
How Pretty Good Privacy (PGP) works

PGP is an implementation of an asymmetric, public/private key pair encryption algorithm that offers an easy solution to the very basic problem of any classic encipherment: how to exchange the required keys between the parties involved. To overcome this problem PGP features a 'split' key: the private part of the key is known only to the key 'owner', while the public part can be given to whoever wants to send messages to the key owner.
Anyone can send an encrypted message to a PGP key owner by enciphering it with the public key part of a PGP key, but only the owner of the key has access to the private key part required to decipher the message again.
So basically, for two persons p1 and p2 to exchange messages with PGP, two PGP key pairs are required, split into the public parts k1pub and k2pub and the private key parts k1pri and k2pri. The communication between the two works as follows:
  • p1 downloads p2's public key k2pub from a web site or a PGP key server
  • p2 downloads p1's public key k1pub from a web site or a PGP key server

p1 sending p2 an encrypted message works as follows:

  1. p1 encrypts the message text with p2's public key part k2pub.
  2. The encrypted message is sent to p2.
  3. p2 deciphers the message text with his own private key part k2pri.

And p2 sending p1 an encrypted message works as follows:

  1. p2 encrypts the message text with p1's public key part k1pub.
  2. The encrypted message is sent to p1.
  3. p1 deciphers the message text with his own private key part k1pri.

Anyone intercepting the message in step 2 (man-in-the-middle attack) will have a hard time deciphering the message without the respective private key part of p1 or p2.

Why did you put up PGP public keys here anyways?

While it's nice to have a means of transferring messages securely, I certainly don't rate the importance of the message content going back and forth between me and anyone in the TA community so highly that it would justify the effort of establishing PGP-enciphered communication.
But PGP comes with another nice side effect: it allows a person to sign a message (basically any data) with their private key part. Any reader of the message can then use the public key part of the supposed author to verify whether the message has been altered. This also implies that someone trying to impersonate someone else, but having no access to that person's private key part, will be unable to sign the faked message in a way that would make it pass PGP's signature verification without an alteration warning.
And that's where I see the main purpose of PGP in Internet web communication: while it's very likely that stuff appearing on this web site is created by me, it's almost impossible to tell whether someone posting under the account name 'tcbw' on message board X is the same person. Or imagine you see someone acting really stupid under an account name on a gaming service and wonder whether the account got hacked. With PGP you could just ask the person to identify himself by signing a message like 'I'm really tcbw' with their private key and having them paste the result into a private messenger window. From there you can copy it to your clipboard and verify the signature in the message with PGP.
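
The identity check described above, as an added example that is not part of the original page: the key owner signs a challenge with the private key part and anyone verifies it with the public key part. It uses textbook RSA over a SHA-256 digest with fixed toy primes rather than PGP's real message format; the key names, helper functions and the random nonce in the challenge (added so that an old signed message cannot be reused) are assumptions of this example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Build (public, private) from two primes; textbook RSA, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(digest(message, n), d, n)  # needs the private key part

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)  # needs only the public part

def new_challenge(name):
    """Text the claimed owner is asked to sign; the nonce makes each one unique."""
    return f"I'm really {name} [{secrets.token_hex(8)}]"

# Constructed toy keys from fixed Mersenne primes: large enough to hold a
# SHA-256 digest, but NOT secure. Real PGP keys are built from random primes.
TCBW_PUB, TCBW_PRI = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRI = make_keypair(2**127 - 1, 2**1279 - 1)

def run_demo():
    challenge = new_challenge("tcbw")
    genuine = sign(challenge, TCBW_PRI)
    return {
        "genuine": verify(challenge, genuine, TCBW_PUB),
        "altered": verify(challenge + "!", genuine, TCBW_PUB),
        "impostor": verify(challenge, sign(challenge, IMPOSTOR_PRI), TCBW_PUB),
        "replayed": verify(new_challenge("tcbw"), genuine, TCBW_PUB),
    }

if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:9} -> {'signature OK' if ok else 'verification FAILED'}")
```

Only the signature made with the matching private key over the unaltered, current challenge verifies; the altered text, the impostor's signature and the reused signature all fail.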

Where to get PGP software

The keys here are certainly only of use if you have the tools to work with them. That means you need to install a PGP software package first. Below are two links; there are commercial and free versions of PGP available on the Net:

PGP Corporation
This is a commercial provider for PGP software. They offer a personal desktop edition for around 40 US$.

The International PGP home page
This is the web site of one of the free PGP projects. The software costs you nothing but you don't get any support either.

tcbw's public PGP keys

Used until | Type | Download
Current | Diffie-Hellman/DSS | public key file
Current | RSA | public key file
Current | RSA legacy format (use with older versions of PGP software) | public key file
2006/01/30 | Diffie-Hellman/DSS | public key file
2006/01/30 | RSA | public key file
2006/01/30 | RSA legacy format (use with older versions of PGP software) | public key file


Page last updated 2006/02/05 by tcbw@tcbw.net