (or other representation of data) that is derived from the key. By checking that the key fingerprint you have on my public keys matches what I have on the same keys, you can have some level of assurance that someone didn't send you a fake key that claims to be mine, but is really the key of a spy or forgery artist.
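The fingerprint check described above, and in the paragraph introducing the key list, as an added example that is not code from this page's author or from the GPG project. It derives a version 4 OpenPGP fingerprint as RFC 4880 section 12.2 defines it and compares fingerprints in full, since the 16-digit key ID in the list is only the tail of the 40-digit fingerprint. The function names and the small sample key are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Long key IDs and fingerprints exactly as printed in the key list on this page.
PAGE_KEYS = {
    "5F62009D93505F26": "54D714D76956DA6673DC1EEA5F62009D93505F26",
    "D5F12367498FC00C": "364E3220FEA4C51C79E8A743D5F12367498FC00C",
}

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body for an RSA key (algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over the octet 0x99, a 2-byte body length, then the packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Strip the spacing gpg prints and require exactly 40 hex digits."""
    digits = "".join(fingerprint.split()).replace(":", "").upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("expected a 160-bit fingerprint, not a key ID")
    return digits

def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the fingerprint."""
    return normalize(fingerprint)[-16:]

def fingerprints_match(local: str, published: str) -> bool:
    """Compare all 160 bits; a matching key ID alone is not enough."""
    return hmac.compare_digest(normalize(local), normalize(published))

# Constructed sample key (tiny, insecure numbers) used only to exercise the hash.
SAMPLE_BODY = rsa_key_body(1491782400, 3233 * 2**48 + 1, 65537)

if __name__ == "__main__":
    print("sample fingerprint:", v4_fingerprint(SAMPLE_BODY))
    for key_id, fpr in PAGE_KEYS.items():
        print(key_id, "is the tail of its fingerprint:", long_key_id(fpr) == key_id)
```

Compare the published fingerprint against what `gpg --fingerprint` prints for the key you imported, and obtain the published value over a channel separate from the one that delivered the key.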
They are actually VERY secure when properly used on
computers that are themselves secure. The cryptography used is beyond
the ability of even major governments to crack. However, the weak link
in the chain is not the strength of the cryptographic algorithms used.
It is the fact that your computer can easily be infected with spyware
that could be used to report your key back to someone else. If your
computer is not physically secure 100% of the time, or if you ever run
questionable software on it, or if a computer virus with a spyware
payload attacks it, then someone could monitor your keystrokes, making
encryption nothing but a source of a false sense of security.
Nevertheless, it is still much harder to forge a digital signature made
with one of these programs than to forge headers in an email message.
It is also still harder to forge a digital signature than a handwritten
one, provided that you properly verify that the correct keys are used
and provided that you take reasonable precautions to keep your secret
For more information on how these programs operate, I recommend that you get a current copy and read the instructions that come with it. For an overview of how it works, Comparitech has a good nontechnical article. There are also books that have been written on PGP.