How to encrypt your email, and more

So you want to hide email and messages from prying eyes? It’s easy enough to do. Use PGP or one of its many variants to encrypt messages. Some versions, such as the one from PGP Corp., install seamlessly into your email client and are simple to use. Other versions may require geek skills or are command-line based.

PGP was originally invented by Phil Zimmermann as open source based on previous crypto algorithms. Is it secure? The short answer. Yes.

The long answer. PGP code has been examined by crypto experts. No one has been able to find a hole or a way to crack it. 

When used properly, PGP is believed to be capable of very high security. It is widely believed, within the cryptographic community, that — if anyone — only government agencies such as NSA might be capable of directly breaking properly produced, PGP-protected, messages. However, to the best of publicly available information, there is no known method for any entity to break PGP by cryptographic, computational means regardless of the version being employed. In 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you’re likely to get to military-grade encryption" (Applied Cryptography, 2nd ed., p587).

Zimmermann’s version of PGP is now owned by PGP Corp. who make the source code available for all to see. This guarantees transparency and no back doors. They have a freeware version too.

It’s important to note that Phil Zimmermann is a certifiable good guy. From his website.

Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. … The government dropped its case in early 1996.

Had he been indicted, we would have seen, as Wired Magazine put it at the time, "the first holy war emerging out of the Internet." Seriously. I was there as it happened.

You can now buy the commercial PGP Corp version via Phil.

Freeware PGP has lots of links and versions available.

takes crypto one step further. It hides your message in other files. These can be graphics files, MP3s, WAVs, as well as many other formats. The crucial point is, the file appears unchanged! The JPG looks the same, the MP3 plays the same. You can also encrypt your message first, then stego it, giving two levels of protection. The beauty of steganography is – they can’t decrypt your message if they don’t know it’s been encrypted.

StegoArchive has lots of stego programs and info.

SpamMimic is a neat hack. It encodes short messages into output appearing to be gibberish spam. Send it, it looks like spam. Then the receiver decodes it. Works online or you can download a program.

Unless you really, really like cryptic command line utilities, I suggest you steer clear of command line versions of PGP and get a graphic version like that from PGP Corp. Modern versions of PGP generally work fine with each other, meaning you can encode using the PGP Corp. version and your friend can decrypt the same message using a command line version. This is not true of steganography. Both sides will need the same program to successfully encrypt/decrypt.

With modern crypto, no one can read your email unless you want them to.

Tags PGP Encryption Steganography


  1. “So you want to hide email and messages from prying eyes? It’s easy enough to do. Use PGP or one of its many variants to encrypt messages.”

    The sad fact is that using PGP to encrypt your email messages will also protect them from the prying eyes of your correspondents. Until encryption is seamlessly supported by many of the popular email clients (included web-based ones), email encryption is going to remain a geek-to-geek stunt.

  2. That’s true of the command line version. I used Windows PGP a few years ago, and it plugged into the mail client and encrypted with one-two clicks. Easy to use.

    The command line versions though are cryptic beyond belief. Definite propeller-head stuff.

  3. I made a comment on Craig Murrays site that probably comes across as a bit rude and disrespectful of you. For this I apologise as it wasn’t meant to sound that way (it’s 5am and I’m to old to cope with lack of sleep these days). While I agree that PGP is probably fine for users like yourself and myself and other low level internet types for people like Craig it is a completely different kettle of fish.
    Read this link
    If you don’t to read the link here’s the abstract.
    We examine the problem of keyboard acoustic emanations. We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard, and then recovering up to 96% of typed characters. There is no need for a labeled training recording. Moreover the recognizer bootstrapped this way can even recognize random text such as passwords: In our experiments, 90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts. Our attack uses the statistical constraints of the underlying content, English language, to reconstruct text from sound recordings without any labeled training data. The attack uses a combination of standard machine learning and speech recognition techniques, including cepstrum features, Hidden Markov Models, linear classification, and feedback-based incremental learning.
    Not forgetting the stories that abound about the ‘tempest program’ of course. I can also guarantee if we know of one way they can easily obtain your private key there are probably a dozen that we know nothing of.
    Not including of course hidden video surveillance and all of the other tools of nation states and their security apparatus.

  4. Sure, it they get your private key, then they can crack it.

    Assuming they don’t have it, then PGP disk encryption is easy to use and uncrackable.

  5. I just reread my comment (now I have had 3.5 hours sleep) and it still sounds a bit insulting (depending on how you interpret ‘low level internet type’) so if you are feeling insulted imagine me in a tin foil hat and you’ll be fine.
    BTW: speaking of encryption and all that sort of personal comp. sec. stuff have you read about Magic Lantern and the stance taken by antivirus vendors? It’s getting quite scary.

    Props: for your anti-bush/war work

Comments are closed.