Pretty Good Privacy
Another tremendously popular encryption scheme is Pretty Good Privacy. PGP made a huge splash when Phil Zimmermann first published it freely on the Internet in 1991. PGP became a commercial product in 1996 and was subsequently purchased by Network Associates (NAI) in 1997. In 2002, the startup company PGP Corporation acquired the technology from NAI.
Since that time, PGP Corporation has sold a commercial version of PGP that runs on Windows and Mac OS X. The current version, PGP 9.0, offers individual file encryption, entire disk encryption, and integration with AOL Instant Messenger (AIM). PGP 9.0 also integrates with popular email software, such as Outlook, Microsoft Entourage, Lotus Notes, Qualcomm Eudora, Mozilla Thunderbird, and Apple Mail.
PGP uses a public key system, a method that generates a pair of encryption keys: a public key and a private key. The two keys are mathematically related, so data encrypted using the public key can be decrypted only by using the private key.
A PGP user generates a public and private key pair, then publishes the public key in a publicly accessible key directory or Web site. The private key, of course, is kept private and secret, and only its owner uses it. Although a password is required when using the private key to decrypt data, a password isn't required to use the public key to encrypt data because public keys are meant for public use.
For ease of use, PGP offers the ability to automatically query public key directories for a user's public key by using that person's email address as the query string. PGP can automatically retrieve public keys, which you can store locally on your system in a file-based keyring for easy access. By querying the public key directory, PGP can ensure that the keys in your keyring are current. If a user changes his or her public key, you have access to the latest key when you need to use it.
For added assurance of public key authenticity, public keys can also be digitally signed by another user's key. Having a key signed by another user gives you some assurance that a key actually belongs to its alleged owner. PGP can add a digital signature to a key by performing a mathematical operation, then adding the unique resulting output to the key. The signature can then be validated by checking the signature against the signing key that was used to create the signature. Think of this process as one person vouching for another person's identity.
Many people trust PGP because of its longstanding reputation in the industry as a technology for keeping information secure. Even so, if you decide to use PGP or another form of public key encryption, the recipients of your files must also use a compatible encryption system. A benefit of using PGP for email is that it supports its own proprietary encryption as well as X.509 and S/MIME, which I discuss next.
Also, whether you decide to use PGP, WinZip, or another encryption system, if you want to encrypt the contents of the message itself in addition to the files you're attaching, you'll need to write your message in a separate file and encrypt it, too. You could place that message file in the archive along with your other files, or you could make it a separate file attachment, depending on your particular needs.
PKI
Although Public Key Infrastructure (PKI) is unique, it works somewhat similarly to PGP. PKI uses a public and private key pair: People use your public key to encrypt data they want to send to you, and you use your private key to decrypt that data after you receive it.
One major difference is that, in PKI, the public key is typically stored in a data format known as a certificate. Certificates can contain much more information than just the key. For example, certificates also contain an expiration date, which lets you know when the certificate and associated key are no longer valid. In addition, a certificate might contain the key owner's name, address, phone number, or other data. Figure 2 shows certificate contents as seen from within Microsoft Internet Explorer (IE) or Outlook. To some extent, certificate content depends on what the owner wants to put inside.
Like PGP, PKI lets you establish a chain of trust, in which certificates can become signed through the use of other users' certificates. Furthermore, Certificate Authorities (CAs) have been established as trustworthy third parties that not only issue certificates but also sign them, and therefore can vouch for the authenticity of a certificate. As with PGP and its associated key servers, certificates can be published to a publicly or privately accessible certificate server or LDAP server, emailed, or even posted to a Web site or file server.
To automatically validate a certificate's authenticity, email clients and Web browsers are typically designed to interact with the servers of CAs. This process can also inform you when a certificate has been revoked for whatever reason, which in turn lets you know that the certificate can no longer be trusted. Of course, using a CA to issue and vouch for a certificate sometimes comes at a price, and that price can vary depending on which CA you choose. Some CAs offer free personal email certificates, and others charge significant fees.
Because PKI is based on the X.509 specification (which is a derivative of the LDAP X.500 specification), certificates issued by one authority, including certificates you generate for yourself, are typically compatible across multiple platforms, as long as those platforms support the X.509 standard. You could generate certificates yourself by using any number of available tools, such as OpenSSL.
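The following is an added example, not part of the original article: it uses the OpenSSL command-line tool to create a throwaway CA, issue a certificate from it, read back the owner, issuer and expiration date described above, and show that a self-signed look-alike carrying the same name fails verification. All names, file names and validity periods are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names, files and lifetimes are constructed; keys are throwaway.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate. $1 = file prefix, $2 = subject, $3 = days valid.
# -nodes leaves the private key unencrypted, acceptable only for a throwaway
# test key; omit it for a real key so the key file is passphrase-protected.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Key pair plus signing request, then a certificate signed by the test CA.
issue_from_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$3" -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Owner, signer and expiration date stored inside the certificate.
show_cert() { openssl x509 -in "$WORK/$1.crt" -noout -subject -issuer -enddate; }

# True only if the certificate verifies against the test CA
# (signature chain and validity dates).
trusted_by_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# True if the certificate will still be unexpired $2 seconds from now.
valid_in() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null
}

make_self_signed ca "/CN=Constructed Test CA" 30
issue_from_ca alice "/CN=Alice Example/emailAddress=alice@example.test" 7
make_self_signed impostor "/CN=Alice Example/emailAddress=alice@example.test" 7

show_cert alice
trusted_by_ca alice    && echo "alice: vouched for by the CA"
trusted_by_ca impostor || echo "impostor: same name, no CA signature, rejected"
valid_in alice 86400   && echo "alice: still valid tomorrow"
valid_in alice 864000  || echo "alice: expired ten days from now"
```

The impostor certificate carries exactly the same owner name as the genuine one; only the CA's signature distinguishes them, which is why a name inside a certificate means nothing until the signature has been checked.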
If your organization uses Microsoft Certificate Services, you can use that to request a certificate. The process should be similar for both Windows Server 2003 and Windows 2000 Server. Access your certificate server's Web page (typically http://servername/CertSrv), then select Request a Certificate. On the next page, select User certificate request and follow the Web-based wizard until you're done. If your certificate services are configured to require administrative approval before issuing the certificate, you'll see a message to that effect, and you'll need to wait for an administrator to handle your request. Otherwise, you'll eventually see a link that lets you install the certificate immediately.