Let’s say your friend is failing an exam you are taking together. Let’s also say that you want to help him, but you are scared of the supervisor in your exam room. Now you know that the supervisor won’t sanction you for quacking at your friend (it is Special Ed. ) but you will get sanctioned if you tell him the answer to a question. Well in the classroom, your friend would fail. But in the real world, you have PGP.
In an increasingly common situation, a dissident or whistle-blower, working in an autocratic government wants to send a secret email to somebody in the press. In this situation, there are three parties. The sender (let’s say it’s you), the recipient, and the ‘peeking Tom’. The challenge is to get a message from you to the recipient when everybody hears what you say but Tom doesn’t understand what you are saying.
Use case 1: Not have information interpreted between the sender and recipient
You know that your communication will be intercepted and read. If the message is deciphered, you are screwed. Nobody can jail you for singing limericks or quacking though, can they? How then, to send gibberish, which cloaks your message without being incriminated?
PGP!!! The recipient makes a PGP key pair; one public and one private. Both keys are gibberish to the human eye. He hides his private key and flaunts his public key. He posts holiday pictures on Instagram with it. He puts it up on facebook. He tweets it. Hell, he recites it to his Google home! He basically advertises it.
You make a pair too. You see his key; you copy it and use a PGP program to encrypt your message to him using his public key. The only way to decode that message, now is by using his private key which was generated alongside his public key. You can also sign the message with your private key to tell him it is coming from you. Bringing us to the other use case.
Use Case 2: Know the provenance of a message (or file)
You see Elon Musk’s twitter announcing that he going to buy Twitter. You don’t believe it. It is too strange. But then, is it? He did name his child X Æ A-12 which is so un-pronounceable, it defeats the purpose of names. Now if Elon had used the power of PGP, you wouldn’t have had to wonder.
PGP!!! The sender of a public message (publisher) adds an encrypted version of the message below his real text message using his private key. This is called signing a message. Provided you have the publisher’s public key, you can, in just one click, verify that the message came from Elon himself and not Parag A or Jack D trying to trip Elon up.
The same logic sent for text messages can be used for files broadcasted by senders.
‘Implementations’
PGP is ostensible ‘implemented’ by many messaging platforms including Whatsapp and Protonmail. Whatsapp is actually suing the government over the issue in India, where the government wants
on the occurrence of any public emergency or in the interest of the public safety — if it is satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, for reasons to be recorded in writing, by order — direct that any message or class of messages, to or from any person or class of persons received by any telecommunication services…
to be able to decode messages sent. Basically, when they damn want, even before a crime has been committed.
Whatsapp is obviously not open source, however, even if these ‘implementations’ were open source, not many of us can go check their code to see if they have been faithful to our privacy. Moreover, I don’t think that Whatsapp, if faced by the choice of losing 500M Indian customers, would choose privacy over profit.
In other words, if you want to be sure of not being intercepted in your electronic communications, you should just use an open-source PGP client. Some Linux distributions come with PGP implementations out of the box.
Guide 1: I want to send a PGP encrypted message to X. Steps?
1. Find X’s public PGP key.
· If X doesn’t own one, call him up and tell him to download an open source not for profit PGP program (like Gpg4win) and make a key pair. He should post the public key to the public domain. You need to save this key.
2. Encrypt your plain-text message
· Use a PGP program to encrypt your message with the person’s public key. Now, only he has the power to read the message.
3. Send it any way you want.
· Your message, even if intercepted, is of no use to peeping Tom. It is gibberish. It is balderdash. It is the gobbledygook of a deranged mind. Only He with the Private Key can decipher it. As long as he doesn’t tell it to anyone, you are safe.
Guide 2: I want to verify a message, ostensibly from X. Steps?
1. Find X’s public PGP key.
· Download and save the key. If it is in text, you need to save it as .gpg
2. Decode the message
· Use a PGP program to decrypt his message. You will see if his message was encrypted with a key that you have saved on your computer.
Limitations:
1. The recipient betrays you (or is compromised)
· This one is obvious and applicable to any encryption. You send a cloaked message to X. X betrays your trust and tells Tom. Tom, who has a monopoly over violence, comes to your house, beats the hell out of you and then locks you up (or kills you). Tom also tortures you taking over your private key. Tch tch tch..
2. You don’t have the correct public key
· Tom impersonates X and makes a clever website which hosts a public key ostensibly belonging to X. You end up believing the key is X’s. Now you have sent a message that Tom can decode. If Tom was waiting for you to slip up, expect nasty visitors.
Other Salient points:
· You can encrypt a message with multiple keys so that it can be read by them all.
· Unless you list yourself as a recipient in your encoded messages, you will not be able to read what you sent before.
· You can generate a keypair with a validity so that messages written to you can only be decoded in a particular timeframe. This is always recommended if you want to send secrets.
· An alias is better than your real name if you want privacy.
· PGP stands for ‘Pretty Good Privacy’, which it is. It is essentially impossible for anyone, including the NSA to break PGP.
· PGP was invented by Phil Zimmerman in 1991 because he cared about your privacy. Read more about it here. https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
