PGP Personal Security 7.03 review

Editors' Rating: 7.2 (Very Good)

Rupert Goodwins ZDNet.co.uk

Published: 13 Jul 2001

PGP (Pretty Good Privacy) is a respected encryption mechanism for protecting email correspondence. PGPi is available for free, so the main reason for purchasing PGP Personal Security 7.03 would be to obtain the extra features that McAfee provides. These include a built-in firewall, self-decrypting files, a virtual hard drive that encrypts files and automatically decrypts them as they are accessed, plus free technical support via a Web page.

For many people, PGP is synonymous with trustworthy data security. Created by Phil Zimmermann in response to proposed US anti-cryptography legislation, PGP caused conniptions in the security services and delight around the world. It was the first freely obtainable, reliable and usable system for encrypting files and emails without relying on the distribution of secret keys. Public key encryption means you can give out a key to everyone, and they can use it to encrypt messages for you. Nobody can then decrypt the message without the private key that you -- hopefully -- keep secret.

PGP was free for many years, with the security of the software ensured by public source code -- in other words, nobody could hide a backdoor in the software, as the users had the option of remaking it themselves. Network Associates (of which McAfee is a subsidiary) continues to do this, but only for the public key parts of PGP Personal Security. The company has commercialised the product and now sells a full version while giving away the bare bones of the software in the old tradition. The full version, PGP Personal Security 7.03, matches current trends by including a firewall, encrypted virtual hard disk drives and a bevy of other disparate functions.

PGP is a strong and reliable encryption system, if it's used right. The major problem is the complexity of managing key authentication for more than a handful of users. If you send me your public key, I call you to verify the fingerprint. Then I sign the key to verify that I trust that key. I then send you your own public key so you can get my signature of your key. You then do the same for my key.

This works fine for two correspondents. However, with each added user the number of signatures verifying the keys escalates. Beyond about five users it gets too complicated to manage, so you have to use some kind of central server to manage the keys. The problem is that you then lose some of the trust on which PGP is based. I trust your key, not because I have checked it out, but because someone I trust has said your key is trustworthy. On a server, I have to trust that the server is completely secure and that the administrator of the server has checked out each key.
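An added example (not from the original review) that models the signing workflow described above as (signer, key owner) pairs and compares pairwise verification with a central introducer. The user names, `keyserver` and the `unchecked` key are constructed for illustration.

```python
from itertools import permutations

USERS = ["alice", "bob", "carol", "dave", "erin"]  # constructed sample names
SERVER = "keyserver"                               # hypothetical central introducer

def full_mesh(users):
    """Everyone phones everyone, checks the fingerprint, then signs that key.
    A signature is a (signer, key_owner) pair."""
    return set(permutations(users, 2))

def via_introducer(users, introducer):
    """Users verify only the introducer; the introducer verifies and signs each user."""
    sigs = set()
    for user in users:
        sigs.add((user, introducer))   # user checked the introducer's fingerprint
        sigs.add((introducer, user))   # introducer vouches for the user's key
    return sigs

def valid_keys(viewer, sigs, trusted=frozenset()):
    """Keys the viewer accepts: ones the viewer signed personally, plus ones
    signed by an introducer the viewer both verified and chose to trust."""
    direct = {owner for signer, owner in sigs if signer == viewer}
    vouched = {owner for signer, owner in sigs
               if signer in trusted and signer in direct and owner != viewer}
    return direct | vouched

def signature_counts(n):
    """Signatures needed for n correspondents: (full mesh, single introducer)."""
    users = [f"user{i}" for i in range(n)]
    return len(full_mesh(users)), len(via_introducer(users, SERVER))

if __name__ == "__main__":
    for n in (2, 5, 10, 50):
        print(n, signature_counts(n))
    hub = via_introducer(USERS, SERVER) | {(SERVER, "unchecked")}
    mesh = full_mesh(USERS) | {("bob", "unchecked")}
    # Alice accepts the unchecked key only in the model where she trusts the introducer.
    print(sorted(valid_keys("alice", hub, trusted={SERVER})))
    print(sorted(valid_keys("alice", mesh)))
```

The pairwise count grows as n(n-1) while the introducer count grows as 2n, but in the introducer model a single careless signature by the server is accepted by every user who trusts it.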

The firewall uses technology from Network Associates' Cybercop product, which has been around for a while and is considered trustworthy. It comes with sets of predefined rules to filter packets according to how you plan to use your computer. If you're using an Internet-connected machine without the benefit of a corporate firewall, this is probably good enough. You can also fine-tune the settings, with a wide variety of automatic alerts and actions. The system also provides an IPSEC VPN client, ICQ encryption, email plug-ins for all popular clients and automatic file wiping on delete -- removing all trace of data from your hard disk. The free version of this software doesn't have the firewall, self-decrypting files, virtual hard drive or technical support, and you're not supposed to use it commercially.

Disk encryption is very important on laptops, because they are carried around in public. Most computers that stay put in an office don't really need encryption -- if other proper security systems are in place. That's a big 'if'. Disk encryption slows the systems down, increases the administration needed, and makes valuable company data subject to loss if the key gets lost or the computer malfunctions. You are likely to create more risk with it than without it.

This is not the easiest software to use, and if you're going to use it in anger, then practise first and keep your skills current. You could easily encrypt your data and then leave it for months, only to find you've forgotten pass phrases or how the software works. There is a pass phrase recovery scheme that involves setting up five questions to which only you know the answer, but this reduces security.

As a general-purpose tool to prevent snoopers and network administrators from reading your private data, PGP Personal Security is a good all-round product that will do the job if used sensibly. It's secure, trusted and verifiable. However, it will only be effective if you understand what it's doing and make it part of an overall security scheme -- just installing and running it won't provide a miracle cure.

Overview

PGP Personal Security 7.03

Editors' rating: 7.2

Verdict: PGP Personal Security will only be effective if you understand what it's doing and make it part of an overall security scheme -- just installing and running it won't provide a miracle cure.

Typical price: £28
