Lurking with PGP

Phil Zimmermann's PGP program was written primarily to allow people to be quite sure their private communications remain private. The messages are encrypted so that only the intended recipient is able to read them—as long as users have read the manual and paid heed to its security warnings. Pretty Good Privacy.

Lurking is a time-honored practice. If you don't want to seem foolish when you join a newsgroup, you lurk there, reading articles without posting any, learning what is expected of participants in that newsgroup. The same goes for mailing lists. Some people never quit lurking—and on the Internet, and on Usenet, that's all right.

While reading Usenet news or a mailing list, you have probably seen a PGP-signed message. It looks something like this (the signature has been slightly modified to fit in the magazine):

-----BEGIN PGP SIGNED MESSAGE-----
This is an example PGP-signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCUAwUBMYlOKyd5aW9FNqjdAQHVpAP4vrpL2MoIm3MFk
95e7mRaYwRoKSL4lpCDR8WvDo13ICvaa/IbYxZwH/5IFM
vve7a+HnFPFd7pKegsJxSc8MgFnnBCxTJAEeimLCmZ+DA
VHPwqnEjxdeTWvwoysg2hm89CUOxvn4ArbG3yntlRlL+k
0HPjV+D0Uvi+LN0sNroi5A==
=G3yB
-----END PGP SIGNATURE-----

You can read the message just fine by ignoring all the PGP-specific stuff. But you can also make use of it by learning a few simple commands—and learning how to use them.

Simple Security?

Are you intimidated by PGP's manual? Perhaps you should be. Unlike other software products, with which it is Okay to fool around in order to learn it piece by piece as you need it, cryptographic software needs to be well-understood to be truly secure. Using it incorrectly can give you a feeling of security—but that's worse than not using it at all, because with that false sense of security, you will use it to send sensitive information that you would never have dreamed of sending via e-mail otherwise. The manual section on key management isn't that long, but you do have to understand it, and to do that, you do need to read quite a bit of the manual.

If you want to write PGP-encrypted e-mail, you have to read the manual. This article can't substitute for the manual in teaching you how to keep your e-mail private. You have your choice of the free manual distributed with the source code, the printed version of the official manual sold by MIT Press, or the O'Reilly book, PGP: Pretty Good Privacy, ISBN 1-56592-098-8, written by Simson Garfinkel.

So Why Read This Article?

So you can “PGP-lurk”. You don't have to send PGP-encrypted e-mail in order to take advantage of PGP signatures; you can simply verify that messages sent by other people are really sent by them, and not by someone else masquerading as them. But in order to do that, you really need a little bit of background. Don't worry, this won't hurt a bit...

PGP is based on public key cryptography. Each person has a public key that everyone else needs to know, and a private key which must not be known by anyone else. A message is encrypted with both the sender's private key and the recipient's public key. The message can only be decrypted with the recipient's private key, which only the recipient knows.

It is possible, however, to simply sign a message without encrypting it. The sender's private key is used to sign the message, and the sender's public key is used to validate the signature. Notice that the recipient doesn't need any keys at all to validate a signature. As long as recipients are able to trust that their copies of the sender's public key are correct, they can trust the signature.

Since you don't need to protect the secrecy of a private key in order to use PGP to validate signatures, you don't need to read a book to learn how create a private key and keep it secret. You just need to know how to find other people's public keys and know how to use PGP to check signatures.

If you have read the newsgroup comp.os.linux.announce, you will have noticed by now that every message posted there is “digitally signed by the moderator, using PGP”. Lars Wirzenius, the moderator, allows you to be sure that he approved the articles for posting by PGP-signing them. In his signature, he states, “Finger wirzeniu@kruuna.helsinki.fi for PGP key needed for validating signature.” If you run the command finger wirzeniu@kruuna.helsinki.fi, you will see something resembling Listing 1. Don't type that key in from the listing; if the key is going to do you any good, you will be able to get it over the internet. If you don't like finger, you can get it from his home page, www.cs.helsinki.fi/~wirzeniu/.

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState