From The Urbach Letter – February 2007


Keeping Secrets (Part 3)

If you don't care that private details about your finances, medical history, and sensitive personal matters may become public knowledge, you can safely ignore what I'm about to tell you. Likewise, if you're 100% certain there's nothing on your computer's hard drive you wouldn't mind seeing printed on the front page of tomorrow's newspaper, it's OK to save yourself a little reading time. (There are some silly things over there in the right column to amuse you instead.) However, if you would like to know how I keep my private life private, how I send and receive sensitive email messages with absolute assurance they've never been intercepted or altered, and how I make sure my laptop computer, if stolen, has zero value to anyone but me, read on, brother.

I can make those bold statements because I know about PGP. And, in just a few minutes, you will too. This is installment number three in the "Keeping Secrets" article series. Here are links for Part One and Part Two. If you've been following along, you already know a little bit about the background of encryption (Caesar's cipher and the Ovaltine secret decoder ring), "old school" cryptography (the airport courier with cuffed briefcase containing symmetric lock/unlock codes or codebooks), and lastly, the idea behind public key cryptography (PKC). As a quick reminder, PKC involves matched sets of keys: a private key that you keep very, very secret, and a public key that the world can see. Your private key is the one that unlocks (decrypts) secret messages sent to you, and it can also lock (sign) messages you send. But you show your public key to everyone. They can use it to prepare a message only you can read. That's the beauty of PKC: no need to ever exchange "secret" codes with anyone.
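To make the "matched keys" idea concrete, here is a small worked example added for this article (it is not code from The Urbach Letter or from PGP Desktop). It uses textbook RSA with tiny, hand-picked primes so the arithmetic is visible; the key owners "Alice" and "Bob" and the message are constructed for the demo. Real PGP keys are thousands of bits long, use randomized padding, and lock the message itself with a random session key, encrypting only that session key with the recipient's public key, so treat this purely as a picture of the concept.

```python
"""Toy textbook RSA showing how a matched public/private key pair works.

Added illustration, not code from The Urbach Letter or from PGP Desktop.
The primes are tiny constructed values so the numbers fit on a page; real
PGP keys use moduli of thousands of bits, randomised padding, and a hybrid
design (the message is encrypted with a random session key, and only that
session key is locked with the recipient's public key).
"""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) built from two primes p and q.

    public_key  = (n, e) is safe to publish (or upload to a keyserver).
    private_key = (n, d) must stay secret; d is the inverse of e mod phi(n).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Lock a short message with someone's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)  # ciphertext is just an integer


def decrypt(private_key, ciphertext):
    """Unlock a ciphertext with the matching PRIVATE key."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message):
    """The other direction: lock a hash of the message with the PRIVATE key."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Anyone holding the PUBLIC key can check that lock."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


# Constructed demo keys: 10007, 10009, 10037 and 10039 are primes (toy sizes only).
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(10007, 10009)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(10037, 10039)


def demo(message=b"PGP"):
    """Send a message to Alice and report what each key recovers from it."""
    ciphertext = encrypt(ALICE_PUBLIC, message)          # anyone can do this
    with_right_key = decrypt(ALICE_PRIVATE, ciphertext)  # only Alice can
    with_wrong_key = decrypt(BOB_PRIVATE, ciphertext)    # Bob just gets noise
    signature = sign(ALICE_PRIVATE, message)
    return {
        "ciphertext": ciphertext,
        "with_right_key": with_right_key,
        "with_wrong_key": with_wrong_key,
        "signature_ok": verify(ALICE_PUBLIC, message, signature),
        "tampered_ok": verify(ALICE_PUBLIC, message + b"!", signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value!r}")
```

Running it shows the ciphertext as a number that looks nothing like "PGP", Alice's private key turning it back into the original bytes, Bob's private key producing garbage, and a signature that checks out for the original message but not for an altered one.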

More Than Pretty Good
PGP stands for "Pretty Good Privacy," but it's more than pretty good. It's actually the very best non-military crypto available. Like many very good things, PGP was invented by a single idealistic individual, Phil Zimmermann, who felt that encryption shouldn't be the exclusive province of government agencies and military organizations. Unfortunately for Phil, the U.S. Government didn't feel the same way, and accused him of illegally exporting encryption technology. He spent three years of his life defending himself in a costly prosecution, which was eventually dropped when it was shown that similar systems were already known outside of the United States. Of course, post 9/11, we're all concerned about terrorists using encrypted messages to communicate their evil plans. However… the cat's been out of the bag for quite some time now. For example, the technology of steganography has been around for decades. Steganography is the art and science of embedding a secret message inside an innocent-appearing document, music file, or graphic image. The 9/11 terrorists apparently used this method of communication. However, that certainly shouldn't keep you from keeping legitimate and lawful secrets of your own.

The strategies I'm going to show you are perfectly legal. You as a citizen have every right to maintain the privacy of your documents and communications.

If I've made my case, and convinced you that it's time to get serious about securing your communications and private information, what's next? I'll give you the bad news first. You'll need to spend a little money. $83 to be exact. That's how much it'll cost for a one-year single-user license of PGP Desktop Professional (after a 30-day free trial). PGP Desktop automates all the tough parts of dealing with this technology. It does a lot more, but here are the 3 main benefits from my perspective:

  1. PGP Desktop helps you create your own super-secret private key and the matching public key. It then uploads that public key to a "keyserver" so other folks who want to communicate with you can find it (and you can find theirs as well).

  2. It monitors your inbound and outbound emails, selectively encrypting and decrypting messages according to your specifications (i.e. only certain messages to certain people get encrypted, etc.).

  3. Especially important for laptops, it provides for "Whole Disk Encryption." In a process which initially takes a few hours (but is afterwards immediate and invisible), your entire hard disk is thoroughly encrypted. To use the computer after that you MUST enter your passphrase on start-up, and it's business as usual. Without a passphrase, however, the computer does nothing. Absolutely nothing. Renders it quite useful as a door-stop... but not much else.

Baby Steps
At the very minimum, I recommend downloading PGP Desktop and using it to secure the contents of your disk. It's very easy to do and will give you great peace of mind. Later, you can explore the more advanced features of the software and start to exchange private messages. By the way, there are other ways of encrypting your disk. Windows XP Professional has the ability to do it on a file or folder basis. There are also public domain methods of securing your email at no cost. But for me at least, time is money. I'll spend a few dollars to have a simple, foolproof system that'll actually get used. That's why I recommend PGP, particularly if you have a laptop computer (which of course is far more likely to be lost/stolen than a desktop computer).

Training Wheels
However, if you are interested ONLY in sending and receiving secure emails with a limited number of people (under 20), there is a good, free alternative I can recommend. It's called PrivateMail from TrustTone Communications, Inc. As noted on their site, PrivateMail features "Grandma can use simplicity." It's the most straightforward application for Outlook or Hotmail users I've found.


PrivateMail adds a simple toolbar which gives you control over the security features of your email. There are 3 versions: Free, Pro, and Enterprise. Like PGP Desktop, PrivateMail also automates key generation and interchange.

How to Trade Secret Messages with Victor Urbach
Well, you'll need to know my public key (or how to find it). First, the hard way. Here's my public key:

Version: PGP Desktop 9.5.2 (Build 4075)


You could just copy and paste that into your copy of PGP Desktop, but there's an easier way. Since I've also published it to the PGP Global Directory, a massive "Key Server" that functions like a global white pages for PGP keys, you can look me up (or find other folks you'd like to communicate with).

Don't let the ugliness of that key block up there deter you from getting started with PGP. I included it more to show you what a public key looks like than anything else. Believe me, the software deals with all the hard stuff. It automates key exchanges, the encryption/decryption, and all the other techie stuff. You just need a general idea of what to do, which I hope this article has provided.
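For the curious, here is an added example (not from The Urbach Letter or PGP Desktop) of what that "ugly key block" actually is: a plain-text wrapper called ASCII armor, with a BEGIN line, a few "Name: value" headers such as the Version line shown above, the key's raw bytes written out in base64, a 24-bit checksum on a line starting with "=", and an END line. The code builds and reads such a block and checks the checksum (the CRC-24 defined in RFC 4880 section 6); the payload bytes are constructed filler, not a real key, and the is_intact/tamper helpers are my own names for the demo.

```python
"""Build, read and check an OpenPGP ASCII-armored block (the "ugly key block").

Added example, not from The Urbach Letter or PGP Desktop. It follows the armor
layout and CRC-24 checksum of RFC 4880 section 6. SAMPLE_PAYLOAD is
constructed filler, not a real key.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 for the radix-64 checksum line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type: str, payload: bytes, headers=None) -> str:
    """Wrap raw bytes: BEGIN line, headers, blank line, base64 body, =CRC, END line."""
    headers = headers or {}
    lines = [f"-----BEGIN PGP {block_type}-----"]
    lines += [f"{key}: {value}" for key, value in headers.items()]
    lines.append("")
    b64 = base64.b64encode(payload).decode("ascii")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-column body lines
    crc_bytes = crc24(payload).to_bytes(3, "big")
    lines.append("=" + base64.b64encode(crc_bytes).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str):
    """Parse an armored block; return (block_type, headers, payload) or raise ValueError."""
    lines = text.strip().splitlines()
    begin = re.fullmatch(r"-----BEGIN PGP (.+)-----", lines[0].strip())
    if not begin or not re.fullmatch(r"-----END PGP (.+)-----", lines[-1].strip()):
        raise ValueError("missing BEGIN/END armor lines")
    headers, body, crc_line, in_headers = {}, [], None, True
    for line in lines[1:-1]:
        line = line.strip()
        if in_headers:
            if line == "":
                in_headers = False          # blank line ends the header section
            elif ": " in line:
                key, value = line.split(": ", 1)
                headers[key] = value
            else:
                raise ValueError(f"bad armor header: {line!r}")
        elif line.startswith("="):
            crc_line = line[1:]             # "=XXXX" checksum line
        elif line:
            body.append(line)
    payload = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line), "big")
        if expected != crc24(payload):
            raise ValueError("CRC-24 mismatch: block was corrupted or altered in transit")
    return begin.group(1), headers, payload


def is_intact(armored: str) -> bool:
    """True if the block parses and its checksum matches (demo helper)."""
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False


def tamper(armored: str) -> str:
    """Change one character of the base64 body (constructed corruption for the demo)."""
    lines = armored.splitlines()
    idx = lines.index("") + 1               # first body line follows the blank line
    first = lines[idx]
    lines[idx] = ("B" if first[0] != "B" else "C") + first[1:]
    return "\n".join(lines) + "\n"


# Constructed filler bytes standing in for real key material.
SAMPLE_PAYLOAD = bytes(range(40))
SAMPLE_HEADERS = {"Version": "PGP Desktop 9.5.2 (Build 4075)"}

if __name__ == "__main__":
    block = armor("PUBLIC KEY BLOCK", SAMPLE_PAYLOAD, SAMPLE_HEADERS)
    print(block)
    print("original intact:", is_intact(block))
    print("tampered intact:", is_intact(tamper(block)))
```

The checksum is not a security feature (anyone who can alter the block can recompute it), but it is why a key mangled by a mail client or a bad copy and paste gets rejected instead of silently imported as the wrong key; whether the key really belongs to the person you think it does is the separate question of verifying fingerprints or signatures.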

There's more to the story though. Next month I'll show you how to make sure the document you just received as an email attachment is really from whom you think, and how to tell if anybody else has altered it. Stay tuned!


(c) Copyright 2002-2010 Victor Urbach
This article may be reprinted with permission and attribution