An Easy PGP Explanation and How You Can Use It
PGP is a term that often gets thrown around in security and privacy discussions. If you’re new to the privacy and security world, or you’re just curious, you’ve probably come across this term a number of times.
But what is it? And, most importantly, how can you use it for your own privacy and security?
PGP is actually the most widely-used encryption software and essential for online privacy. It’s quite a good thing to know about. So today, we’ll look at what the software is and how you can use it to make your life more secure.
What is it?
PGP (Pretty Good Privacy) was developed in 1991 by Phil Zimmerman, who named it after a fictional grocery store, “Ralph’s Pretty Good Grocery.”
Essentially, PGP is an internet standard known as OpenPGP that is used to encrypt data and create digital signatures. There are both free and paid versions of the software. The free version, GNU Privacy Guard (or GPG) is open source and produced by the Free Software Foundation.
A simple example
In order to understand how it works, let’s look a little bit closer at encryption. In standard encryption, for example, you want to send a secret love letter to your best friend’s girlfriend, you’d write the letter in one version, create a key, and then encrypt the original document. If your text is “I love you,” and your encryption key is letter = number, the encrypted message would be: 9 12-15-22-5 25-15-21.
If she has the key, she can decipher it quickly. The same key used to encrypt it is used to decrypt it.
This type of system works well for storing your own data (for example, your leather-bound love journals), where only you will have the key. But for communication, it doesn’t work so well. How do you get the key to the other person? And, if her boyfriend finds the key, he’ll be able to decrypt your message too.
For more sensitive issues, like national security, or personal freedoms of expression in authoritarian governments, for journalists or dissidents, who want to communicate securely, it’s not a good system at all, especially if they’re geographically separated.
A complex solution
PGP solves this problem by using what’s known as “public-key encryption.” There are two keys, not just one, in this version. A public key is used to encrypt the data, but you’ll need another, separate key, a private key in order to decrypt it.
In this system, you share your public key with the public, so that they can send you encrypted communications. It’s encrypted with your public key, and in such a way that only your private key can decrypt it. Not even the original sender can decrypt it. Your private key is kept strictly private, so that no one in the world should know it besides you.
The mathematics of the encryption is much more complicated than our “letter=number” from above, so it’s virtually impossible for anyone without the private key to decrypt the message. Take a look at an encrypted message:
The math is just too incredible to break. For instance, PGP has never used keys smaller than 128 bits. There are 2128 possible combinations for that, and only one key would work. Let’s imagine you had the technology to try a billion keys each second (which no one does), and you had one billion of these chips running at the same time. Even if you had such amazing technology, it would still take you more than 10,000,000,000,000 years to try all possible keys. That’s 1000 times the age of the known universe!
So, PGP’s privacy is actually pretty good.
So how can you use it?
PGP was recently most famously used when Edward Snowden convinced Glenn Greenwald to set up PGP in order to receive the secret NSA documents. If Snowden felt it was safe enough to protect against the NSA, it should be good enough for us.
PGP can (as in most cases) be used for emails. If you have your public key available on a directory, anyone can send you an encrypted message so that only your private key can decrypt it. That’s what Snowden did with Greenwald.
However, you should remember that only the body of the email text is encrypted. The subject and to, from, cc and timestamp will be available to anyone snooping.
But here’s another great feature: digital signatures.
Because of the math involved in the encryption process, PGP also allows communications to be verified by a digital signature. So, for example, you send a 5,000-page love-novel to your best friend’s girlfriend and encrypt it with her public key. You sign it with your private key (no one will see your private key, but you need the private key in order to sign it). The boyfriend finds it, somehow opens it and alters even one letter, the digitally signature will show as invalid.
That means that you can use it safely for many things.
Bitcoin wallets are signed with the developer’s private key. Because these wallets are pre-compiled, you need to be secure that they don’t have malicious code hidden inside that could steal your coins or information. With the signature feature, you can be sure that it’s completely valid.
You can use it also just to encrypt your own computer files. Instead of my easy version from above, you can encrypt your files (or at least the sensitive ones) so that only you have access to them on the computer.
In order to use it, you need to download and install GPG. If you’re on Ubuntu, you won’t need to do anything, because you’ll already have it.
After that, you’ll need to generate a new certificate, which is essentially your public key with some added data. This extra data lets others verify that the generated key is actually yours, and can include your name, email address, and more.
Once you create your public key, you can share it with others and even upload it to public key servers such as the PGP Global Directory or the MIT Key Server. That way, other people can send you private, unbreakable messages without having to ask for your public key.
From there on, your free to encrypt text or any files, send private emails, purchase things, and many more.
A word of warning
Of course, PGP-encrypted files have been broken before. But not because of the system’s fault. It was because of users’ own complicity. If someone has your private key, they have access to all of your files. Therefore, your privacy is only as strong as your ability to keep things private, so remain vigilant.