PGP and Keys

Pretty Good Privacy (PGP) is powerful encryption software written by Philip Zimmerman. It is now legally and freely available to US citizens, having satisfied the twin legal issues of patent infringement and export controls.

While most people think of encryption software as useful for encoding communications and therefore allowing secrecy, it is important to understand that the same algorithms that make encryption work are also at the heart of the protocols that allow people to trust one another in transactions that take place over computer networks. Examples include the authentication of the originator of a message and digital cash. For a comprehensive tome on cryptography that details some interesting protocols, consult Bruce Schneier, Applied Cryptography, Second Edition, Wiley, 1996. If you have the Pretty Good Privacy software, and want to send me an encrypted message, or if I happen to send you a message with a digital signature (to verify that I really am the originator of the message) then you will need my public key. Here is my 1024-bit public key:

Version: 2.6.2


However, if you are distrustful of the integrity of our communications over the network, then you should not necessarily believe that what you have just received above is truly my public key. It would be best to confirm it via some trusted method of communication. For this purpose, PGP will hash a key to yield a condensed, compressed version called the fingerprint of the key. So before you use my public key for the first time, you should use your copy of PGP to create the fingerprint of the key you obtained above. Then phone me, write me, visit me - whatever, but please do not do it over the unsecure network - and we will compare the hash you obtained with the hash that I know you should have obtained.

Why not just compare the public key I have in my possesion and the one you just obtained? It is rather lengthy (449 characters), and it would become quite tedious for us to compare our two copies. The hash function used to create the fingerprint has the property that it would be extremely difficult (impossible in a practical sense) for an attacker to substitute a different public key for mine that would have an identical fingerprint. And the fingerprint is even shorter (32 characters). I may just add my fingerprint to my business cards for a trusted method of distribution (that's assuming I get some business cards someday). I also plan to register my public key with a "trusted key server", possibly Four-11 Directory Services. So you could check there as a another way to verify my public key, but without my involvement. I have set up a page where you can learn more about cryptography and where to obtain Pretty Good Privacy software.

Rob Beezer,, Updated: Jan 2, 1997, Created: Nov 23, 1994