Encrypt & Sign Text

Two of PGP's main functions

by Edward Langenback

© 10/30/03

An Important note about HTML format email

If you are going to use PGP to sign and/or encrypt email messages, it is essential that your email program is NOT composing in HTML. HTML emails are subject to being reformatted, and this will render PGP messages and signatures unusable. The procedure varies from one email program to another, but it is possible to turn off HTML formatting in all of them.

For these examples you'll need to open Notepad and type a few lines of text:

this is a test message, 
encrypted with pgp using Test User's public key

When you're finished, click on the padlock icon in the system tray. Select 'Current Window' and then select 'Encrypt & Sign'. The text in the Notepad window will all be selected and then the 'Key Selection Dialog' will appear. Select the key you just created ("Test User <testuser@domain.com>"), drag it down to the Recipients list and click <OK>.

Next you will be prompted to enter the passphrase for the signing key. Note that if you had more than one key pair, you would be able to choose which one to use as the signing key from the list in this window. For now, of course, you only have the one key, so enter the passphrase for it and click <OK>.

After a few seconds the text that you had in Notepad will be replaced. The resulting message will look like this:

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

Save this file temporarily. You can now copy and paste this message into an email, or save the file and attach it to an email or save it on disk. You could even print it out and send it by postal mail (though I'd hate to be the guy who had to type that thing in! Even one error would make it impossible to decrypt it!). This message could be posted anywhere, in any public message board or newsgroup, with total confidence that no matter how many people saw it, only the person or persons whose public keys were used to create it would be able to read its content.

Later on, Test User needs the information that was encrypted in the text file. So open the file in Notepad and click on the padlock icon. Select 'Current Window' and then select 'Decrypt & Verify'.

PGP will select all of the text in the Notepad window and after a second the 'enter passphrase' window will appear. Here PGP informs us that the message was encrypted to Test User's key. Had it been encrypted to more than one key, any of them could have been used to decrypt it. In this case, of course, we'll enter the passphrase for Test User's key and click <OK>.

PGP churns for a few seconds and a Text Viewer window appears with the following text in it:

*** PGP Signature Status: good
*** Signer: test user <testuser@domain.com> 
*** Signed: 7/23/02 9:06:06 PM
*** Verified: 7/23/02 9:14:59 PM

this is a test message, 
encrypted with pgp using Test User's public key


On this window there is a <Copy to Clipboard> button that allows you to copy the content of the decrypted message and paste it into another file. In this case we won't bother; instead, click <OK> to close the text viewer. You will notice that the content of the Notepad file is unchanged, and would stay that way unless we had chosen to copy the decrypted message and paste it into Notepad.

This same procedure can also be used in an email client or word processor. If you have trouble with the 'Current Window' option on the PGP menu, you can also highlight the text you want to work with, use Copy or Cut to put it into the Windows clipboard, and then choose 'Clipboard' instead of 'Current Window' on the PGP padlock icon. They both have the same options on them.

In another example, the same message could have simply been 'signed' with a unique digital signature that could assure that the message was from the person who claimed to write it and that it had not been altered in any way. Simply 'signing' a message is done in the same manner as the previous example, with the exception that instead of choosing 'Encrypt & Sign' you choose 'Sign'.

So the message:

this is a test message, 
signed with pgp using Test User's public key

After it is 'signed', looks like this:


this is a test message, 
signed with pgp using Test User's public key


Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

Now if you take this message and select 'Current Window' and 'Decrypt & Verify' on the PGP padlock icon, the text viewer will pop up again with the following in it:

*** PGP Signature Status: good
*** Signer: test user <testuser@domain.com> 
*** Signed: 7/23/02 11:07:35 PM
*** Verified: 7/23/02 11:09:57 PM

this is a test message, 
signed with pgp using Test User's public key


This shows that Test User did indeed sign this message, and the fact that its status is good indicates that the message has not been altered since it was signed. If it had changed by even one character, the PGP Signature Status would be 'bad'. This means that while the message was sent "In the clear" (which means 'Not Encrypted'), if the status is good, then we know that the message has not been altered. (As an experiment, go back to the message that you signed and change one character or add even a single space to it and then try to 'Decrypt & Verify' it. The Signature Status will be bad.)

When a message is signed, you are assured that the signer is who they claim to be. This is because, unlike encrypting a message, signing uses the signer's private key, and their public key is then used to verify that signature. Since only the signer would have access to the private key and only they would know the passphrase for it, a good signature status shows that the message is valid and came from the signer.
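The signing behaviour described above, and the warning about HTML reformatting at the top of the page, can be reproduced in a few lines. This is an added example, not part of the original article and not PGP's own code: it uses a toy hash-then-sign RSA scheme with no padding and a constructed key built from two publicly known Mersenne primes, and the function names (digest, sign, verify, html_reflow) are hypothetical.

```python
import hashlib

# Constructed toy key: two publicly known Mersenne primes. Never use for real data.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (the secret half)

# The sample message from the article.
MESSAGE = ("this is a test message,\n"
           "signed with pgp using Test User's public key\n")


def digest(text: str) -> int:
    """Hash the exact bytes of the message; any byte change alters this value."""
    return int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big")


def sign(text: str, d: int = D, n: int = N) -> int:
    """Signer side: transform the digest with the PRIVATE exponent."""
    return pow(digest(text), d, n)


def verify(text: str, signature: int, e: int = E, n: int = N) -> str:
    """Verifier side: undo the transform with the PUBLIC exponent and compare."""
    return "good" if pow(signature, e, n) == digest(text) else "bad"


def html_reflow(text: str) -> str:
    """Mimic an HTML mail client re-wrapping text: join lines, collapse spaces."""
    return " ".join(text.split())


if __name__ == "__main__":
    sig = sign(MESSAGE)
    print("untouched:      ", verify(MESSAGE, sig))
    print("one extra space:", verify(MESSAGE.replace("test message", "test  message"), sig))
    print("HTML reflowed:  ", verify(html_reflow(MESSAGE), sig))
    # A signature made with a different private exponent fails under this public key.
    print("wrong key:      ", verify(MESSAGE, sign(MESSAGE, d=D + 2)))
```

Only the holder of D can produce a value that verifies under (E, N), which is why a 'good' status ties the text to the signer's key.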