• Introduction: A word about PGP

• Before you begin

• Step 1: Downloading PGP

• While you're waiting.... Where did PGP come from and how does it work?

• Step 2: Unzipping and installing the PGP software

• Step 3: Setting up (Creating) your Public and Private PGP keys

• Step 4: Distributing your Public Key

• Step 5: Making your Public Key available through a certificate server

• Step 6: Adding someone else's Public Key to your keyring

• Step 7: Using the PGP encryption software to send and receive secure e-mails

• Back to Dr. Caftori's home page

• Back to Bernie Poole's home page

You'll have to reboot (restart) your system after the PGP (Pretty Good Privacy) software has been downloaded and installed, so save any work on your computer and quit any open programs other than your web browser before you proceed.  This tutorial has been designed for users of Windows PCs.  A version of the tutorial for the Mac platform is in the works and will be ready soon.  The tutorial describes the basics of the PGP software in order to help beginners get up and running using encryption.

• In your browser, go to the Massachussetts Institute of Technology (MIT) Distribution Center for PGP (Pretty Good Privacy)

• Scroll down the page and click on the PGP Freeware Version 6.5.8 or click on download to proceed from here.

• On the next web page, you'll be asked to answer a few simple questions.  You have to answer Yes to all the questions as a way for you to declare that you won't misuse the software once you've downloaded it.  Read each of the questions carefully before selecting Yes as your answer.  Then click on the Submit button.

• On the next web page, click on the first download link under PGP Freeware v6.5.8 (Windows 95/98/NT/2000).  You'll be prompted now to decide if you want to open the software right away or download it (Save it) to your computer hard drive.  You want to Save this file to disk, so make sure this option is selected in the File Download dialog box, then click on OK.

• Now you have to tell your browser where you want to save the PGP program.  Be sure to select a location on your hard drive where later you'll be able to easily find the zip file of the PGP software, then click on the Save button.  The download will take a while, depending on the speed of your connection to the web.

• Rarely does anything of significance arise out of the blue.  PGP (Pretty Good Privacy) is the culmination of a long history of cryptographic discoveries.  Cryptography is the science of writing in secret codes.  It is nothing new.  Since the human race became a species of its own, we have pondered the challenge of concealing our communications from others.  Secrecy--stealth--is not a preserve of the human species.  Secrecy--stealth--is a matter of survival for all our brothers, sisters and cousins in the animal world from which we have evolved.  Whether in times of peace or in times of war, we all harbor secret thoughts, feelings, desires, objectives, and so forth that we want to share only with those we absolutely trust, and that we want to carefully conceal from those who would take advantage of us if they knew what we had in mind.

• Encryption makes this possible.  Phil Zimmermann invented PGP because he recognized that cryptography "is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone."  Here is where you can read Phil Zimmermann's fuller explanation as to why you need PGP.  In the development of PGP, Zimmermann was greatly assisted by his knowledge of the long history of cryptography.  Like Sir Isaac Newton, Zimmermann was able to achieve what he achieved because he "stood on the shoulders of giants" who went before him.

• How does PGP work?  OK, here goes; put your thinking cap on...  When you have successfully completed Step 3 of this tutorial, you'll have created two keys to lock and unlock the secrets of your information.  There is your Public Key, which you'll share with anyone you wish (the tutorial also will show you how you can put your Public Key on an international server so that even strangers could send you encrypted data if they wanted).  Your Public Key is used to encrypt--put into secret code--a message so that its meaning is concealed to everyone except you. Then there is your Private Key, which you'll jealously guard by not sharing with anyone.  The Private Key is used to decrypt--decode--the data (messages and so forth) that has been encrypted using your Public Key.  So the message encrypted (encoded) using your Public Key can only be decrypted (decoded) by you, the owner of the corresponding Private Key.  

• This solves one of two major problems with older methods of encryption, namely that you had to somehow share the key with anyone you wanted to be able to read (decrypt) your secret message.  The very act of sharing the key meant that some untrustworthy so-and-so could intercept it--and frequently did.  Which meant your code was practically useless.  The second major problem with older methods of encryption was the relative ease with which the code could be broken.  Codes have to be incredibly complex if they're to foil the attempts of astute humans to crack them.  This is all the more the case today when we have increasingly powerful computers to do the dirty, "brute force," work of trying every conceivable combination of  key possibilities for us.  PGP, and other similar encryption systems, use a key that is really--well--astronomically large.  And the size of the key can be increased whenever necessary to stay one step ahead of advances in technology.  Time alone will tell if PGP can stand the test of time, but for now it's one of the best encryption technologies you'll find.

• If you would like to read the history of encryption and understand the origins of Zimmermann's PGP program, an excellent account is given in Simon Singh's CODE BOOK (Doubleday, New York, NY, 1999).  Find out more about PGP at the International PGP home page.  The CryptoRights Foundation is another good website for information regarding privacy issues.  You might also like to join the PGP-BASICS User group where you can find speedy and informed answers to questions that might arise as you get started using PGP.  Once you're more experienced with the program, you can join the PGP Users Mailing List so you can keep in touch with issues related to privacy. 

• Once the download is complete, you'll have the zipped version of the PGP program on your hard drive.  Now you have to unzip it.  For this, your best bet is to use the shareware WinZip which you'll need to have installed on your computer.  You may already have this program from when you had to install other software.  You can check if you have the WinZip program by simply double clicking on the file you just downloaded (PGPFW658Win32.zip).  If you don't have WinZip installed on your computer, or if you're in doubt, you can go get it (download it) from the web.  The best place to do this is at http://www.winzip.com/ddchomea.htm.  Follow the directions to install the WinZip software on your computer.

• Now locate the PGP zip file PGPFW658Win32.zip wherever you downloaded it on your computer and double click on it to unzip it.

• Next you'll be prompted to run the PGP Setup program, which will begin immediately.  You'll be presented right away with the PGP Freeware 6.5.8 Setup Wizard.

• Follow the Wizard's step-by-step directions, clicking on the Next button as you go along.  When asked, let the Wizard do all the setup for you, then wait while the Wizard goes to work.

• Once the PGP software is installed, you will have to reboot your system.  PGP will prompt you to go ahead and Restart.

• After your system has been restarted, you are ready to create your Public and Private Keys. 

• Now that you have the PGP software installed on your computer, you need to create a Public and Private Key pair.  This you can do at any time.  Remember as you complete the steps that follow that your Public Key is so-called because you will willingly share it with others so that they can use it to send you secret information.  Your Private Key is so-called because it alone will decode any information encoded with your Public Key.  As long as you alone have knowledge of your Private Key, your privacy is assured.  Here are the steps to follow:

1. Open PGPkeys by selecting Start/Programs/PGP/PGPkeys or by clicking on the PGPtray icon in the lower right corner of your screen and selecting PGPkeys in the pop up menu.

2. The PGPkeys window opens up, listing various people's Public Keys, among which in a short while will be yours and any others (your correspondents) that you choose to add to the list.

3. In the PGPkeys menu bar, click on the Generate New Keypair icon to bring up the PGP Key Generation Wizard.  Read the introductory dialog, then click on Next.

4. The PGP Key Generation Wizard now asks you to enter your name and e-mail address.  Do this now.  You can use any name you like and it's a good idea to use a genuine e-mail address so you can take advantage of the PGP feature which will look up the correct key for you when you are writing to a particular correspondent.  Click Next when you're done entering your name and e-mail address.

5. Now the PGP Key Generation Wizard asks you to select a key type.  Accept the default (Diffie-Hellman/DSS) and click Next.

6. The PGP Key Generation Wizard next asks you to specify a size for your new keys.  Again accept the default (2048 bits, which will give you a key so large that it would be well nigh impossible to figure out even by the most powerful computer in the world) and click Next.

7. Now the PGP Key Generation Wizard asks you when you want your key pair to expire.  Accept the default (Key pair never expires) and click Next again.

8. The PGP Key Generation Wizard now asks you to enter a passphrase.  Think about this before you proceed.  Choose a passphrase that has at least eight (8) characters (that's a minimum of 8 characters as a requirement), with a mix of upper and lowercase letters or other characters.  The greater the mix of characters and the longer the passphrase, the better.  As Herb Kanner explains, "The size of the passphrase, and the inclusion of mixed case and non-alphabetics is to increase the difficulty of a brute force attack on your passphrase."  So, if you use a longer passphrase (Herb's is 15 characters long, and Bernie's is 33!!) even if someone used a supercomputer, it would take an intolerably long time for it to try all combinations till it hit on your passphrase.  Enter your passphrase once you've decided what it will be, hit Tab, and re-enter it for confirmation. Then click Next again.

9. If you have entered an inadequate passphrase, the PGP Wizard will warn you and ask you to go back and re-enter another passphrase.  But if all is well, the PGP Key Generation Wizard will now go ahead and generate your key pair.  You may be prompted to move your mouse around or hit random keys on the keyboard to help the Wizard create a more secure key.  Click Next when the Wizard has finished generating your key.

10. You'll now be asked if you want to send your new Public Key to a server where others around the globe can find it and use it when they want to encrypt data they wish to send you.  This is optional, so click in the box only if you wish to do this, then click on Next once more.

• That's it!  You're done creating your PGP Public and Private Keys.  Now all you have to do is share your Public Key with anyone with whom you wish to exchange secure information.  The next sections tell you how to do this, and how to use your key and those of your correspondents to encrypt and decrypt the data that you exchange. 

• This is simple.  Best way to do it is to send it as an e-mail to whoever you want to have it.  Read what follows carefully, however, so you understand how PGP works.  Needless to say, the recipient of your Public Key will have to have PGP installed on their own computer if they want to be able to use your Public Key to encrypt the data they want to send you.  Likewise, you have to have anyone else's Public Key if you want to send them encrypted data.  This is a bit tricky to understand at first, but think about it.  Anyone who uses PGP has two keys, a Public Key and a Private Key.  Your Public Key is used by other people to encrypt information they want to send you so no one else but you can know what the information contains.  When you receive an encrypted message from someone (could be any kind of data, not just text), you use your Private Key to decrypt it.  The neat thing is that you're the only person who can decrypt the secret message because you're the only person who has the Private Key, with the passphrase that unlocks it (unless you share your passphrase and Private Key with someone else, which would defeat the purpose of PGP!).

• If you want to, you can put your Public Key on one or more servers that form an international server chain.  Effectively, this makes your Public Key available to anyone anywhere who would like to exchange secure communications with you.  The Manual that accompanies the PGP program you downloaded explains how to do this if you did not already select that option during the installation process (Step 3:10 above).

• To include your Public Key in an e-mail message, here's all you do:

1. Open PGPkeys by selecting Start/Programs/PGP/PGPkeys or by clicking again on the PGPtray icon in the lower right corner of your screen and selecting PGPkeys in the pop up menu.

2. Locate your keypair among the list of keys in the dialog box and select it (by clicking once on it).  Then copy it (Edit/Copy or control-C)

3. Start a new message in your e-mail editor, in the To: box enter the e-mail address of the recipient, and type a subject header such as "My Public Key"

4. Now click to put the cursor in the body of the e-mail, Paste your Public Key (Edit/Paste or control-V) into the body of the e-mail, and send it.

Back to the Table of Contents

Step 6: Adding someone else's Public Key to your keyring

Back to the Table of Contents
 

© Netiva Caftori, Bernie Poole, 2001.  All rights reserved / poole@pitt.edu, ncaftori@neiu.edu / Revised 5/16/01