Are you sending love letters across the internet and worried that they might be intercepted? (They will be!) Are you worried that your family will find the really awful poetry that you've written on your PC? (The kids will!) Have you accidentally downloaded offensive material from the internet and you want to really, truly delete it? (Don't worry, you can!) If so, have no fear because PGP (Pretty Good Privacy) is here. And it's free for personal use. If all you want to do is to understand what PGP can do, without downloading it and using it at this time, just read section 3 The 4 uses of PGP for absolute beginners
This posting is to help absolute beginners get started with PGP and so I have kept it to less than 2,000 words in 7 sections (though section 2 refers to a couple of sources from which to download PGP and then set it up). The 7 sections are:
I believe that a source of difficulty and frustration for PGP absolute beginners is that there is so much documentation available from so many sources (with most of it being long, detailed and complex) that many of them give up .... and this is a defeat for us all. A scythe needs to be taken to all of this information on their behalf.
I've recently progressed from being a PGP absolute beginner to just a beginner and I think that absolute beginners need simple, concise information that they HAVE to know INITIALLY without being given lots of reasons or explanations. As someone else said, 'absolute beginners need an ABC'. It's when absolute beginners have gained more experience that they can find out why things are done in a certain way and how to do more complex things IF THEY WANT TO. It's then that they can read Phil Zimmermann's (the author of PGP) documentation and it's then that they can look, with understanding, at many of the other excellent sources of advice that are available. So, until you've passed the absolute beginner stage, just do what I tell you!
I refer to a number of other web sites in this document. Thanks to them for making PGP adoption easier. Now, let's get started.
Return to Index
To download PGP, go to http://www.pgpi.com/ which is the home page for International PGP users. Click on the 'Download Wizard' in the 'Download the Latest Version' section. For legal reasons, if you are from Canada or the USA, you must download the US version. Otherwise, you must download the International version. Select your operating system and licensing (freeware if PGP is for personal use) and then click 'Show Latest Version'. Please note that, contrary to popular belief, the International version is NEVER weaker than the US version and it sometimes has advantages. (There is a FAQ on this site that gives the differences between the International and official US versions.) And now download PGP (which will take 15-100 minutes with a 28.8k modem depending on the PGP version selected).
Go to http://www.skuz.net/pgp4dummies and print out this site. BUT, don't do anything other than print it out. The Pig_Vomit printout gives information on how to set up PGP and the basics of using it. Go through it but bear the following in mind. In 'Configuring and Creating a Key Pair', you are referred to other web sites about pass phrases. At this time, just read my section 4 below instead but, when you have more experience, go and read the pass phrase sites recommended by Pig_Vomit. And when you actually create your keys, on a modern Pentium PC it will probably take about 10 minutes to generate a 4096 bit DH/DSS key pair and less than a minute to generate a 2048 bit RSA key. So, go through the Pig_Vomit instructions now.
Although terrific, I think that there are 4 things that the above sites do not explain in clear, simple, succinct terms and they are covered in sections 3 - 6 following.
Return to Index
PGP is basically used for 4 things.
As I said above, the Pig_Vomit site refers you to other web sites about pass phrases. At this time, just read this section. (nb Public and secret keys are explained in 'How It Works' in your Pig_Vomit printout.)
A pass phrase will protect your secret key in case it gets stolen or someone gets access to your computer. In either case, if you have a pass phrase, nobody apart from you can decrypt messages or files meant for you (i.e. created using your public key) and nobody else can sign messages pretending to be you because PGP users can spot this.
If you don't use a pass phrase, you're not taking security seriously. You're an absolute beginner, so do what you're told: use a pass phrase!
Make up your pass phrase by choosing 6 random words from a dictionary with at least 25,000 words in. Your pass phrase could then be safe for millions of years! Put blanks between the words if you want to or just run all the words together. If any of the 6 words start with a capital letter, replace by the lower case letter: it's easier to remember and type if you do. If you want to, you can change your pass phrase every 6 months or year (eg on your birthday). Whatever you do, make sure you can remember your pass phrase - see your Pig_Vomit printout for the reasons.
Return to Index
Read section 3b again. Your PGP signature is different for EVERY message you sign because PGP does a calculation on the message using your secret key (which is unique to you). As every message is different, the signature is different too so you can't cut and paste signatures from one message to another.
Note that the signature proves that the message came from the sender but it does not prove that the sender created the text in the message. eg if I clear sign the text of Hamlet, you still won't believe that I 'wrote' it.
If the signature on a clear signed message checks out then that's fine. But if a clear signed signature DOESN'T check out, it MAY still have come from the person it appears to have come from. The reason is that the clear signed message is copied to an e-mailer and if the message is reformatted in or by the e-mailer (eg word wrapping happens such that a word is moved from the end of one line to the beginning of another line), the signature WON'T check out because the message has changed between being PGP signed and being transmitted/received. However, it is SAFEST to treat the message with the failed signature as being from an impostor.
Return to Index
Using Windows based PGP can be a security risk. This is because your pass phrase, your key and your message plain text might be left in the Windows swap file thus compromising security if someone else has or gains access to your computer. If you can't cope with yet another thing to grasp at this time, skip the next paragraph!
A simple solution for Windows 95/98/NT users is to download BCWipe from http://www.jetico.sci.fi/ This can be used to securely overwrite the contents of the swap file a number of times (eg 7 times). Windows 3.1 users can download ZAPSWAP (part of the WIPEUTIL set of routines) from http://www.sky.net/~voyageur/ to securely overwrite the swap file. Or, of course, you can use DOS versions of PGP: PGP2.6.3i or PGP5.0i for International users; PGP2.6.2 or PGP5.0 for Canadian/USA users. All of the products mentioned here are free for personal use.
Return to Index
And that's all there is to it!
This revision is dated December 1998. Here is the News group header in which David Hamilton posted the original version of this guide to the net.
>From: firstname.lastname@example.org (David Hamilton)
>News groups: alt.security.pgp,comp.security.pgp.tech
>Subject: PGP for ABSOLUTE Beginners
>Date: Fri, 19 Jul 1996 22:40:01 GMT
>X-Newsreader: Forte Free Agent 1.0.82