Microcap & Penny Stocks : JAWS Technologies - NASDAQ (NM):JAWZ


To: caly who wrote (1345) 12/4/1998 11:14:00 AM
From: Walter Morton
 
Click on Compare (at the bottom): syncrypt.com

I wonder what JAWZ would look like in this comparative list?



To: caly who wrote (1345) 12/4/1998 12:15:00 PM
From: Walter Morton
 
This is an excellent article, except that it mentions everybody except JAWZ.

I think that I will email Dan Gillmor (dgillmor@sjmercury.com) and ask his opinion on JAWZ.

Posted at 3:53 p.m. PDT Friday, July 24, 1998

How to make encryption work for you

WHENEVER I write about encryption -- the scrambling of digital
information to keep it from prying eyes -- a few readers invariably
challenge me to put my public key where my mouth is. That is, they
want me to publish a long sequence of characters that will let them
send me information in a way that ensures only they and I can
understand it.

They're right to needle me. So I'm going to explain how you -- or
Alice or Bob Whistleblower -- can send me encrypted files.

In the process, you, Alice and Bob will learn how to enhance privacy in important ways. And that's what really matters. Why?
Because we are moving more and more of what we do onto data
networks -- sensitive information about our health, finances and
other aspects of our personal lives. If I'm ever going to exchange this kind of information online with my doctor or accountant or lawyer, I'll use strong encryption, and I'll make sure they do the same, or I'll find new professional help.

Your privacy is so important that I'm going to tell you some of the
hairy details about how to make encryption work for you. But let me
give you a little background first.

Before I wrote this, I visited with Philip Zimmermann, a man of note
in the pro-privacy community. A few years ago, Zimmermann wrote an important software program: PGP, which stands for Pretty Good
Privacy, a pretty big understatement.

Now, PGP isn't absolutely unbreakable. No encryption system is
absolutely unbreakable. However, since all of the supercomputers in
the world would have to work full-time for billions of years to crack
a single message scrambled by PGP, we're pretty safe using it.

PGP started out as freeware. A couple of years ago, Zimmermann
created a company to sell it commercially, too. After several
corporate mergers, PGP ended up in the hands of Santa Clara-based Network Associates Inc.

You can still download the latest version of PGP from Network
Associates' Web site nai.com for no charge if it's for non-commercial use. You can also buy it online or in a box that adds a manual and telephone support.

Keep in mind that PGP isn't the only such product. Other encryption
programs for personal computers include SynCrypt (http://www.syncrypt.com), which has several useful features not
found in PGP. Microsoft and Netscape both include something
called S/MIME encryption, which is quickly growing more popular,
in their latest e-mail software. RSA Data Security
(http://www.rsa.com) offers a free S/MIME plug-in for some e-mail
programs. Unfortunately, many of these products are incompatible
with each other -- something the cryptography community should fix.

I also want to emphasize that this isn't a pitch for PGP. It's simply a plea that you take firmer control of your own privacy: Get some
encryption software, whatever brand, and start using it.

I believe that our government, despite repeated promises to the
contrary, will eventually try to ban or control the use of encryption
that it cannot easily crack. The government already has made life
more difficult for American companies trying to export products
containing strong encryption, because Uncle Sam still considers
encryption to be a weapon we need to keep here -- despite the
reality that you can buy strong encryption overseas.

One part of the government's campaign was hounding Zimmermann
for several years because someone put PGP on the Internet, from
which it was theoretically exported. His persecution was an
outrageous intrusion by authorities who were refusing to
acknowledge the reality that they could no longer prevent strong
encryption from gaining wider use.

OK, now that you know why you should use encryption software
and have a little background, let's explore some of the details. This
may feel a bit daunting at times -- though I've tried to avoid
denseness -- but I trust it'll be worth the effort.

The Windows version of PGP that I'm running at work plugs directly
into several e-mail packages, including Eudora, a superb e-mail
package available as freeware and in commercial versions, plus
Microsoft Exchange and Outlook Express. It'll also work seamlessly
with an upcoming version of Netscape's software.

Of course, millions of people use America Online for their e-mail.
The Windows version of PGP will help protect your privacy even
with AOL -- and that, if you'll bear with me as we go into some
detail, is what I'll show you how to do. (The Mac version of PGP
works even more smoothly with AOL than the Windows version,
incidentally.)

Installing PGP is fairly easy, though no encryption product is simple
enough for my tastes. I used a CD-ROM that contained both the
Mac and Windows (95/98/NT) versions, but keep in mind that I
could have downloaded the software after assuring Network
Associates, which was asking on behalf of the government, that I
wasn't trying to export the product illegally.

Let's assume you've downloaded it. As you install the software,
you're prompted to type in some basic registration information, such
as your name and, if you want, a company name. You can make up
a name if you want. (And you might do just that if you're a
whistle-blower, hint, hint.)

Then you have to create what are known as ''key pairs.'' To
understand this, let's look a bit under the covers.

When you encrypt something, you scramble it. To decrypt, you
unscramble the information. Encryption is like locking data in a vault. So to encrypt or decrypt, you need a key.

If all you want to do is make some files on your hard disk private,
the best way is to use regular encryption, using the same key to
encrypt and decrypt the files. That's safe when you're the only one
with access to the key.

But when you want to send messages from computer to computer,
you have a problem. Using regular, single-key encryption, both
parties need the key. That's impractical in many cases, and
ultimately, the only person you can rely on to keep a key secret is
yourself.

A pair of brilliant scientists -- Whitfield Diffie and Martin Hellman -- solved the problem a generation ago by inventing ''public-key''
encryption, a system that allowed people to send each other
messages without both having to use the same key. Another huge
contribution came from Ron Rivest, Adi Shamir and Leonard Adleman, who invented the RSA method used in many encryption products.

Public-key encryption basically works this way:

I have a public key and a private key, essentially very long numbers
that are generated together and have a mathematical relationship with
each other. I publish my public key. You use my public key to lock
up, or encrypt, a message you want me to read, and then you send
me the scrambled message. I use my private key, which only I
know, to unlock (decrypt) the message.

Actually, the process is a bit more complicated, because for some
crypto-specific reasons, it's not very efficient or safe to simply
scramble the entire message using someone else's public key. PGP
and other public-key systems use regular, single-key encryption to
scramble your original message, and create that new, single-use (also
called ''session'') key on the fly. The software then scrambles that
new, one-time key using my public key. You ship me a digital
package containing both the scrambled message and the key I'll use
to open it; remember, I'll be the only one who can open it because
I'll be the only one who can unscramble that original key you used to
encrypt your message in the first place.

Public-key encryption's wonderful math also gives you the ability to
attach a ''digital signature'' to your message -- verifying that you, and only you, could have sent that message. Here's how: If you scramble a message using your private key and send it to me, I can use your public key to unscramble it. Since you're the only person who could have scrambled it, I can safely assume you sent it.

You may want to encrypt a message with both your private key and
my public key. That way, I'll be the only one who can read it and
you'll be the only one who could have sent it.

OK, back to our installation and beginner's tutorial.
Let's say you're using the Windows version of PGP 5.5, though the
gist of this applies to the Mac version. (If you're running Unix, I'll just assume you already know what you're doing.) You've installed the
software and are about to create your key pairs, those public and
private keys.

The software asks you for a name and e-mail address -- say, Bob
Whistleblower (bobw@criminalcorp.com). It asks you how large a
key pair you want to generate; in general, the bigger the key pair, the safer it is, but the longer it takes to scramble and unscramble things. Bob, who's fairly paranoid, selects 3,072 bits, but you're pretty safe if you opt for the suggested 2,048 bits.

Then you're asked how long you want the keys to last. Bob goes
with ''never expires,'' but there are also some good reasons to pick
a shorter period. It's up to you.

Now comes a crucial part of the process. PGP wants you to select a
pass-phrase, something that is your own key into the key pairs.
You'd never remember the actual keys -- they're way too long -- but
you can definitely remember a phrase.

A bad pass-phrase would be your child's birthday. A good one is
long and strange enough to thwart a computer or person, but
something you can remember. Zimmermann says it should be
something you've had in your head for many years already.
My pass-phrase goes back to my childhood. One day, my father
and I were making up sentences that contained fake words. He said
something so silly it made me laugh at its sheer absurdity, and I've
had it in my head ever since.

You type in your phrase -- twice, once to verify the first -- and the
software generates the new key pairs. You'll have a couple of
self-evident steps to finish, and you'll see a new window on the
screen. This is called PGPKeys; it's a ''virtual key ring,'' a listing of various people's keys that now includes your own name and e-mail
address.



Now for a crucial chore. We need to register our public key so
other people can find it. After all, if I want Bob or Alice
Whistleblower to tip me to a great story, they need to be able to use
my public key to scramble their message. The same principle applies
to you, if you want other people to be able to send you private
messages.

First, connect to your Internet service provider. Then go to the menu
of PGPKeys and select Keys/Send Key to Server. You'll have a
choice of where you want to register your public key -- on a
computer, called a ''key server,'' at another location where other
people have registered before. Mine is on a computer at the
Massachusetts Institute of Technology
(http://pgpkeys.mit.edu:11371), but you can also send your PGP
public-key information to a machine at Network Associates or other
computers.

By now, you may have realized the basic flaw in this system.
Couldn't someone create a PGP key pair using your name and
e-mail address, trick other people into using the bogus key, hire a
hacker to intercept your transmissions (easier than cracking your
actual keys) and read all your mail? Someone could, but this would
work only if the sender didn't bother to verify that you were the
person who registered the key.

If you and I saw each other in person, I could hand you a floppy
disk containing my public key. You could load it into your key ring.
You could also verify my public key by downloading it from one of
the key servers. It'll show up in your PGPKeys list. Select Keys/Key
Properties. At the bottom, you'll see something called a Fingerprint,
a long series of numbers and letters, four at a time. You could then
phone and ask me to read you my fingerprint out loud. If you were
sure I was at the other end of the line, now you'd know you had my
real public key. If it doesn't match, you either got the wrong key
from the key server -- possibly the one I registered but forgot my
pass-phrase, duh -- or a bogus one.

I work for a newspaper, which makes this simpler. I can just publish
the thing, and then you can go straight to the publicly accessible
computer where you can obtain and verify my public key.



My fingerprint -- FE68 46C9 80C9 BC6E 3DD0 BE57 AD49
1487 CEDC 5C14 -- is hereby published. I'll also publish the full
public key on my Web page, the location of which is listed below.
As I noted, if you're using PGP 5.5 for Windows with newer
versions of Eudora or Microsoft Exchange or Outlook Express, you
can seamlessly encrypt e-mail to me. Just follow the instructions.
But if you use AOL or some other program, it's just a bit more
complicated, though still a long way from brain surgery. (The Mac
version is even easier; just use PGP from the menu.)

I'm assuming you've installed PGP by now and are using Windows.
In AOL, create a new message to me. When you're finished typing
what you want to tell me, select all of the body of the message and
copy it to the clipboard of your computer. Then click on the little
mail icon in the Windows 95 tray on your Windows Taskbar. Select
''Encrypt Clipboard.'' A ''PGP Key Selection Dialog'' window will
pop up. Use the mouse to select my name from the top pane, which
contains the list of public keys on your computer, and drag it to the
bottom pane in the window. Click OK.

Now, paste the contents of the clipboard over your original message
in the AOL mail-message window. You'll be replacing your original,
unscrambled message with the encrypted version -- it'll start
''-----BEGIN PGP MESSAGE-----'' followed by gobbledygook
-- and then send me the message. When I get it, I'll simply use my
private key to unscramble it. This is the barest of beginnings on how to use PGP, which comes with extensive help files. There are also several Internet newsgroups devoted to the topic, though the talk can get pretty technical. But this is worth learning, because your privacy is worth preserving.

I don't want to suggest that you have to encrypt every message or
file. Paranoia is no more helpful than lazily assuming no unauthorized
person could ever read what you send or store.

I plan to protect my privacy. I hope you will do the same.

Dan Gillmor's column appears each Sunday, Tuesday and Friday. Visit Dan's Web page (http://www.mercurycenter.com/columnists/gillmor). Or write him (and please include a daytime phone number -- for verification, not publication) at the Mercury News, 750 Ridder Park Dr., San Jose, Calif. 95190; e-mail: dgillmor@sjmercury.com; phone (408) 920-5016; fax (408) 920-5917.
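The "digital package" the column describes, including the case where a message is locked with both the sender's private key and the recipient's public key, as an added Go example that is not code from the column or from PGP. It uses RSA-OAEP, RSA-PSS and AES-GCM from Go's standard library as stand-ins for PGP's own formats; the names NewKey, Seal, Open and Envelope are chosen here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the column's "digital package": the message under a one-time session
// key, that key wrapped with the recipient's public key, and the sender's signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func NewKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Seal signs msg with the sender's private key, encrypts it under a fresh
// AES-256-GCM session key, and wraps that key with RSA-OAEP for the recipient.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	session := make([]byte, 32) // single-use key: a new one for every message
	rand.Read(session)
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, session, nil)
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}, err
}

// Open unwraps the session key, decrypts, then checks the signature against the claimed sender.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env Envelope) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err // not our key: the session key will not unwrap
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // ciphertext was altered in transit
	}
	digest := sha256.Sum256(msg)
	return msg, rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil)
}
```

Open fails both when the wrong recipient tries to unwrap the session key and when the signature does not match the sender's public key, which is exactly why verifying that public key's fingerprint matters before trusting it.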