PGP : Java Glossary

*0-9ABCDEFGHIJKLMNOPQRSTUVWXYZ (all)
The CurrCon Java Applet displays prices on this web page converted with today’s exchange rates into your local international currency, e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees… CurrCon requires an up-to-date browser and Java version 1.7 or later, preferably 1.8.0_25. If you can’t see the prices in your local currency, Troubleshoot. Use Chrome for best results.

PGP
PGP (Pretty Good Privacy). A technique for encrypting and digital signatures based on the difficulty of finding the prime factors of very large numbers.
How is PGP Different? How PGP Works
Terminology Hex Encoding
Backups Keyword Encoding
Finding Public Keys Keyword Encoding Applet
Where to Get PGP Legal Issues
Eudora S/MIME
Thunderbird Links
Agent Newsreader

How is PGP Different from other Signing and Encryption?

PGP (plus related systems like GNU (Gnu’ Not Unix!) privacy Guard, CTC (Concurrent Technologies Corporation), and the more distant systems like Pegwit) uses public key encryption as a way of exchanging the private keys you need for the faster conventional encryption (like Triple-DES). PGP does not require both communicating parties to know a shared private key agreed on in advance the way DES (Data Encryption Standard) does.

PGP is different from other digital signing/encryption techniques in that there are no central certificate issuing authorities. You make your own certificates (containing just your name, email address and public key but not your private one), and get other ordinary people to digitally sign them as accurate. This creates a web of trust. You know if a certificate is valid by how much you trust the people who signed the certificate. You tell PGP how much you trust various certificates and how much you trust various people to accurately sign other’s certificates and it computes a trustworthiness of each certificate on your keyring.

Terminology

The PGP people don’t use the term certificate like everyone else does. They call them public keys even though the public key files contain more information than just the public key. They use a single key icon  PGP public key icon to represent a public key, and either a double key icon or a person’s head icon PGP private key icon to represent a public/private pair.

PGP people sometimes erroneously refer to your private key as a secret key. Granted the key is secret, but in crytography the term secret implies there is no corresponding public key.

You can safely give exported public keys to others and your public keyring file of your entire key collection, but not your private/secret keyring file.

Backups

Make many backups of your PGP data files, especially of all your private/secret keys and their passphrases and put them where you are sure you will be able to find them again. You will never be able to correct the public key registries without them to even delete the key. If you loose the private key for an email address, you will never again be able to receive encrypted mail on that mail address. People will continue to send you email encrypted with your old lost key and you won’t be able to make any sense of it.

With Zimmerman’s PGP that I use, the public keys are stored in pubring.pkr and the private/secret keys are stored in secring.skr.

Be very careful when reinstalling software that you don’t leave you old keys behind.

How to Find and Import Other People’s Public Keys

You learn of other’s public keys by picking them off websites. For example, you can download/see my PGP public key at http://mindprod.com/contact/Roedy Green pgp (0x6A4D31AA) pub.asc. You can sent me PGP-encrypted email with it via email Roedy Green pgp. Please don’t attempt PGP email with any other of my email addresses or with any of my old public PGP keys. The key looks like gibberish, but when you import it into your PGP keyring it contains my public key, name and email address hidden in there.

After you import someone’s public key you must sign it with your private key, to indicate you consider it valid. You can then adjust the trust level you feel about public keys that person has validated. There is no central authentication agency. It all works by a peer to peer web of trust. There is a central registry like a phone book of email addresses and public keys, but there is no guarantee that any of its information is valid.

You can receive PGP certificates via unsecured email. You can discover them in Newsgroup postings. PGP 7.0 contains a feature to lookup a public key or register yours in any one of a number of central registries, e. g.

RFC 4880 describes how client PGP software such as EnigMail or GnuPG talks to the public key servers. Some webservers also allow you to search for keys with your browser.

Once you declare my public key as trustworthy, then you can send me encrypted email, and you can verify if any digitally signed mail from me really came from me.

If you just want to send me PGP-signed mail, you don’t even have to do that much.

You importing my public key, however, is not sufficient to let me send you encrypted email. (I need your public key for that.) It won’t let me verify that email from you really came from you. (I need your public key for that.) Of course we both need some sort of PGP software installed on our machines.

There is also a feature you can register a third party with the right to revoke your key in case you lose your private key or forget your passphrase. However, it is too late to do that once you lose you key or passphrase. If you lose your private key, mail continues to arrive encrypted with your old key and databases persist in handing out the obsolete key. All you can do is publicly ask people to use the new key and email address and stop using the old ones. (How do I know this?…) In Thunderbird Enigmail, you can create a revoke certificate you can later use if you lose your keys to revoke the certificate.

Where to Get PGP

You can download a simple PGP 8.0 suite free from PGPI.org. Unfortunately it does not work on Vista.

All that is left of the original Network Associates (bought out by McAfee) PGP website are products with prices so high they won’t even post them. You have to request a formal price quotation. These are clearly not aimed at personal users.

The freeware products are for non-commercial use. There are now a suite of reasonably priced commercial products at the PGP Store. For example a PC (Personal Computer) PGP 1 year licence is  $80.00 USD The freeware editions don’t have integration into email. The freeware version asks you to fill in a licence key. If you don’t, it turns off some features. If you do, it upgrades to the commercial version.

The old, free Network Associates PGP version 7.0.3 works with Eudora email integration.

The patent recently expired on PGP and, in recent years, the patentholder, etwork Associates lost all interest in supporting its former PGP products. In recent years, we saw signing authorities like Thawte dropping PGP support. Perhaps they will start re-instating it. Enigmail-PGP does not supportthe latest Firefox. It looks like PGP for the masses has disappeared.

PGP and Eudora

PGP is easiest to use if you have a mailer like Eudora that integrates it. You click on the sign icon and nothing happens until you hit send, then you key your passphrase. Send only plain message if you want them readable. Eudora includes the body and your tagline in the signature, but not the subject.

Signed formatted messages arrive as mysterious enclosures ending in *.ems. You must double click them to view them and verify the signature. Eudora encrypts the body and your tagline, but not the subject.

When you click encrypt nothing happen until you hit send. Then it automatically looks up the public key of the recipient in the keyserver.pgp.com database. Encrypted messages come in looking like gibberish with nothing telling you what they are. It is up to you to recognize what them as encrypted messages and right click plugins, decrypt and verify.

Sometimes the encrypted message arrives as a *.ems attachment. You must double click it and give your passphrase to decrypt it and verify the signature. Eudora wisely gives you the option of leaving the message in encrypted or unencrypted form in your mail folder. You may be trying to protect it from prying eyes at your end as well as en route.

You can also digitally sign and/or encrypt your messages with PGP by having it sign the clipboard then paste the text back into pretty well any newsreader/mailreader. That way your mailreader/newsreader need not support PGP directly. Unfortunately, only the message body then is signed. The header including the message subject:, to: and from: are unprotected.

PGP and the Thunderbird Mail Reader

There is a free PGP plug-in for Thunderbird MailReader and also SeaMonkey called Enigmail. It supports inline-PGP RFC 4880 and PGP/MIME RFC 3156. It uses GNU-PG.

PGP and Agent Newsreader

The add-on PGPeep partly integrates PGP into Forte Agent, however it is not smart enough to include the signature line in the digitally signed part of the message. This area of integration is still in its infancy. It is not ready for the masses. It must become totally transparent.

How PGP Works

PGP uses the SHA-1 (Secure Hash Algorithm 1) digest type for signing email.

The PGP message format is described in RFC 4880.

PGP also has a wipe feature for securely erasing files and also erasing the free space including the space at the tail end of each file in its allocated cluster.

When you install it, make sure you choose a directory for your public and secret keyrings that won’t be lost or erased and that will be backed up.

PGP Hex Encoding

PGP public keys (fingerprints) are 160 bits long, or 20 bytes, or 40 hex digits.

Keyword Encoding

Public keys are sometimes represented by selections from a pair of 16 × 16 row-wise grids of 256 English words each using this list to encode the each byte of the key, selecting the row as the high order nibble and the column as the low order nibble. The advantage of the keywords is you can speak a public key over the phone accurately. It protects you against dropping, transcription, and mishearing. Words are all quite distinct. See the PGP keywords Applet to interconvert back and forth or to experiment to understand how it works.

Even two-syllable PGP Words
  0 1 2 3 4 5 6 7 8 9 A B C D E F  
  0 1 2 3 4 5 6 7 8 9 A B C D E F  
0 aardvark absurd accrue acme adrift adult afflict ahead aimless Algol allow alone ammo ancient apple artist 0
1 assume Athens atlas Aztec baboon backfield backward banjo beaming bedlamp beehive beeswax befriend Belfast berserk billiard 1
2 bison blackjack blockade blowtorch bluebird bombast bookshelf brackish breadline breakup brickyard briefcase Burbank button buzzard cement 2
3 chairlift chatter checkup chisel choking chopper Christmas clamshell classic classroom cleanup clockwork cobra commence concert cowbell 3
4 crackdown cranky crowfoot crucial crumpled crusade cubic dashboard deadbolt deckhand dogsled dragnet drainage dreadful drifter dropper 4
5 drumbeat drunken Dupont dwelling eating edict egghead eightball endorse endow enlist erase escape exceed eyeglass eyetooth 5
6 facial fallout flagpole flatfoot flytrap fracture framework freedom frighten gazelle Geiger glitter glucose goggles goldfish gremlin 6
7 guidance hamlet highchair hockey indoors indulge inverse involve island jawbone keyboard kickoff kiwi klaxon locale lockup 7
8 merit minnow miser Mohawk mural music necklace Neptune newborn nightbird Oakland obtuse offload optic orca payday 8
9 peachy pheasant physique playhouse Pluto preclude prefer preshrunk printer prowler pupil puppy python quadrant quiver quota 9
A ragtime ratchet rebirth reform regain reindeer rematch repay retouch revenge reward rhythm ribcage ringbolt robust rocker A
B ruffled sailboat sawdust scallion scenic scorecard Scotland seabird select sentence shadow shamrock showgirl skullcap skydive slingshot B
C slowdown snapline snapshot snowcap snowslide solo southward soybean spaniel spearhead spellbind spheroid spigot spindle spyglass stagehand C
D stagnate stairway standard stapler steamship sterling stockman stopwatch stormy sugar surmount suspense sweatband swelter tactics talon D
E tapeworm tempest tiger tissue tonic topmost tracker transit trauma treadmill Trojan trouble tumor tunnel tycoon uncut E
F unearth unwind uproot upset upshot vapor village virus Vulcan waffle wallet watchword wayside willow woodlark Zulu F
Odd three-syllable PGP Words
  0 1 2 3 4 5 6 7 8 9 A B C D E F  
  0 1 2 3 4 5 6 7 8 9 A B C D E F  
0 adroitness adviser aftermath aggregate alkali almighty amulet amusement antenna applicant Apollo armistice article asteroid Atlantic atmosphere 0
1 autopsy Babylon backwater barbecue belowground bifocals bodyguard bookseller borderline bottomless Bradbury bravado Brazilian breakaway Burlington businessman 1
2 butterfat Camelot candidate cannonball Capricorn caravan caretaker celebrate cellulose certify chambermaid Cherokee Chicago clergyman coherence combustion 2
3 commando company component concurrent confidence conformist congregate consensus consulting corporate corrosion councilman crossover crucifix cumbersome customer 3
4 Dakota decadence December decimal designing detector detergent determine dictator dinosaur direction disable disbelief disruptive distortion document 4
5 embezzle enchanting enrollment enterprise equation equipment escapade Eskimo everyday examine existence exodus fascinate filament finicky forever 5
6 fortitude frequency gadgetry Galveston getaway glossary gossamer graduate gravity guitarist hamburger Hamilton handiwork hazardous headwaters hemisphere 6
7 hesitate hideaway holiness hurricane hydraulic impartial impetus inception indigo inertia infancy inferno informant insincere insurgent integrate 7
8 intention inventive Istanbul Jamaica Jupiter leprosy letterhead liberty maritime matchmaker maverick Medusa megaton microscope microwave midsummer 8
9 millionaire miracle misnomer molasses molecule Montana monument mosquito narrative nebula newsletter Norwegian October Ohio onlooker opulent 9
A Orlando outfielder Pacific pandemic Pandora paperweight paragon paragraph paramount passenger pedigree Pegasus penetrate perceptive performance pharmacy A
B phonetic photograph pioneer pocketful politeness positive potato processor provincial proximate puberty publisher pyramid quantity racketeer rebellion B
C recipe recover repellent replica reproduce resistor responsive retraction retrieval retrospect revenue revival revolver sandalwood sardonic Saturday C
D savagery scavenger sensation sociable souvenir specialist speculate stethoscope stupendous supportive surrender suspicious sympathy tambourine telephone therapist D
E tobacco tolerance tomorrow torpedo tradition travesty trombonist truncated typewriter ultimate undaunted underfoot unicorn unify universe unravel E
F upcoming vacancy vagabond vertigo Virginia visitor vocalist voyager warranty Waterloo whimsical Wichita Wilmington Wyoming yesteryear Yucatan F

e.g. A typicial 160-bit, 20-byte, 40-hex-digit, 20-word, public PGP key fingerprint is rendered either in hex:
9AA3 43B6 324D F154 4098 F58F EF62 A55F 92CB 3EDD
or as a grid of words: 9A=pupil (i.e. word at row 9 column A of the even table), A3=pandemic (row A column 3 of the odd table ), 43=crucial (row 4 column 3 of the even table ), B6=potato (row B column 6 of the odd table ) etc.

pupil pandemic crucial potato
checkup disruptive unwind equation
crackdown narrative vapor midsummer
uncut gadgetry reindeer forever
physique revival concert tambourine
Americans have a silly law that code written in the USA that does strong encryption cannot be exported outside the USA and Canada, even though the algorithms are published. This has had the effect of stimulating European and Australians to provide such software which is immune to the restriction, taking business away from American companies. In particular, BouncyCastle.org is located in Australia. You can use Oracle’s weak or strong JCE (Java Cryptography Extension), but if you use the strong JCE, you can’t export your product. The solution is to plug-replace Oracle’s JCE with one written outside the USA.

The Alternative — S/MIME (Secure Multipurpose Internet Mail Exchange)

The other popular scheme used for EMAIL signature verification and encryption is S/MIME. Unfortunately, Eudora does not natively support it, though you can get plug-ins. Thawte no longer issues PGP certificates.
When you send a message, you sign it with your own private key, the one associated with the from email address, and encrypt it with the recipient’s public key, the one they ask you to use for that particular email address.

This page is posted
on the web at:

http://mindprod.com/jgloss/pgp.html

Optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\jgloss\pgp.html
logo
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.
no blog for this page
IP:[65.110.21.43]
Your face IP:[54.161.147.106]
You are visitor number