[Jim's Web Nook | GnuPG Keys | GnuPG and Private Email]
GnuPG is short for GNU Privacy Guard (also called GPG[1]), a tool that helps me communicate securely and protect my privacy.
The most common uses of GnuPG are:
"You mean email isn't private? But i didn't send it to anyone except you!"
Unfortunately, electronic mail gives the illusion that it is private. If i send a message and only address it to you, it (usually) arrives in your mailbox, and you appear to be the only person that can read it, unless i also send it to someone else. It feels just like sending a letter in an envelope: your address appears on the outside, but the message is on the inside, where no one can read it until you receive it and open the envelope.
In reality, though, when i send you an email message, it's much more like sending a postcard. Your address appears on the outside, and it ends up in your mailbox, but my message to you is also written on the outside, where everyone who handles the postcard can read it.
Most of the time, postcards (and email messages) are written in plain text: i simply write the message in a language that i know you understand, such as English. Unfortunately, many other people can read English, so my message isn't private. I could write you in a different language, such as German or Norwegian (or, with a little work, even French or maybe Latin). But there are also other people who can read German, Norwegian, French, or Latin (that's part of the point of a language, that more than one person understand it).
If i want to send you a postcard that no one can read, i have to write it in a way such that i know you will understand it, but that no one else will be able to understand. The obvious way to do this is with some sort of secret language or secret code: when i write, "The weather's beautiful. Wish you were here," you might know that meant (for example), "Lee's HIV test came back positive," or, "Sandy's in jail again," or, "My coworker Chris was such an asshole today."
That can quickly get tedious and tiresome, however: we have to spend a lot of time arranging translations for our secret messages. If we have to constantly spend time arranging secret codes, there's a danger that someone could overhear us. And if we weren't careful, a smart person might be able to discover (or "break") our secret code.
GnuPG helps us to send each other private email using "secret codes"
in a way that's not tedious or tiresome, and the secret code is very
difficult to break. Using GnuPG, i can encrypt a message to you
in a secret code such that only you can decrypt it and read it.
Similarly, you can write me an encrypted message that only i can
decrypt and read.
About GnuPG Keys
GnuPG uses very long random numbers called keys to "lock" (encrypt) and "unlock" (decrypt) email messages. These random numbers are similar in some ways to the keys we use to open a lock or to start an automobile: if you have the right key, you can open the lock (or turn on the ignition). For some locks---such as a deadbolt used to lock the front doors---you also need a key to lock the door, as well as to unlock it. If you have the wrong key, you will be able to neither lock nor unlock the door.
In the same way, you need the right key to encrypt or decrypt an email message using GnuPG.
GnuPG keys are slightly different than regular physical keys, though:
With regular keys, the same key can lock or unlock the same door. GnuPG
keys, however, come in two "flavors": public and private.
Either key can "lock" (encrypt) a message, but you have to use the
other key to "unlock" the encrypted message.
How to Use GnuPG Keys
You keep your private key safe and secret from everyone, while you give your public key to anyone wants to send you private messages.
To send you a message that no one else can read, i encrypt it using your public key. When i've done that, the only way to decrypt the message to read it is using your private key. That is, no one (not even i) can read the encrypted message unless they have your private key---which no one but you is supposed to have.
If you want to write me back, you encrypt a message to me using my public key. Then, only i am able to decrypt it, using my own private key.
Basically, GnuPG public keys give us a way to write each other in a
secret code, even though the public keys aren't secret.
About Digital Signatures
"But you did send it to me. It says right here 'From: Jim Knoble'."
I explained above that email messages are sort of like postcards: They have an address, and a message written on the outside (not on the inside). However, there's one important way that email messages aren't the same as postcards: If you recognize my handwriting, you can usually tell whether i wrote the postcard. If someone else wrote you a postcard and signed my name at the bottom, you could see that i didn't write it.
More importantly, if someone changed a postcard between the time i sent it and the time you got it (for example, by adding the word "not" in a strategic location), you might be able to tell that the changed part is not in my handwriting and that the postcard has been altered.
Unfortunately, that's not a very good method to rely on. Besides,
email messages don't really have any handwriting at all. Using
digital signatures, though, GnuPG can help you be sure that i
wrote an email message, and that the content of the email message
hasn't been changed since i wrote it.
How to Use Digital Signatures
I sign a message using my private key. GnuPG uses a special mathematical formula to calculate a rather long number, called a hash, that uniquely represents that message---that is, if the message changes at all, even a tiny bit (for example, by adding or removing a single space or comma), then the hash changes too. GnuPG encrypts the hash using my private key (which, you remember, no one else is supposed to have) to create a digital signature.
To verify my message, you need my public key. GnuPG calculates another hash of the message you received, then decrypts the hash contained in the digital signature and compares them. If the hashes are the same, the message is unchanged. If the hashes are different, the message you got is not the same one i sent; it's been changed somehow in transit.
We can also use digital signatures together with private email: If
i sign a message (using my private key), and encrypt it (using your
public key), then only you can decrypt and read it, and you can verify
the signature to be sure that i sent the message and that it's
unchanged.
More Information About GnuPG
Further information about GnuPG is available at the GNU Privacy Guard website. There's plenty of documentation
there, including a handbook and a HOW-TO.
More Information About Privacy
Further information about privacy and the Internet is available at the following spots:
[Jim's Web Nook | GnuPG Keys | GnuPG and Private Email]