Small office/home office (SOHO) users often need to send and receive private email. Although SOHOs don't have the resources available to larger organizations to maintain email security and integrity, SOHOs still need to use cryptography for protection.

Cryptography is not a new idea. In 1518, Johannes Trithemius, a Benedictine monk, wrote Polygraphiae, the first published work on cryptography. He later wrote Steganographia, where he described a cipher in which he represented each letter by words in many columns of text written inconspicuously inside the text of a prayer book. Popular for their detailed descriptions and discussions of ciphers, the two books were banned as heretical sorcery during the Inquisition. Nevertheless, cryptography has survived through the years, and in 1991, Phil Zimmerman created a computer cryptography program, named Pretty Good Privacy (PGP), to secure Internet email from prying eyes.

PGP


The PGP freeware version (without technical support) encrypts and decrypts email, and can send digital signatures that the receiver uses to verify the authenticity of the sender and message. The PGP commercial version (with technical support) adds encryption for locally stored files. Since its inception, PGP has evolved into today's standard for email security.

The basis for PGP is the public key infrastructure (PKI). A Certificate Authority (CA) uses PKI to create public and private keys, using the same algorithm. CA makes the private key available only to the person requesting the private key, and distributes the public key as part of a digital certificate to all interested parties. Using the private key, an email recipient decrypts text that the sender encrypted with the public key. For example, if I send email to you, I can obtain your public key (but not your private key) from a central directory service, and I can use that public key to encrypt my email to you. When you receive my email, you can use your private key to decrypt the message. In addition to securing email to maintain privacy, you can use your private key to encrypt a digital certificate to authenticate yourself to me so that I can verify that you are the one who actually sent the email. When I receive the certificate, I can use your public key to decrypt the message.

PGP modifies the public key system slightly by using a faster encryption algorithm to encrypt the entire message—in effect, using a shorter key. Because encrypting an entire message can consume processor time, PGP uses the public key to encrypt the shorter key, which in turn encrypts the email message. PGP sends the message and shorter key to the recipient, who first uses the private key to decrypt the shorter key, and then uses the shorter key to decrypt the message.

Users must download or buy and install the PGP software on their systems. The PGP program then generates a public key that you must register with a public key server, which provides your public key to people with whom you exchange email. (Network Associates, for example, maintains a Lightweight Directory Access Protocol (LDAP)/HTTP public key server that contains more than 300,000 registered public keys.)

PGP Algorithms


Two different algorithms create the public and private keys: Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the International Data Encryption Algorithm (IDEA) to generate a shorter key for encrypting the email message, and uses RSA to encrypt the shorter key. (See the RSA Web site for more information.) The Diffie-Hellman version uses the CAST algorithm to generate the shorter key for encrypting the email message, and uses Diffie-Hellman to encrypt the shorter key.

For sending digital signatures, PGP uses an algorithm that hashes from the user's name and other signature information. PGP then uses the sender's private key to encrypt this hash code. The receiver uses the sender's public key to decrypt the hash code. If the receiver's hash code matches the hash code sent as the digital signature for the message, the recipient can verify the message's integrity. The RSA version of PGP uses the MD5 algorithm to generate the hash code, while PGP's Diffie-Hellman version uses the SHA-1 algorithm.

International Use


Initially, the US government restricted the exportation of PGP technology. Now, however, you can exchange PGP-encrypted email with users outside the United States if both you and your recipient have the correct PGP versions. Unlike most other encryption products, the international version of PGP is just as secure as the domestic version.

Other PGP-Based Products


In addition to using PGP encryption to secure your email, PGP Security offers disk encryption products (which encrypt disk volume-level data, providing faster access and stronger security over traditional file-based encryption), and complete personal security products (which include intrusion detection, a personal firewall, secure VPN capabilities, and various encryption utilities).

Licensing


Because it's against the freeware PGP license to use the software for commercial purposes, SOHO users need to purchase a commercial version of PGP from Network Associates, Inc. (NAI). You can also buy add-ons that give backward compatibility for newer RSA versions with older versions. (However, the Diffie-Hellman version and the RSA version of PGP don't work together because each uses a different algorithm.) Additionally, different developers offer OpenPGP, which is based on the same PKI concept. When NAI bought PGP, Inc. (the company that developed PGP), the terms of the sale dictated that the PGP code remain open to everyone under a public license. While NAI sells the commercial PGP product, OpenPGP's developers offer their free version.