Wow. That sounded like one heck of an authoritative answer. But I was always under the impression that it's against the law to have *ANY* encryption that the NSA can't break.
Naw.
They really wanted that to be the case. Congress considered a resolution in the late 80's, as I recall, that would have done this. Anyhow, PGP was released into the wild and, try as it may, the NSA can't unring that bell. Phil Zimmermann, the guy who wrote PGP, whom I met briefly at a bookstore when I lived in Boulder, was the subject of a federal criminal investigation for "export of munitions" since strong cryptography counted the same as an RPG or something. Let's see .... (link digging... aha)... check this out for any (more) information than you ever wanted to know:
http://www.scramdisk.clara.net/pgpfaq.html
Also, in reviewing this thread I noticed that none of us have actually answered the poster's inquiry, to wit:
How does one use it? I don't use Outlook for email, mine is all web-based; is that a problem?
How secure is it really?
What does one have to do to get started?
First question: How does one use it?
PGP takes what you want to scramble, i.e., an e-mail message, and encrypts it. If you do all your e-mail web-based, you'd basically be composing your e-mail in Notepad (NOT saving it), then using Windows' "copy" function. Then you tell PGP to "encrypt the clipboard" (which is the spot in memory where the message is), and you then would "paste" the encrypted message into your web-based e-mail software window. A message looks like this once scrambled:
-----BEGIN PGP MESSAGE-----
Version: PGP for Personal Privacy 5.0
MessageID: t54f4dZC8XNWuvidgLLMqMt1U3J7WUI5 [...] =yNu5
-----END PGP MESSAGE-----
As for your second question, how secure is it really, you need a bit more information on how it works. Basically, the "weak link" in any encryption scheme is how to handle the "key" that decodes the message. If you don't have a secure way to get the key into the recipient's hand before you send the message, then your scheme is broken. (After all, if you're worried about someone looking through your e-mail to your lover/lawyer/accountant/etc., then you don't want to be e-mailing the "key" beforehand.) PGP overcomes this using math. When you generate your "key" it actually generates TWO keys, one private and one public. Through the magic of math, the two keys are related in such a way that if you encrypt something with the public key, only the private key can be used to decrypt it. Also, the private key cannot be mathematically ascertained from the public key.
So that's the most important aspect of PGP. If you want to send ME a message, you'd look up my public key (or I'd give it to you over even an insecure channel), and then you'd use that public key and the PGP software to encrypt your message. Once the message is encrypted into the gibberish above, only I can unencrypt the message by using my private key.
Actually, what's interesting with PGP is that the "keys" we're talking about (public and private) are not used to actually scramble your message. Instead, they scramble the key to a different encryption system that is used on the actual message text.
As far as security goes, PGP or "Pretty Good Privacy" is not just pretty good. It's very good. I remember reading somewhere that with a sufficiently large PGP key it would take thousands of years to crack the code, and that's if you used all the known silicon atoms in the universe to make a supercomputer that could try millions of keys a second.
BTW, encryption software has been going through a debate very much like that associated with gun control. The gov't (Klinton's administration in particular) said private citizens don't need it, and articulated a need to keep crypto out of the hands of baddies like terrorists. Of course, as is the case with guns, they'll get it anyway, so my opinion is heck with it, let's all encrypt.
That said, I encrypt less than 1/2 of 1/2 of 1/2 of 1% of all my e-mail, max. Mostly because I'm not allowed to install crypto at work and that's where I e-mail from.
As to the last question, what does one have to do to get started, basically you just need the software and to read the manual and documentation. Then have the program generate your key pair, upload your "public" key to a key server and have at it.
(Edited to fix an error or two)
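The post above explains the two ideas that make PGP work: the recipient's public key is used only to lock up a throwaway message key, and that message key is what actually scrambles the text, after which the whole thing is pasted around as a base64 block between BEGIN/END lines. The following Go program is an added illustration of exactly that hybrid pattern, written for this thread; it is not PGP's own code and does not produce the real OpenPGP file format. It uses only the Go standard library (RSA-OAEP to wrap the message key, AES-256-GCM for the message). The `Envelope` type, the function names and the "Version: hybrid-demo" header line are constructed for the example, and the byte layout inside the armored block is the example's own, not OpenPGP's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Envelope is this example's constructed container for one encrypted message:
// the per-message AES key sealed to the recipient's public key, plus the
// AES-GCM nonce and ciphertext. Nothing in it is usable without the private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the random message key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM output (message plus authentication tag)
}

// NewRecipientKey generates the "two keys" the post describes: the returned
// private key holds the public half in priv.PublicKey, which is the part you
// can hand out over an insecure channel.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt follows the hybrid scheme: a fresh random symmetric key scrambles the
// message, and the recipient's public key scrambles only that symmetric key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	msgKey := make([]byte, 32) // AES-256 key, used for this one message only
	if _, err := rand.Read(msgKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(msgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the 32-byte key goes through RSA; the message itself never does.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msgKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt recovers the message key with the private key, then opens the
// message. With the wrong private key the OAEP unwrap fails and an error is
// returned, which is the property the post relies on.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(msgKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Armor renders the envelope as base64 text between BEGIN/END lines, the same
// shape as the block pasted in the post. The header and layout are constructed
// for this example and are not the OpenPGP armor format.
func Armor(env *Envelope) string {
	raw := make([]byte, 0, len(env.WrappedKey)+len(env.Nonce)+len(env.Ciphertext))
	raw = append(raw, env.WrappedKey...)
	raw = append(raw, env.Nonce...)
	raw = append(raw, env.Ciphertext...)
	enc := base64.StdEncoding.EncodeToString(raw)
	var b strings.Builder
	b.WriteString("-----BEGIN PGP MESSAGE-----\nVersion: hybrid-demo (constructed)\n\n")
	for len(enc) > 64 { // wrap at 64 columns so it survives a paste into webmail
		b.WriteString(enc[:64] + "\n")
		enc = enc[64:]
	}
	b.WriteString(enc + "\n-----END PGP MESSAGE-----\n")
	return b.String()
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(&priv.PublicKey, []byte("meet at the bookstore in Boulder")) // constructed sample text
	if err != nil {
		panic(err)
	}
	fmt.Print(Armor(env))
	pt, err := Decrypt(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

The design point to take from it: the RSA step is expensive and can only wrap something small, so it protects the 32-byte message key, while the bulk text is handled by the fast symmetric cipher, and a fresh message key per message means compromising one message's key reveals nothing about the others.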