Slashdot Mirror
PGP & GPG
Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.
PGP & GPG: Email for the Practical Paranoid
author
Michael Lucas
pages
216
publisher
No Starch Press
rating
8
reviewer
Ben Rothke
ISBN
1593270712
summary
Pretty good overview of PGP & GPG
On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.
The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.
The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'
The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.
Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.
In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.
The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.
At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.
For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.
The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.
The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'
The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.
Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.
In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.
The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.
At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.
For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
So basically 99.9% of users online today.
(Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.
This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.
No one knows, no one cares and very few have been affected by their ignorance.
PGP & GPG: Email for the Practical Paranoid
title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
There's a Public Key field in the User Preferences page on Slashdot, but does anyone know where you go to pick up other users' keys?
"Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' ... there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified."
Ahem, reference http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
While Suite A is classified, Suite B, specifically AES, is specifically mentioned as being suitable for up to TOP SECRET info.
Military grade is not a useless term, as it is therein defined.
HOO-AH!
Just the other day I saw the following on the website of an author selling her own book directly:
Sigh...
Secession is the right of all sentient beings.
I read up a tiny bit on X.509.
That is obvious.
According to Wikipedia, X.509 uses signed certificates from CAs, meaning you have to PAY,
No, you can set up your own CA (for free) with openssl. And in fact, you don't need a CA at all. You can use your own certificates that aren't signed by anyone, just like PGP/GPG. In fact, the underlying math (public-key cryptography) is exactly the same as PGP/GPG.
and store your certificate with a "trusted company".
Store your certificate? Bullshit. You send the CA a certificate signing request. They sign it, and send it back to you. The certificate is useless without your private key, and the private key doesn't leave your possession. Decryption can only be done with the private key. So don't lose it.
Not only is this horrible for paranoids who wouldn't trust Verisign,
You don't need to trust Versign for X.509 to work. The only time you need to trust Versign (or any other CA) is to identify the cert of someone you never met. How do you know that a cert really belongs to the person? Verisign (or some other CA) signed the certificate. How do you know if a PGP key really belongs to someone you never met? Someone signed it.
But do you trust the signer? That question occurs with certificates and PGP keys.
but the US Gov. could subpoena your information from these companies, rendering your encryption useless (against the government).
Even if the US Gov't seizes all of verisign's info, that won't help them break your cryptography, since the private key (see above) never left your possession and Verisign never had it.
It's one thing to be paranoid, it's another thing to be an idiot. Understand how cryptography works before you start to rant & rave.
Frankly, if the US Gov't really, really wants to break your encryption, they'll bug your computer, or your house, or call in the NSA, or send in the Marines.