Browse Books

Reviewer: Graham K. Jenkins

I have been troubled for some time about the integrity of the patch and new release files that my company distributes through the Internet to its local support representatives. As one of those representatives, I have nightmares about the possible consequences of installing at a client site a patch with which someone has tampered. Therefore, when I was offered the opportunity to review this book, I embraced it with both arms. Within a couple of days of receiving the book, I had developed an understanding of PGP's capabilities for secure message transmission and authentication, file encryption, and so on. At the end of a third day, I had acquired the source code for a version of PGP that can be used in my country and installed it on the UNIX machine that serves as my Internet gateway. The comparative ease with which I accomplished all this is testimony to the clarity of this book. PGP is an acronym for “Pretty Good Privacy.” The program was originally developed during 1991 by Phil Zimmermann as a practical mechanism for the encryption of electronic mail. The primary algorithms used are RSA (public key encryption), IDEA (conventional encryption), and MD5 (secure hash function). PGP also employs the ZIP (equivalent to PKZIP) algorithm for compression, and uses radix-64 conversion and message splitting for ease of mailing. Stallings has enlisted the aid of Zimmermann and others to produce a book intended for people who have access to freeware or commercial implementations of PGP, with a focus on achieving privacy in electronic correspondence and locally stored files. Of course, such information is available elsewhere; what sets this book apart is its large number of process diagrams and screen illustrations. The first of the three parts of this book is entitled “How PGP Works.” Chapter 1 contains some introductory remarks, which are followed by a chapter that explains the principles of public key encryption using some “locked-box” diagrams. Secure hash functions are also explained. Chapter 3, “Sending and Receiving PGP Messages,” provides block diagrams showing all the operations that can be used by PGP (such as digital signature and compression) in sending and receiving messages. The order in which these operations are performed is critical, and the logic associated with that ordering is clearly explained. Some additional PGP capabilities, including secure message transmission to multiple recipients, are described in chapter 4. The generation and exchange of key components is covered in chapters 5 and 6. The importance of verifying public keys is explained by detailing a “man-in-the-middle” attack scenario. Block diagrams illustrate how a person designated “BG” (Bad Guy) might try to intercept messages traveling between two people. The second part of the book is entitled “Using PGP.” The chapters therein provide specific instructions for using DOS, Macintosh, and Windows implementations. I must confess to a feeling of utter dismay when I could not find any chapters dealing specifically with UNIX implementations. This dismay was somewhat allayed when I realized that the DOS instructions are also intended to cover UNIX implementations. But I would have appreciated a simple UNIX mail command example. The final part of the book contains “Supplemental Information.” The first chapter in this part (chapter 12) provides an overview of the cryptographic building blocks of PGP (IDEA, RSA, and MD5). The Caesar, Rot-13, DES, and Triple DES algorithms are also mentioned. The second chapter in this part is entitled “Choosing Your Passphrase.” Stallings presents some comparative statistics on the ease of cracking passwords with various characteristics, and suggests some selection strategies. Chapter 14 suggests where a reader might obtain PGP. There are US export restrictions on “official” versions. As an Australian, I managed to obtain an “unofficial international” version without too much trouble. I also discovered (from an Internet document referenced in this chapter) that the “2.6ui” versions cited in the book have now been superseded by “2.6i” versions. The final chapter provides usage instructions for some public key servers. It also gives details about the Stable Large Email Database (SLED), which can provide a higher level of authentication for those whose names appear therein. The book ends with a brief index and a two-page PGP command guide. I was disappointed at the absence of a list of references, although some references are noted in the body of the text. Information system users who are not concerned about the privacy of the messages they send or the files they own are living in a fool's paradise. If you are not such a person, you should read this book. I am unaware of any equivalent book in which the details of PGP are presented so clearly. I can also confirm (through my own experience with DOS, UNIX, and Windows implementations) that the details are accurate.