Week 33: Pretty Good Privacy --More than pretty good

When
As needed.

Why
Pretty Good Privacy (PGP) secures e-mails and files against attackers if used on a secure system and configured correctly. (So please don't send me notes or conspiracy theories about how NSA can crack it.) Like a firewall, PGP is a security tool and like any security tool, it isn't secure if you don't understand what you're doing.

Strategy
The PGP User's Guide explains that PGP is a hybrid cryptosystem: When a user encrypts plaintext with PGP, the data is first compressed, which saves transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, greatly enhancing resistance to cryptanalysis. PGP then creates a session key, which is a one-time-only secret key generated by random mouse movements and keystrokes. Once the data is encrypted, the session key is encrypted to the recipient's public key and transmitted along with the ciphertext to the recipient. Decryption works in reverse. The recipient's copy of PGP uses his private key to recover the temporary session key, which PGP then uses it to decrypt the conventionally encrypted ciphertext.

Get a current version of PGP that works on your system, unpack and install it. Then make up a secret passphrase and create your public and private keys. Once you validate your public key, you can distribute copies of the public key and upload it to a key server.

Using a good passphrase to protect your private keys and keeping them truly private is key. Rogue software might send your passphrase keystrokes and your PGP key file back to someone who can then use the info to read your messages, another reason to be vigilant about scanning for viruses and spyware.

PGP Corp. publishes its source code so customers and cryptography experts can validate its integrity.

More information
PGP Corp. offers a free limited-capability version of PGP Mail for individual, non-commercial use at http://www.pgp.com, as well as lots of documentation, including the Introduction to Cryptography from the PGP User's Guide. If you're still not sure how it works and want to experiment more, GnuPG is a complete, free replacement for PGP, learn more about it at http://www.gnupg.org. To read why Philip Zimmermann, the creator of PGP, invented it, go to http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html.

About the author,,
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written information security assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Wireless –Less wires, more issues

Next week: Mid-year review -- what's going right?

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Weekly Security Planner Weekly Security Planner: April Weekly Security Planner: March Weekly Security Planner: January Weekly Security Planner: February Weekly Security Planner: December Weekly Security Planner: November Weekly Security Planner: September Weekly Security Planner: August Weekly Security Planner: October Weekly Security Planner: July Email Encryption (SMIME & PGP) Trend Micro joins growing email encryption market Code Green enters consolidated DLP Market Is the iPhone amenable to any method of email encryption? Tumbleweed merger seen as a negative for email security customers Secure messaging complications result in limited protection Information security book excerpts and reviews ING hopes to cut phishing attacks with encryption software Companies still monitoring email manually, survey finds Should iPhone email be sent without SSL encryption? Can the symmetric encryption algorithm for S/MIME messages be changed? Email Encryption (SMIME & PGP) Research Software 2006 Products of the Year: Antivirus Websense Enterprise 5.5 Kaspersky Anti-Virus Business Optimal 5.0 HOT PICK: Aladdin's eSafe5 chock full of content protections Avinti iSolation Server 1.1 Content Alarm 1.1 Products of the Year: Antivirus/antiworm Your desktop antivirus product may be leaving you wide open to attack RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) deniable encryption  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.