PGP, or Pretty Good Privacy, is a security program that allows users to encrypt and decrypt e-mail, as well as incorporating the added protection of digital signatures for user verification. OpenPGP builds upon PGP with enhanced PGP standards, military-grade security and an increased number of encryption algorithms.
Michael W. Lucas, author of PGP & GPG: E-mail for the Practical Paranoid recommends that IT managers take advantage of easy-to-use OpenPGP to add an extra layer of internal security that can prevent tampering from within an organization. The most difficult part is not installation or using OpenPGP but educating users.
What does OpenPGP have to offer for IT managers to protect their IT shops? Have there ever been any instances where PGP encryption has been broken?
Michael W. Lucas: OpenPGP puts control of security in the hands of the IT manager. Even if you only use it internally amongst your IT staff, it provides a layer of security that's difficult to achieve otherwise.
One common problem in computer security is 'who watches the watchmen?' Your e-mail administrator has the ability to view and edit any e-mail message that passes through the system. When I'm troubleshooting a network problem, I often must use a packet sniffer. At that point, I will see the contents of e-mail messages unless I take specific steps to prevent it. Even your helpdesk staff has access to people's personal data. All of these people
OpenPGP directly addresses these problems of confidentiality, integrity and non-repudiation. With OpenPGP, not even the mail administrator can view the contents of a message as it passes through the system. The network administrator can change the packets as they go past, but then OpenPGP's internal checks will flag the message. The help desk staff can sit down at a user's computer, but without the OpenPGP passphrase, they can't send a digitally signed message as the user.
OpenPGP encryption has been broken from time to time, but it's usually because it has been poorly used. The requirements for OpenPGP have also risen over time. Modern computers could easily, using brute force, crack PGP messages from the early 1990s. There have also been changes in the OpenPGP protocol to make it more resistant to cryptanalysis and attack. As with any security software, you must keep your OpenPGP tools up-to-date.
Are there any gotchas to avoid when working with OpenPGP?
Lucas: The biggest critical point with OpenPGP is the passphrase. If you choose an easily-guessed passphrase, such as the name of a sports team or your child, someone might use that to pose as you.
Once you have good passphrase practices, you should make sure that you keep your OpenPGP software up-to-date, as well as things like anti-virus programs and firewalls.
How does PGP's ease of implementation compare to similar tools?
Lucas: I'd call either GnuPG [Gnu Privacy Guard] or PGP 'harder than a Web server, but easier than a database.'
OpenPGP is actually simpler than it looks -- you can perform do six functions with it, after all. These functions have a few options, but they all boil down to just six basic tasks. Once you define your requirements, deciding which of those six you need to use is entirely routine.
You'll find big thick books on OpenPGP; most of which are several years old and concentrate on the math. Don't get me wrong; the math is pretty cool. But most IT people don't want to spend their time learning mathematics just to use a tool. Once you get to ditch all of the math, OpenPGP isn't bad at all.
As with any security system, the hardest part of implementing OpenPGP is educating the users. Our users think that if they click "OK" those scary warnings just go away. Many of us have trouble keeping our users from shouting their passwords across the cubicles, and it might seem that asking them to handle OpenPGP is far beyond their abilities. But once you explain what it can do for them, and show them how it can protect them, you'll have fewer problems and more security.
I find OpenPGP easier to implement than many other programs currently in use in IT environments, let alone many security programs.
How can IT managers use PGP, even if they don't do software development?
Lucas: I'm not a software developer, and I use OpenPGP all the time. Anyone can use OpenPGP. My wife uses it to protect our family's financial documents. I would happily set my grandma up with it, if she used e-mail.
Anyone who is interested in retaining their privacy can use OpenPGP. It doesn't cost much, and it gets you a lot.
This was first published in May 2006