Mail privacy. PGP.
...Security is not a product, it's a process...
Last year two US researchers from Carnegie Mellon University asked
12 test subjects to try to send an encrypted e-mail message using PGP -
one of the most popular encryption programs available. Of the 12
subjects who underwent the 90-minute test, three failed to properly
encrypt the message they were sending, seven used the wrong keys to
encrypt it and one was unable to work out how to send the message at
all. All those taking part were college undergraduates and very
familiar with e-mail. The test subjects struggled because they did not
fully understand how the encryption system of PGP works.
So using PGP - or any encryption or "security" product - without
understanding what it does, and does not, protect against is a recipe
for disaster. There are two ways to get to the other side of a security
barrier: go through it, or go around it. Strong encryption is
essentially impossible to go through; however, unless encryption is
used as part of an integrated and comprehensive security process, it is
generally easy to go around. Even a good tool is no substitute for
understanding what security is, considering how much of what sorts is
enough for your circumstances, and thinking about how to achieve it.
PGP is, however, an excellent tool, and can certainly be part of a
responsible security process.
PGP uses a technique known as public key cryptography to scramble
messages. It uses two keys to scramble and decipher messages. One key
is known as a public key and is widely distributed; the other, the
private key, is held securely by an individual. Messages are protected
by scrambling them with the public key of the person you are sending a
message to. A helpful analogy might be that of a puzzle. Each key is
like a puzzle piece and unless they fit together, your message will not
be readable. Mathematics ensures that only the private key held by the
person you are mailing can decrypt the message. So if you are
transmitting sensitive information via e-mail, PGP is a feature that
will protect you from snoopers and hackers who might try to intercept
the information. Even if they figure out how to intercept it, they
can't read it.
Sounds good? You want your piece of privacy? Nice, here are some steps.
(I assume that you are using a PC and Outlook Express as your e-mail
application program, but it's almost the same with other mailers.)
Getting PGP
The first thing you need to do is go to PGPi ( http://www.pgpi.org/products/pgp/versions/freeware/ ) for the PGP distribution. What we are going after is PGPFreeware 8.0.2. When you get to the site, go to the download wizard.
- Select the OS that you use, such as Windows 95/98/NT and click on the link.
- Choose one of the latest versions of PGP from the list and click on the link.
- Check the License Agreement box and download your version.
Installing PGP
Once you have downloaded PGP, go to the location where you saved it
and double-click it. This will begin the installation process. After
you have finished reading the License Agreement and ReadMe, press the
"Next" button. That will bring up the following screen:

At this screen, you will want to select "No, I'm a New User". If you
are reading this tutorial, then you probably don't have any keys.
That's ok, because in a few short steps, you will. After you press
"Next", the window asking where you would like to install PGP will
appear. The default directory is fine; if you would like to install it
somewhere else, that is fine too. After you have selected the
directory, please press the "Next" button to bring up the following
screen:
Here you will be asked to type in your name and organization name. After you have finished, please press the "Later" button.

At this screen, you will decide what components of PGP you would
like to install. Choose the plugin that matches your email program (for
example- Outlook, Outlook Express, Eudora, etc.). After you have
finished selecting what you want, press the "Next" button to begin
the actual installation process. How fast it goes is dependent on your
computer's speed. However, it should not take more than a couple of
minutes. When it is finished you'll be ready to proceed to the key
generation.
Generating a Key
Now you are ready to generate an initial key. PGP will place this
key on your keyring, PGP's name for a key database. I recommend you
consider this a temporary key you will use to get familiar with PGP.
There are two critical things to avoid with this initial key: firstly, do
not forget your passphrase. Secondly, do not upload this key to a key
server. You will likely want to generate another key, with a strong
passphrase, when you have gotten used to PGP.
After installation, PGP is accessible through the PGPtray icon in the system tray area.

This is the PGP Tray icon. It contains every tool you need to
operate PGP on your system. You can right or left click once on this
icon. When you do, you should see a menu that has the following options
in it (from the top)- Hide, About PGP, License, Help, Options, PGPkeys,
PGPmail, Current Window, and Clipboard. The Current window and
Clipboard options have submenus that can be reached by moving the mouse
toward them.
Simply click on the PGPtray icon and select the PGPkeys item from the menu that pops up.

You can generate a key by choosing Keys-New Key from the PGPkeys
menu or simply by clicking on the Key icon. This will launch the key
generation wizard.

This is the PGP Key Generation Wizard; it will lead you through the process. Click "Next" or "Expert".

The text that you enter into the "Full Name" and "Email address" fields
will be associated with your key and distinguish it as belonging to
you. You do not actually need to use your name. Whatever name you
choose, do not put any spaces in it.

For Expert mode there are three more choices.
1) Key type: Diffie-Hellman/DSS, RSA, or RSA Legacy. For this tutorial, please choose RSA.
2) Key size: The size of your key pair. The default is 2048. I would
highly discourage using anything less than this. In my opinion, this is
the best choice.
3) Key expiration: The expiration date of your keys. The default "Never" is just fine.
Click "Next".

This is the most crucial phase of your key generation. This is the
pass phrase section. Notice I said pass PHRASE and not pass WORD. It is
paramount that you choose a long phrase of upper- and lower-case letters,
numbers and other characters. The weak link in PGP is the pass phrase. It is
the easiest to compromise. So choose a phrase that can withstand an
attack. The "Passphrase Quality" indicator will help you. Also, it
should be something that you can remember without having to write it
down. After you have typed and retyped your pass phrase for
confirmation, please press the "Next" button.
REMEMBER! If you forget the passphrase, you will NOT be able to use the key to decrypt ANYTHING.
After the actual key generation procedure, press "Finish". This will
bring up the PGP Keys window. You should be able to see your key in the
window. Success!!
Using PGP.
Distributing a Key

The simplest way to distribute your temporary key is to mail it to
people with whom you wish to correspond. With most mail clients, you
can simply drag the key from the PGPkeys display into the body of a mail
message, or select Edit-Copy on the PGPkeys menu and Edit-Paste on the
message menu.

You can also export the key to a text file and include that text
file in a message. All of these procedures will include a mailable
version of your PGP key.
Obtaining Others' Keys
There are two general ways to obtain the PGP key of a correspondent.
The first way is to ask the correspondent to mail you the key.

You can put a key into your keyrings by displaying the mail message
containing the key, then selecting "Current Window-Decrypt and Verify"
from the PGPtray menu. After you have put the correspondent's key on your
keyrings, you can then verify their signatures and encrypt messages to
them. They need to similarly install your key in order to verify your
signatures and encrypt messages to you.
The second way, if the correspondent has sent the key to a key server, is to obtain the key from a key server.

You can use PGPkeys to search the network of PGP key servers. Start
PGPkeys by choosing PGPkeys from the PGPtray icon, then choose
Server-Search. Enter your correspondent's name or e-mail address in the
search contents field, and click the Search button.
In either case, before you use the key, you should verify the key ownership.

The recommended way to do this is to contact your correspondent in
some way by which you can validate your correspondent's identity, and
ask your correspondent to verify the key fingerprint. The key
fingerprint is displayed when you right click on the key and choose Key
Properties. The fingerprint is a series of words (or, if you click the
Hexadecimal check box, a series of hexadecimal digits) that encode a
hash of the key. If your correspondent verifies the key fingerprint,
you can be confident that the key belongs to the correspondent.
Before you use a key, you must mark it as valid. You do this by signing the key.

You sign the key by selecting it in the PGPkeys display, and choosing Key-Sign.

If you wish to attest to the key ownership to others, make your
signature exportable by selecting the "Allow your key to be exported"
checkbox; otherwise, leave it clear.
Sending and Receiving Encrypted Emails
Outlook (and Outlook Express)
If you installed PGP with the Microsoft Outlook Express plug-in, PGP
puts controls on the icon bars in the New Message window and in the
window where received messages are displayed. These icons let you
decrypt and verify messages, encrypt messages, digitally sign messages,
encrypt and digitally sign messages, and start PGPkeys.

When you receive a message encoded with PGP click on the "Decode and
verify" PGP tool on the tool bar to decode the message and verify any
attached signature. PGP will copy the encrypted message to the Windows
clipboard, decode it, and display it in the secure message viewer.
To send a message encrypted with PGP, compose the message normally.
Before you send it, click on the Encrypt Message Before Sending and/or
the Sign Message Before Sending buttons at the top right corner of the
new message window.

PGP will encrypt the message to the addressees of the message, and
replace the cleartext message body with the encrypted message body.
note:
Outlook Express does not make the full message available to PGP.
For this reason, PGP encryption will cause text formatting (font and
color choice, for example) to be lost. Also, attachments will be sent
in the clear. You can work around this in several ways. You can
separately encrypt files to be attached, and attach the encrypted
versions. You can compose a formatted message using Wordpad or Word,
save the message as an RTF file, encrypt the RTF file using PGP, and
send the encrypted file as your message.
Other Mailers
PGP can be used easily with other mailers, although not quite as easily as the mailers for which it has plug-ins.
If the mailer supports select all, copy, and paste operations (as
almost all do), message encryption, signing, and decryption can be
performed through the PGPtray program.

To sign and/or encrypt an outgoing mail message, first compose it as
usual, then click on the PGPtray icon and then on Current
Window-Encrypt, Current Window-Sign, or Current Window-Encrypt and
Sign. PGP will process the message as desired, and replace the
cleartext message in the composition window with the encrypted message.
You can then send the processed message in the usual way. Similarly, a
received message can be decrypted in place by clicking on the PGPtray
icon, then on Current Window-Decrypt and Verify.
If the mailer does not support window operations, then PGP can
still be used by manually moving data to and from the clipboard. After
composing the message, select the entire message, and copy the text to
the clipboard.

The usual menu operation to do this is Edit-Copy. Then, sign and/or
encrypt the message with PGPtray by choosing Clipboard-Encrypt,
Clipboard-Sign, or Clipboard-Encrypt and Sign. This processes the
contents of the clipboard and puts the results back on the clipboard.
Finally, replace the cleartext message by pasting the processed message
over it. The usual menu operation to do this is Edit-Paste. You can
then send the processed message in the usual way. Similarly, encrypted
messages you receive can be decrypted by copying the message to the
clipboard, then using the Clipboard-Decrypt and Verify menu option of
PGPtray.