Slashdot Mirror

← Back to Stories (view on slashdot.org)

PGP & GPG

Posted by ryuzaki0 on from the lock-it-up dept.

Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review. PGP & GPG: Email for the Practical Paranoid author Michael Lucas pages 216 publisher No Starch Press rating 8 reviewer Ben Rothke ISBN 1593270712 summary Pretty good overview of PGP & GPG

On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.

The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.

The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'

The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.

Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.

In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.

The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.

At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.

For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.

You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.

Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

15 of 157 comments (clear)

  1. A New Core Class in College? by neonprimetime · · Score: 5, Insightful

    The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

    So basically 99.9% of users online today.

    1. Re:A New Core Class in College? by 19thNervousBreakdown · · Score: 2, Insightful

      What level of understanding are we talking here? I understand how public/private key encryption works well enough to use it securely, and it's not that hard to grasp. I imagine a significant portion of Slashdotters understand it as well. With almost 1,000,000 accounts, if only one in ten of us got it, there's your 100K.

      Now if you mean understand as in "could create a secure public key algorithm," then OK, I see your point.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  2. X.509 is better by Anonymous Coward · · Score: 0, Insightful

    Outlook supports it natively, no craziness like with PGP / GnuPG. Users much prefer the simpicity of an X.509 solution. I like PGP and think it has its place, but that place is only for the paranoids / techies who want to deal with its complexities.

    1. Re:X.509 is better by nog_lorp · · Score: 4, Insightful

      I don't think anyone with who: A) has concern for their privacy and security, and B) is in their right mind, would want to use MicroSoft's Outlook email client. (Anyone recall the Outlook exploit that was executed without even opening the email?)

      Aside from the fact that noone should use outlook, I read up a tiny bit on X.509. According to Wikipedia, X.509 uses signed certificates from CAs, meaning you have to PAY, and store your certificate with a "trusted company". Not only is this horrible for paranoids who wouldn't trust Verisign, but the US Gov. could subpoena your information from these companies, rendering your encryption useless (against the government).

    2. Re:X.509 is better by 1nhuman · · Score: 4, Insightful
      Users much prefer the simpicity of an X.509 solution.


      The simplicity of X.509? Is completly the other way around. PGP is simple :)

      You probably never implemented a corporate PKI infrastructure. I myself love PKI (it's a freeking miracle I got married, I know) and have implemented or at least contributed in implementing several PKI's over the years. Simplicity is definitely not the first thing that comes to mind. Things like OCSP and CRL's you need to check the validity of a key, basically everything around issuing keys, key-escrow etc. it is al pretty complicated. Not nescecairly the theory, but the actual implementation and integration. Plus not to mention expensive. And don't even get me started on the legal side of it, the contracts you need, the legal requirements, webtrust etc.etc.. Brrrrrrr.

      PKI is cool, has a lot of potential etc. Put it's not simple in anyway. Microsoft may make it look simple (did I just say that?), by basically "trusting" loads of CA's defaultly but how much is that trust worth exactly? Not much in my eyes. Oke, the encryption during transit... that should be ok. But is the signer of that email really who he says he is?

      Between me, my friends and my colleguae's we use GPG. Bunch of my friends are on Mac's like me others are on Linux or BSD flavored machines. Some even use Windows. I don't even know al the plug-ins everyone uses. Hell, I don't know the name of mine. It integrated with Apple Mail and I just press the buttons etc, type in my passphrase and it works. Simple. Plus the keys I trust, I explicitly trusted by hand. Basically this kind of trust is loads better then accepting any mail certificate issued by the Verisigns of the world.

      Here is the Mac link: http://macgpg.sourceforge.net/ . Loads of GUI GPG tools.

      --
      The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
  3. So What Does It Mean? by Anonymous Coward · · Score: 5, Insightful

    (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.

    This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.

    No one knows, no one cares and very few have been affected by their ignorance.

    1. Re:So What Does It Mean? by Rob+T+Firefly · · Score: 5, Insightful
      No one knows, no one cares and very few have been affected by their ignorance.
      I'm sure many, many people have been affected.. it's just that when they get their email read or their private files exploited, they're ignorant that it could possibly have been prevented. Someone who doesn't know how to lock their front door might still be affected by a burglary.
      --
      Slashdot Burying Stories About Slashdot Media Owned
  4. Anon has a point though by p3d0 · · Score: 2, Insightful

    Acronyms should be defined in the summary.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  5. Outlook plugin? by haeger · · Score: 2, Insightful
    I've been looking at different plugins for gpg but haven't found anything that's quite what I want. The best one I've found is something that uses the clipboard for encryption/decryption. Works OK for someone who doesn't mind a little work.
    What I'd like to see is an Outlook plugin (or OExpress) that does the following. (Please note that I wrote O/OE because they are the major players)

    * GPG included to make it easy for the user. Just one install for the whole package.
    * Automatically create keypair during installation
    * Default option to keep passphrase cached (not safe, yes I know, I know)
    * Automatically decrypt/sigcheck all incoming emails
    * Automatically encrypt/sign all outgoing mails.
    * Attach the pubkey to all outgoing mails where the address isn't in my keyring.
    * Automatically (just ask for password confirmation or something) addition of incoming pubkeys to my keyring.
    * GPL :-)
    * The people who got the pubkey would also get a link to where to download the plugin.

    I'm sure someone can expand this list quite a bit and I'm sure I forgot half of what I wanted to put on that list, but it's a start anyway.

    Anyone care to write such a plugin? Or is there one already that I don't know of?
    I do think that if there was something to that effect that you would see a spike in encrypted emails going across the globe.
    I used to encrypt/sign everything but since I was the only one using pgp/gpg it was kind of pointless.

    .haeger

    --
    You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
  6. Re:Pretty Poor Privacy by Anonymous Coward · · Score: 0, Insightful

    How in the world did a post this idiotic get modded up?

  7. Re:PGP vs. GPG by Anonymous Coward · · Score: 1, Insightful

    PGP => Pay to Get Privacy
    GPG => Get Privacy Gratis

  8. Re:S/MIME by Betabug · · Score: 2, Insightful

    > It is pretty clear S/MIME is going to win the battle to be the most
    > common form of email security on the Internet.

    If this is going to happen then S/MIME has yet some way to go first. Reality is that I see S/MIME only ever "used" by corporate minions. I put quote marks around "used", because I have yet to receive anything more than a signed mail. On the other hand there are ISPs and domain registrars who work with PGP - you can give them your public key and do business like that.

    Have you noticed how many open source projects use PGP signatures to verify source downloads? Would you like to wait for them to use S/MIME to sign those tarballs?

    Then there is what happens on a more personal level. Myself I'm communicating with geeks and non-geeks in my surrounding with GPG and it works fine once it's been set up. A book like the one described could be a big help here. I can't really say that the book "would help", because the review just plain sucks - it doesn't tell us if the book is any good, it just says what it attempts to do.

    The main problem with S/MIME is certificate revocation though. And this is an old problem with S/MIME, it's been said again and again. There is just no good strategy to deal with revoked keys/certificates. You have revocation lists, but they do not get used (same problem as with webserver SSL certificates). Even if revocation lists in S/MIME got used, the setup is tailored for corporations.

    That is the reason why PGP had and still has that little bit of success: It was designed for us "little guys", the normal people. We're no corparations, corporations don't work for us, and their software doesn't work for us.

  9. Re:I wish security were more accessible to the mas by DMoylan · · Score: 2, Insightful

    that's pretty secure compared to this site

    http://www.rncca.com/

    why they have a password is beyond me when they list the password on the site?

  10. Re:paranoia? by Ohreally_factor · · Score: 4, Insightful

    My guesses include:

    * They've coerced the author to build in a backdoor (a la clipper).
    * They've spent enough billions on serious hardware that they can brute-force it in a reasonable time.
    * They've got some very clever mathematician to figure out a viable attack.


    I think you can safely scratch #1, while also safely assuming #2. The trick is how timely, and how much encrypted traffic there is overall. If you or your message has been flagged as a high priority decrypt, then they're likely to throw a lot of crunch at it.

    However, if you're not flagged and more people start to use encryption, you're more likely to get lost in the noise.

    Your #3, I have no idea. I don't really have enough math knowledge to have a good grasp on the difficulties such a mathematician would face.

    --
    It's not offtopic, dumbass. It's orthogonal.
  11. Re:Mil Grade Crypto... IS defined :-P by Abcd1234 · · Score: 2, Insightful

    Perhaps there is a secret they only need to keep secure for 30 minutes, or they have an old PC. So in this case, a 40-bit cipher would be sufficient to protect their data in that case. So would that make a 40-bit cipher military-grade encryption?

    For that particular application, absolutely. And if I find myself in a similar situation, then I can safely do the same since, if the military feels that's sufficient to protect their likely-more-important data, then I probably can, too.

    Is this really that difficult to understand?