
How Do You Know It’s Really Cynthia (Armistead) Newman?

Introduction to PGP


What on earth is that mess of letters and numbers at the end of some folks’ email and Usenet messages? In many cases, it’s a PGP signature. (Sometimes a list of weird characters at the end of a message is the sender’s geek code or a similar code specific to a particular interest group.) As an example, here’s a plain text message I wrote:

This is a PGP-signed message. The signature will be longer for longer
messages.
Cyn

After I signed it with PGP, it looks like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is a PGP-signed message. The signature will be longer for longer
messages.
Cyn
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEuc12Pi9UCrPUU4OIUhCdqCQqoNwFAmIJh5YACgkQUhCdqCQq
oNy2hw//SOPrIGzVge/ffHKW3lFTSZlkUfQeNzltq208FWrXhg7noTGS/64gJYiu
IFHdb7y2JNZH5pT30fjifqLwa8DsHwP0ENwJQpTIsDtosTkWhkF6aNJocD2X6G8m
7grYLCYKdO6iSQ+HgYHCAybhalCF6q/qRiUEfA0VvDeM4vc/O6ZtsDM06eQstdur
jDpl6FYSpW3bMV72/6gV6WalsYkVp00RMzFjbJZY/I4bZH7ai2aGhvHqia8KVzUU
5fPwr7DrTsvW4yFQBUfeHsjzvanzONkV4st5zgS7U7OOJ4hYOFd/aTjcAgEDi4Sd
uw1Uv0So9bgMNUME1yrX2VqAgcjLuzEmvIanlI2UajeZRIoAYKNy9WnaZZBogKfC
+10kICWYAF4lqA+QmMqcDfnS85JV3FeKt/miOR2QGAhwa9wjn26LsJTOefxoEOGN
vEU4bBBI8ibtLJ+Kf19ePz7VvNtxVgqd4oRVQqeJwjZB5uohxpA6nMmt8obxTFpg
6oR0o3N8o0LQilnD5Qp/S1TcFrX0vqoT+7LjAJm0Xfw8nJI95lfTB7xbBhGaYqST
X0cMS7w08Z6PH4eQKIvBdqcG16vnRl365avRxh5qqPid/US2V8j6c/PsPoNw24al
8BTD5CaxnU0diBNcWy5Q2KnoqKPN++wITMqM8zYCgV0heigW9TI=
=AKyH
-----END PGP SIGNATURE-----

PGP is the best-known public-key encryption method in use on the internet. If I sign a message I post to a particular newsgroup using my private key, anyone who wishes to verify that it is from me and unaltered can check the signature on the message using my public key. If the message has been altered in any way, the signature will not be valid. If someone else forged a message in my name and tried to copy the signature from one of my real posts, the signature wouldn’t check as valid on the forged message. That’s the reason I use it.
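What the block of letters and numbers in the signed message above actually contains, decoded as an added example that is not part of the original page: the first armor line holds the start of an OpenPGP signature packet, which names the signature type, the algorithms, the signer's key fingerprint and the creation time. The function name and the lookup tables are this example's own, and it assumes the old-format, version 4 packet layout used by this particular signature.

```python
import base64
import struct

# First armor line of the signature shown on this page (48 bytes once decoded).
FIRST_LINE = "iQIzBAEBCAAdFiEEuc12Pi9UCrPUU4OIUhCdqCQqoNwFAmIJh5YACgkQUhCdqCQq"

# Algorithm IDs from RFC 4880, sections 9.1 and 9.4 (subset).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def parse_signature_header(armor_line: str) -> dict:
    """Decode the start of a version 4 OpenPGP signature packet."""
    data = base64.b64decode(armor_line)
    tag = data[0]
    # Old-format packet header: bit 7 set, bit 6 clear, packet tag in bits 5-2.
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    if tag & 0x03 != 1:
        raise ValueError("this example only handles two-byte packet lengths")
    (body_len,) = struct.unpack(">H", data[1:3])
    version, sig_type, pub_algo, hash_algo, hashed_len = struct.unpack(
        ">BBBBH", data[3:9]
    )
    if version != 4:
        raise ValueError("this example only handles version 4 signatures")
    info = {
        "body_len": body_len,
        "sig_type": sig_type,  # 0x01 = signature over a canonical text document
        "pubkey": PUBKEY_ALGOS.get(pub_algo, pub_algo),
        "hash": HASH_ALGOS.get(hash_algo, hash_algo),
    }
    # Hashed subpackets: one length byte (covering type + value), type, value.
    pos, end = 9, 9 + hashed_len
    while pos < end:
        sub_len = data[pos] if pos < len(data) else 0
        if sub_len == 0 or sub_len >= 192 or pos + 1 + sub_len > min(end, len(data)):
            raise ValueError("unsupported or truncated subpacket")
        sub_type = data[pos + 1] & 0x7F  # top bit is the "critical" flag
        value = data[pos + 2 : pos + 1 + sub_len]
        if sub_type == 2:  # signature creation time, seconds since 1970 (UTC)
            (info["created"],) = struct.unpack(">I", value)
        elif sub_type == 33:  # issuer fingerprint: key version byte + fingerprint
            info["fingerprint"] = value[1:].hex().upper()
        pos += 1 + sub_len
    return info


if __name__ == "__main__":
    print(parse_signature_header(FIRST_LINE))
```

The decoded hash algorithm matches the "Hash: SHA256" line of the signed message, and the fingerprint is what a verifier compares against the public key it already trusts before accepting the signature.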

Some people use PGP for actual encryption. If I wanted to send my friend Doug an email that contained very sensitive information, I’d write my message and sign it with my private key. I would then encrypt it with Doug’s public key, and email the encrypted version to him. Upon receipt, he would decrypt the message using his private key, then check my signature using my public key. We’d know that the message had not been read by anyone but us, and had not been altered in any way. I find very little need for encryption, but some people use it frequently.

For a far more thorough explanation of PGP, please check the Introduction to PGP by Dr. Nat Queen.

The last time I checked, Symantec owned PGP. You can still get a freeware implementation of OpenPGP (one of its descendants) at Gnu Privacy Guard. If you want to use encryption for your email, Hushmail is very easy to use.

Want my key?

Last updated 30 August 2022.
Photo by Markus Spiske on Unsplash