With this encryption you can send private e-mails to your friends, and be confident that no one else could read them. �PGP will also allow you to sign messages (or data files for the matter). �When you sign a message you can choose to either encrypt or not encrypt it, but that message can be verified as only coming from you. �If someone tampers with the message in the slightest way your PGP signature will show it. �When signing a message (or data file) you will use your secret key, then the people who wish to verify that it came from you use your public key.
The way in which you distrubute your public key is important. �You are mostly subject to man-in-the-middle attacks. �Someone intercepts your key and sends along a fake one to your friend instead of yours. �Here are some basic ways that key exchanges are done:
Problems with Public Key Servers
Lets say that you have your friends regularly download your public key from a PKS. �This is a pretty good way, but what if this happened:
As you can see from the example above, your keys you send don't get a unique name and end up with duplicates. �Now your original PGP public keys that you upload can't be tampered with, but the above senerio shows a way of getting around your original, valid key.
Problems with sending your public keys by e-mail
Basically it is somewhat similar to the above senerio, except that Jo HackYouUp will simply once again fake an e-mail and make it look like it came from you (e-mail headers and all) and send his fake PGP public key. �Once again your friend takes the key and gets the virus.
What can you do about all of this?
Well the most secure way to exchange keys is to actually hand each other a floppy disk with your key on it. �This isn't always very practicle though. �One good method would to be to post your public key on your website (as I have) and allow people to download it. �That way people know it only came from you and it isn't some fake duplicate like one could get on public key servers. �PGP also has other options too though, as you can see below.
PGP has the ability to allow other people to sign other people's keys. �This in affect says, I'm sure this key belongs to that person. �What you get is a web of trusted people who can verify (hopefull correctly) that the key is belonging to that person. �So you could sign your friends key and he could sign yours. �If you weren't sure it was your friends key you could find someone that knew it was his key for sure and have them sign it as well.
Better still though is the fact that all keys come with digital signatures that are unique to that key. �These signatures provide an excellent way of verifying keys. �The best way of verifying keys would to call the other person on the phone (regular phone or over the Internet, just as long as you use a VOICE conversation, since that is harder to fake) and read off your keys digital sig and have your friend read off his. �You can compare them as they are read off this way.
Where do I get PGP
Due to those lovely U.S. Export laws, if you live outside the U.S. you have to download from the international website. �If you live in the U.S. you can get it from the United States website. �If you do live in the U.S., please contact your local congressman and tell him to stop hurting U.S. encryption software companies and get those export laws removed!
You can get PGP for commercial (you pay for it) or non-commercial (free) from the following sites:
My PGP public key should have the following digital signature: