Posted: 5/26/2003 7:44:11 AM EDT
Link Posted: 5/26/2003 8:03:42 AM EDT
[#1]
I have not used it for quite a few years now but the word is that you should use the older versions as the feds bought it up and have installed backdoors in the newer versions for about 4 or 5 years now. The older ones are up to this point, unbreakable. Zimmerman (the guy who wrote it) apparently is no longer affiliated with any version after V2.6.2.

Link Posted: 5/26/2003 9:43:00 AM EDT
[#2]
I usually don't use the email plugins as it can cause problems when files are upgraded, etc.

I mainly use the tray icon to encrypt windows or clipboard contents, and use the app to encrypt files. The email plugins give too many problems, and I have encountered bugs where the email wouldn't get encrypted properly, thus leaving the contents exposed, which is why I do all this manually.

Since v8, another company has taken it over and you can get the Freeware version, but you cannot get all of the source code to the GUI since "hackers" (i.e. gov't thugs) used to, or could have, taken the full source and add back doors and redistribute...
Link Posted: 5/26/2003 9:51:24 AM EDT
[#3]
PGP may not be secure after Zimmerman left the project. You might also look into GPG (GNU Privacy Guard) which is open source and is an evolution of the original PGP.

http://www.gnupg.org/

For details
Link Posted: 5/26/2003 10:14:25 AM EDT
[#4]
It's very secure, as long as you don't give out your private key and key phrase.

PGP has YET to be cracked.
Link Posted: 5/26/2003 10:40:28 AM EDT
[#5]
Garand_Shooter,

The easiest way to get into PGP, IMO, is to download it, install it, and read the help file.

It's pretty easy to use, once you figure out the concept of public key encryption.

There are also several good online FAQs, and usenet groups that can help you along.
comp.security.pgp.* hierarchy is where to look on usenet.

Link Posted: 5/26/2003 11:19:01 AM EDT
[#6]
The only comment I can add is in regards to anti-spam filters and mail relays.  Some packages refuse to process mail (or attachments) that have been encrypted with PGP or any other encryption program.  They are unable to scan the contents of the mail envelope and, depending on the setup, will usually hold it for personal review.  This prevents viruses from being propagated through encrypted emails.

You will usually only run into these issues when emailing to corporations or a paranoid/security minded buddy.  I don't believe this is a problem with the major web-based services.  

Actually, I don't consider it a problem, just something to be aware of in the chance a friend doesn't receive those nude pics of brittney I sent him.
Link Posted: 5/26/2003 1:18:52 PM EDT
[#7]
I use PGP 2.6.2 from a DOS box for all key generation, (my version generates RSA keys up to 4097 bits), and then I use the VERY FIRST PGP for Windows (5.0) for e-mail integration with MS Outlook.  (It will handle the RSA keys).

As someone noted, versions beyond 5.0 of the Windows software may be compromised.  V 5.0 actually had its source published for a while to show the absence of back doors, but when Zimmerman sold the company they clamped down on this.  I now defy anyone to find a version of 5.0 "in the wild".  I've got a copy of the installer, BTW, which I can make available if anyone wants it.

BTW, 5.0 uses RSA's own sub encryption library.  Some later versions use Windows' default "crypto" library, which some folk say also is NSA compromised.


Link Posted: 5/26/2003 2:04:08 PM EDT
[#8]
Quoted:
I use PGP 2.6.2 from a DOS box for all key generation, (my version generates RSA keys up to 4097 bits), and then I use the VERY FIRST PGP for Windows (5.0) for e-mail integration with MS Outlook.  (It will handle the RSA keys).

As someone noted, versions beyond 5.0 of the Windows software may be compromised.  V 5.0 actually had its source published for a while to show the absence of back doors, but when Zimmerman sold the company they clamped down on this.  I now defy anyone to find a version of 5.0 "in the wild".  I've got a copy of the installer, BTW, which I can make available if anyone wants it.

BTW, 5.0 uses RSA's own sub encryption library.  Some later versions use Windows' default "crypto" library, which some folk say also is NSA compromised.
View Quote


Wow. That sounded like one heck of an authoritative answer. But I was always under the impression that it's against the law to have *ANY* encryption that the NSA can't break.
Link Posted: 5/26/2003 2:51:38 PM EDT
[#9]
Wow. That sounded like one heck of an authoritative answer. But I was always under the impression that it's against the law to have *ANY* encryption that the NSA can't break.
View Quote


Naw.

They really wanted that to be the case.  Congress considered a resolution in the late 80's as I recall that would have done this.   Anyhow, PGP was released into the wild and try as it may, the NSA can't unring that bell.  Phil Zimmerman, the guy who wrote PGP, who I met briefly at a bookstore when I lived in Boulder, was the subject of a federal criminal investigation for "export of munitions" since strong cryptography counted the same as an RPG or something.  Let's see .... (link digging... aha)... check this out for any (more) information than you ever wanted to know:

http://www.scramdisk.clara.net/pgpfaq.html

Also, in reviewing this thread I noticed that none of us have actually answered the poster's inquiry, to wit:  


how does one use it? I don't use outlook for email mine is all web based, is that a problem?

How secure is it really?

What does one have to do to get started?
View Quote


First question:  How does one use it?

PGP takes what you want to scramble, i.e., an e-mail message, and encrypts it.  If you do all your e-mail web-based, you'd basically be composing your e-mail in Notepad (NOT saving it), then using Windows' "copy" function.  Then, you tell PGP to "encrypt the clipboard" (which is the spot in memory where the message is), and you then would "paste" the encrypted message into your web-based e-mail software window.  A message looks like this once scrambled.

-----BEGIN PGP MESSAGE-----
Version: PGP for Personal Privacy 5.0
MessageID: t54f4dZC8XNWuvidgLLMqMt1U3J7WUI5
=yNu5
-----END PGP MESSAGE-----
View Quote


As for your second question, how secure is it really, you need a bit more information on how it works.  Basically, the "weak link" in any encryption scheme is how to handle the "key" that decodes the message.   If you don't have a secure way to get the key into the recipient's hand before you send the message, then your scheme is broken.  (After all, if you're worried about someone looking through your e-mail to your lover/lawyer/accountant/etc, then you don't want to be e-mailing the "key" beforehand).  PGP overcomes this using math.  When you generate your "key" it actually generates TWO keys, one private and one public.   Through the magic of math, the two keys are related in such a way that if you encrypt something with the public key, only the private key can be used to decrypt it.  Also, the private key cannot be mathematically ascertained from the public key.

So that's the most important aspect of PGP.  If you want to send ME a message, you'd look up my public key (or I'd give it to you over even an unsecure channel), and then you'd use that public key and the PGP software to encrypt your message.  Once the message is encrypted into the gibberish above, only I can unencrypt the message by using my private key.

Actually, what's interesting with PGP is that the "keys" we're talking about (public and private) are not used to actually scramble your message.  Instead, they scramble the key to a different encryption system that is used on the actual message text.

As far as security goes, PGP or "Pretty Good Privacy" is not just pretty good.  It's very good.  I remember reading somewhere that with a sufficiently large PGP key it would take thousands of years to crack the code, and that's if you used all the known silicon atoms in the universe to make a super computer that could try millions of keys a second.

BTW, encryption software has been going through a debate very much like that associated with gun control.  The gov't (Klinton's administration in particular) said private citizens don't need it, and articulated a need to keep crypto out of the hands of baddies like terrorists.  Of course, as is the case with guns, they'll get it anyway so my opinion is heck with it, let's all encrypt.

That said, I encrypt less than 1/2 of 1/2 of 1/2 of 1% of all my e-mail, max.  Mostly because I'm not allowed to install crypto at work and that's where I e-mail from.

As to the last question, what does one have to do to get started, basically you just need the software and to read the manual and documentation.  Then have the program generate your key pair, upload your "public" key to a key server and have at it.  

(Edited to fix an error or two)
Link Posted: 5/26/2003 3:25:39 PM EDT
[#10]
Quoted:
As far as security goes, PGP or "Pretty Good Privacy" is not just pretty good.  It's very good.  I remember reading somewhere that with a sufficiently large PGP key it would take thousands of years to crack the code, and that's if you used all the known silicon atoms in the universe to make a super computer that could try millions of keys a second.
View Quote


The highest RSA key to be factored is 512 bits, yet they expect 576 bits to be factored sometime this year.  RSA expects their 2048 bit keys to take up to a couple decades to factor.  (Factoring is not breaking:  rather it is computing against a key to determine how much time and CPU it would take to crack a private key string.) In 1999, the DES3 56-bit key was factored in around 22 hours.  It took a supercomputer with a slave network of nearly 100,000 PCs to achieve that record. However, advances in cryptography and technology will always push this envelope.

If you're not going to rely on automated de-cryption, then I'd suggest using a 1024 bit key if you can.  (Most secure websites utilize single use 128 bit keys so you can rest assured that your information should be safe.)

As a side note:  Once you generated your public and private keys, immediately burn a copy to a CD-ROM and put it in your gun safe/safe deposit box.  If lost, there is no way to regenerate that key and anything encrypted with it will be forever unreadable.

For those of you who are worried about backdoors, go to http://www.pgpi.org.  The source code for current versions is freely available; you can scan it for back doors.

Edited to correct typos.
Link Posted: 5/26/2003 5:28:39 PM EDT
[#11]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

the problem I found with pgp is actually having a use for it. it does me zero good to encrypt my messages if none of my friends use pgp
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBPtK7pZp1rus0cSHVEQKRFQCgoKZQXVBWxsrMTC4bHuUqiI51KJsAoODu
tstilq0WfnE09INbua8NcJ3k
=ZWKF
-----END PGP SIGNATURE-----
Link Posted: 5/26/2003 5:42:19 PM EDT
[#12]
Quoted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

the problem I found with pgp is actually having a use for it. it does me zero good to encrypt my messages if none of my friends use pgp
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBPtK7pZp1rus0cSHVEQKRFQCgoKZQXVBWxsrMTC4bHuUqiI51KJsAoODu
tstilq0WfnE09INbua8NcJ3k
=ZWKF
-----END PGP SIGNATURE-----
View Quote


Yeah, I know what you mean.

I was once a fairly active lurker in IPL (PGP knowledge and remailer knowledge was required for "membership") but kinda lost interest.  Now, the only person I encrypt emails to is one of my brothers, and I only do that to try to piss off the feds. [;)]
They're really gonna be disappointed with our conversations if they happen to crack the encryption.

But it looks like quite a few folks around here are PGP users, and probably several others are interested.  Maybe we can figure out some way to use it here.
Link Posted: 5/26/2003 5:50:09 PM EDT
[#13]
Quoted:
But it looks like quite a few folks around here are PGP users, and probably several others are interested.  Maybe we can figure out some way to use it here.
View Quote


I guess we could start an email address and PGP key exchange thread.  Then people could grab those of the people they wanted to communicate with.

I'd prolly be a smart ass and send encrypted emails like "The red goose is flying south."
Link Posted: 5/26/2003 6:02:01 PM EDT
[#14]
Quoted:
Quoted:
But it looks like quite a few folks around here are PGP users, and probably several others are interested.  Maybe we can figure out some way to use it here.
View Quote


I guess we could start an email address and PGP key exchange thread.  Then people could grab those of the people they wanted to communicate with.

I'd prolly be a smart ass and send encrypted emails like "The red goose is flying south."
View Quote


Not a bad idea.  It'd also give PGP newbies a chance to learn by sending encrypted messages to experienced users.

Conventional encryption using PGP would be a good start too.  Just post the "passphrase of the week" and let the PGP newbies compose and encrypt their message using the passphrase.

Could be fun.  [:)]
Link Posted: 5/26/2003 7:07:31 PM EDT
[#15]
Quoted:
I guess we could start an email address and PGP key exchange thread.  Then people could grab those of the people they wanted to communicate with.
View Quote


OK, I went ahead and started a PGP Public Key Exchange thread in the Urban Commandos forum:
   http://www.ar15.com/forums/topic.html?b=1&f=124&t=188311

Perhaps others will also post their keys and people can use it as an exchange medium.

Edited to make the link hot.