The ABC's of PGP

by Walter Heindl

    Walter Heindl is an attorney who has been practicing commercial and insurance law since 1983. He is also an avid computer user who develops software as a hobby. The explosion of the Internet has resulted in an explosion in interest in cryptography, digital signatures, electronic commerce and many related issues which raise a number of practical implications for attorneys. One of his programs, Lock & Key, is a Windows 95-based "front end" for Pretty Good Privacy (PGP), which makes the intricacies of PGP accessible and convenient to Windows 95 users.

    The purpose of this article is to (1) explain why attorneys – and others concerned about privacy – should be using encryption when communicating over the Internet; (2) explain, in layman's terms, what PGP is and what it does; and (3) show how Lock & Key enables PGP's use as a practical solution for attorneys concerned about security issues.

THE EXPLOSION of interest in the Internet within the past four years has been one of the most interesting cultural phenomena of our time. As recently as five years ago, the Internet was predominantly the domain of educators, scientists, and government agencies. Since that time, however, the Internet has become widely available to businesses and to ordinary computer users. The content to be found on the Internet has exploded both in quantity and range. The use of the Internet for electronic commerce is only in its infancy, but it can be predicted with some assurance that the next five years will see the same sort of growth in the Internet as a medium of commerce.

While most of the attention has been given to the World Wide Web, still the most widely used Internet service is electronic mail. Within the corporation where I work, electronic mail has dramatically increased both the speed and efficiency of internal communications, as well as productivity. Internet mail offers the same promise for communication among persons within different organizations.

This benefit is not, however, without its risks. Most corporate networks are closed systems which can only be accessed by authorized persons (or at least persons having possession of a password). By contrast, the Internet is an open system. "Packets" of information are routed from the sender to the recipient through any number of computers along the way. Electronic mail messages are temporarily stored on both the servers of the sender and the recipient as well. There is the potential for any computer along the way, or, for that matter, any user connected to the Internet, to intercept what were intended to be private messages. While security measures may be implemented at particular servers (e.g. "firewalls," which restrict access by the outside world to that portion of a corporation's network which is behind the "firewall"), there are many stories of security breaches.

Most users (at least in the United States) send e-mail over the Internet without the slightest concern that the message will be intercepted. Within the United States, we have a culture that has caused us to take privacy for granted. This right to be secure in one's person, reflected in the fourth amendment's prohibition against unreasonable searches and seizures, and in judicial oversight over the granting of search warrants, is perhaps a major cause of this. It is reflected in the anti-wiretapping laws, in state and federal privacy laws, and elsewhere. Whatever its cause, it has clearly permeated our culture. Most Americans have an expectation that their communications will be private, regardless of whether that view is realistic.

It is interesting, but perhaps not surprising, that the technology to actually assure that private communication will remain private – e.g. cryptography – sometimes attracts more interest outside the United States than within the United States. Societies which have more regularly been confronted with the risk that private communications may not really be private have a more realistic appreciation of the risk than most Americans.

Of course, the consequences that would come from interception of most private communications are slight. While we might feel our privacy has been violated by the interception of a college student's e-mail message home, the practical risk is slight. This is not, however, true for many people who wish to use Internet communications for business purposes. The most obvious example, perhaps, is the banking system. Another example is attorneys.

Many of the communications made by or to attorneys are protected by various privileges. Most fundamental is the privilege of communication between an attorney and client. This, too, is effectively guaranteed by the U.S. Constitution. However, this privilege is not absolute. Only communications which are intended to be confidential are protected. Whether a communication is intended to be confidential is governed by an objective standard. Was it reasonable for the attorney to expect that the communication was private? This may be a reasonable expectation where an attorney counsels a client behind closed doors. It is not reasonable if the conversation is held at a location where it should be expected that the conversation will be overheard.

The attorney has a duty under the codes of professional responsibility to safeguard the confidentiality of communications with clients. It is clear that a lack of care can lead to this confidentiality being forfeited. Because of the importance placed by our legal system on maintaining this confidentiality, this lack of care may not only constitute malpractice but may be an ethical violation as well.

This has resulted in a dilemma for attorneys. Some attorneys use the Internet for communications with clients without taking any precautions to assure that their messages will not be "overheard" by others with access to the Internet. This may be tantamount to having a conversation on a street corner. Other attorneys are aware of and concerned about the risk of interception and, being unaware of the potential solutions, have simply foregone making use of the Internet for client communication.

The Internet is, and will remain, an open network. Since the network itself can't be made secure, it is necessary to secure the messages which are sent through the Internet. This is where cryptography comes in.

Or, the attorney may be aware of security solutions such as PGP, but does not know where to begin. With the exception of such commercial implementations as ViaCrypt, PGP is not an off-the-shelf product. It requires fairly high levels of both knowledge and interest in order to find it, install it, and use it. And, while there are commercial encryption programs available on store shelves, they are by and large not interchangeable. While they may provide an effective solution for use within a particular organization, they are not practical for widespread communication between organizations. As will be explained shortly, this is one of the principal benefits of so-called "public key" systems, and one that proprietary solutions cannot deliver. PGP is (with a little bit of effort) easily obtained anywhere and in widespread use everywhere, making it ideal for "public key" security solutions, as will be explained shortly.

MANY LAWYERS who have never tried encryption themselves have at least heard of PGP. PGP (which stands for Pretty Good Privacy) has received a great deal of publicity, mostly as a result of the U.S. Government's abortive efforts to prosecute its author, Philip Zimmermann. Some background in how cryptography works is necessary to understand that case. All cryptography uses a "key" (basically, a series of digits or characters) to encrypt messages. A mathematical formula or algorithm is used to process the information using the key. To decipher the message, one must have both the key and the formula – or must have a computer strong enough and fast enough to crack the code by "brute force." The longer the key, the more secure the encryption – that is, the more immune it is from being cracked by "brute force." While U.S. law does not restrict the domestic use of cryptography (yet another example of our fundamental respect for the right of privacy), the export of cryptographic software using keys more than 40 bits long is prohibited by the same laws which prohibit the export of munitions. PGP uses a key as long as 1,024 bits – substantially stronger than the export laws permit to be exported. A message encrypted with such a key is virtually immune from decryption by brute force. In a world of overstated advertising claims, the product's name itself – Pretty Good Privacy – is almost a laughable understatement.

Zimmermann made PGP available on the Internet. Any Internet user will know that, because the Internet is worldwide, this meant that users outside the United States could download PGP. This is, of course, exactly what happened; and PGP is now widely available on Internet servers outside of the United States. The U.S. government sought to prosecute Zimmermann, an action which drew a great deal of protest within the Internet community. Ultimately those efforts were dropped.

It is, however, partially as a result of those efforts, that PGP requires a little effort to obtain. It is not (except for commercial versions such as ViaCrypt) available on store shelves; nor is it available through most of the online software repositories such as CompuServe, ZDNet, Simtel and the like. There are two versions available: an international version (2.6.3i) and a U.S. version (2.6.2). The U.S. version is freeware which can be obtained from M.I.T. at http://bs.mit.edu:8001/pgp-form.html. This version uses a slightly different algorithm which doesn't violate U.S. patents. Because of the export control restrictions, the M.I.T. server does ask some questions designed to make sure the software is going to be used in the United States and not exported. The international version is available at the International PGP home page, http://www.ifi.uio.no/pgp, and other locations. If you do not yet have PGP, you can get it using these links. Please note that the U.S. and international versions are entirely compatible.

After you've downloaded one of these versions, you'll have a .ZIP file which should be unzipped into the directory of your choosing, e.g. c:\pgp. You will also need to add the following line to your autoexec.bat file:

    SET PGPPATH=C:\PGP

Of course, if you've put PGP someplace other than c:\pgp, adjust this accordingly.

In a few moments, I'll show you the "easy" and "hard" ways to use PGP. Before I do that, however, I should explain exactly what PGP does, and why the technology which it uses is right in the forefront of both encryption security and "digital signatures."

ALL CRYPTOGRAPHY uses a "key" to encrypt and decrypt messages. Conventional cryptography uses a single key which is known to both the sender and the recipient. This key could be a simple pass phrase such as "better safe than sorry." The encryption program uses its encryption formula to process the message with the key, to produce something that will be unreadable to humans. For example, suppose I want to encrypt the following message:

    Now is the time for all good men to come to the aid of their party.

If I encrypt this message conventionally, using the key "better safe than sorry," this produces the following:

    pgAAAF7Y1/lxNaByWNc8HjTsdASklwqbpoz/yswIZE7+Dt84jep1FSwheDq2hlOLTP 7i6256VdLcSUHDLN860Lueu5UvcdPJUev0MzqnEKyE1uSImmfiKbfP7cRHES3Zk4V8K2

While this seems like gibberish, anyone having the key and the encryption formula can easily decode this message.

The main weakness of conventional cryptography is the need to keep the key secure, since anyone having knowledge of the key can decipher the messages encrypted with it. Since the whole purpose of encrypting in the first place is to be able to transmit messages confidentially through an insecure system, it follows that the insecure system shouldn't be relied on to transmit the key itself. Thus, you need to be able to transmit the key to the recipient by some other means.

Conventional cryptography has other limitations as well. If you need to send secure messages to many different individuals using different keys, key management becomes difficult. The recipient in possession of the key must also take measures at his end to secure it; and the more people that have access to a key, the less secure it is.

PGP USES A TECHNIQUE called asymmetric cryptography which overcomes these limitations. Asymmetric cryptography uses a pair of keys to encrypt and decrypt. Think of the pair of keys as being like the two halves of a Mizpah pendant: the whole message can only be read if the two halves are placed together. Thus it is with this dual-key system. A message encrypted with one key can only be decrypted with the other. The process works in either direction: either key can be used for encrypting. However, the other key (NOT the same key) must be used to decrypt.

In practice, one of the two keys is kept secure. This is called a secret key. Ideally, only one person will have access to that key. This key may be further secured by a pass phrase, so that even someone with access to that user's computer cannot use the secret key. The other key (called a public key) can be freely distributed – even published on a BBS. There are literally thousands of PGP users who have published their public keys on their own web page, or who have uploaded their public keys to key servers.

How can even one of the keys be made public? This will become clear if we trace a couple of messages from sender to recipient. This will show the two related uses of PGP: encryption and electronic (digital) signatures.

    Suppose that Sender wants to send a secure message to Recipient. Sender obtains Recipient's public key, either directly from Recipient, or from a public key server. Sender uses that public key to encrypt the message. We already know that the message can only be decrypted using Recipient's secret key. Sender himself cannot even decrypt the message once it has been encrypted, since all Sender has is the public key. Likewise, others who might have the Recipient's public key can't decrypt it either. This is why the public key can be freely distributed.

    Or suppose that the Sender wants to send a message to Recipient, and wants Recipient to know that the message came from the Sender and no one else. Sender uses his own secret key to encrypt the message. Recipient gets the Sender's public key from a key server or directly from Sender, and decrypts the message using the public key. If the decryption "works," then the Recipient knows that the message had to come from Sender. This is, in a nutshell, the basis for electronic signatures.

    The two methods can be combined. For example, suppose a Buyer wants to buy goods from Seller using his credit card. Buyer wants to make sure that no one but the Seller can read the credit card information. Seller wants to make sure that it was indeed Buyer that authorized the transaction. Buyer uses Seller's public key to encrypt the message, and then uses his own secret key to "sign" it. Seller then uses his own secret key to decrypt the message, and uses Buyer's public key to verify Buyer's electronic signature.

There is a security issue that must be resolved before this system can be relied on. That is, how do you know that the person who sends you a public key, or sends you a message signed with a secret key, is really the "owner" of that key? I could, for example, easily create a key pair in the name of Bill Clinton <billc@whitehouse.gov>, send you a message encrypted with the secret key, and send you the public key. You might assume that the sender really was Bill Clinton simply because the public key says that it was signed by Bill Clinton. However, all the public key is saying is that the message was signed with the matching secret key. You have no assurance that the owner of that secret key is really Bill Clinton. You could easily use the public key to encrypt a message, thinking that only Bill Clinton can decrypt it; however, the impostor who has the secret key, and not Bill Clinton, is the one who can decrypt it.

How can one protect against this kind of imposture? There are three ways: key fingerprints, key certifications, and key repositories.

    A key fingerprint is a series of digits that uniquely identifies a key (like a serial number). Every key pair generated by PGP includes a 16-character "fingerprint." In order to use the key fingerprint to verify the key, you would call the person who sent you the key and ask that person to read the fingerprint, and you would verify that against the fingerprint of the public key you were given. Assuming you knew for sure you were talking to the right person (for example, if you recognized his voice), this gives you some assurance that the key belongs to the sender and wasn't sent to you by an impostor.

Key certification and key repositories are related ways of relying on a third party to authenticate the key. The difference between the two is that the key certification travels with the key. In both cases, it is a third party that has done the checking to verify that the owner of the key is who he claims to be, and the third party (much like a notary public) verifies that the key is genuine.

    Suppose you have Joe's public key. You know Joe's key is genuine because Joe (whose voice you recognize) read the fingerprint to you. You also trust Joe. Now suppose you receive Suzy's public key across the Internet. You could, of course, call Suzy to verify the key fingerprint. However, you may not know Suzy personally and wouldn't recognize her voice. Suzy's key, however, comes "certified" by Joe's key, meaning that Joe has verified that the key really belongs to Suzy. You have already verified Joe's key so you know that it really was Joe that has vouched for Suzy's key. Suzy's key is said to have been "certified" by Joe.

    The third method is the use of a public key repository, which is essentially an agency charged with verifying the genuineness of public keys. The public key repository occupies the same role as the notary public, and is supposed to verify the identity of the owner of the key. If you've read about or heard about the Utah Digital Signature Act, you will know that it provides for the establishment and licensing of public key repositories.

Another potential problem: suppose you want to encrypt a message so that more than one person can read it? For example, Tom wants to send a secure message to Dick and Harry, who are in different cities. Must Tom encrypt and send the same message twice? No – PGP allows more than one public key to be used to encrypt a message. Such a message can be decrypted using any of the secret keys. (You can, using PGP, encrypt all messages so that you, the sender, can later decrypt it using your own secret key. This is an ideal way of keeping a copy of the messages securely on your own computer.)
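
The exchanges traced above (encrypting to a recipient, signing, and the Tom, Dick and Harry case) can be followed in a small working model. This is an added example, not code from PGP or Lock & Key: it goes one step beyond the text by showing the mechanism PGP uses for several recipients, a random session key that encrypts the message once and is wrapped separately under each public key. It assumes textbook RSA built from well-known Mersenne primes and a hash-based keystream in place of PGP's real ciphers, and every function and key name in it is made up for illustration.

```python
# Toy model of the public-key operations described above. NOT secure:
# textbook RSA without padding, Mersenne primes chosen only so the example
# needs no prime generator, and a SHA-256 keystream standing in for PGP's
# conventional cipher. All names below are made up for this illustration.
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys


def make_keypair(p, q):
    """Return (public_key, secret_key) as (n, exponent) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # secret exponent: inverse of E mod phi


def rsa(key, value):
    """The one RSA operation; which key is applied decides what it means."""
    n, exponent = key
    return pow(value, exponent, n)


def keystream_xor(session_key, data):
    """Toy conventional cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(f"{session_key}:{offset}".encode()).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def digest_int(message, n):
    """Message digest reduced to a number smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(secret_key, message):
    """Signature = message digest transformed with the signer's secret key."""
    return rsa(secret_key, digest_int(message, secret_key[0]))


def verify(public_key, message, signature):
    """Undo the transform with the public key and compare digests."""
    return rsa(public_key, signature) == digest_int(message, public_key[0])


def encrypt_for(public_keys, message):
    """Encrypt once; wrap the random session key under every public key."""
    session_key = secrets.randbits(128)
    wrapped = {name: rsa(pub, session_key) for name, pub in public_keys.items()}
    return {"wrapped": wrapped, "body": keystream_xor(session_key, message)}


def decrypt_as(name, secret_key, packet):
    """Unwrap this recipient's copy of the session key, then decrypt the body."""
    session_key = rsa(secret_key, packet["wrapped"][name])
    return keystream_xor(session_key, packet["body"])


TOM_PUB, TOM_SEC = make_keypair(2**89 - 1, 2**127 - 1)
DICK_PUB, DICK_SEC = make_keypair(2**61 - 1, 2**107 - 1)
HARRY_PUB, HARRY_SEC = make_keypair(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    memo = b"Confidential status memo"  # constructed sample message
    signature = sign(TOM_SEC, memo)
    # Including Tom's own public key is the "Encrypt Copy To Self" case.
    packet = encrypt_for({"Dick": DICK_PUB, "Harry": HARRY_PUB, "Tom": TOM_PUB}, memo)
    for name, secret in (("Dick", DICK_SEC), ("Harry", HARRY_SEC), ("Tom", TOM_SEC)):
        plain = decrypt_as(name, secret, packet)
        print(name, plain, "signed by Tom:", verify(TOM_PUB, plain, signature))
    # The wrong secret key unwraps a wrong session key and yields only noise.
    print("wrong key fails:", decrypt_as("Dick", HARRY_SEC, packet) != memo)
```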

NOW THAT WE'VE seen a bit of the theory of PGP, how do we put it into practice? Unfortunately, PGP itself is a DOS-based program with a rather complex command syntax. Let's say you're an attorney and want to send a confidential status memo across the Internet to a client. You'd have to drop down to a DOS prompt and enter a command like the following:

    C:\PGP\PGP.EXE -eas "Joe Client" c:\docs\clients\abc\doakes1.doc

What this command does is to tell PGP to encrypt (e) and sign (s) the file c:\docs\clients\abc\doakes1.doc using Joe Client's public key, and to render the result in a text format ("armored," (a)) which can be passed through Internet mail channels. PGP will respond by prompting the user to enter the "pass phrase" for his own secret key, which is necessary to affix an electronic signature.

This can be a tedious and frustrating process for anyone, such as an attorney who may be quite accomplished at using a Windows-based word processor but who is not accustomed to dropping down to DOS prompts to type long commands. And this is perhaps another reason why PGP is not as widely used as the need for its services would indicate.

A number of Windows-based "front ends" have been made to shield the user from these complexities and to make PGP more user-friendly. While these programs differ in what they do and how they do it, they all fundamentally work the same way: they find out what the user wants to do, using a more friendly Windows-style dialog box, and then they issue the appropriate command to PGP to do the hard part.

LOCK & KEY is one such front end, which I wrote to integrate PGP into the Windows 95 user interface. While I am by profession an attorney, I have also developed software as an avocation for a number of years. Last year, I became interested in PGP because of security and electronic commerce issues that my own client was looking into. I, too, found the DOS commands to be tedious, and tried out several of the existing "front ends." Most of those "front ends" were originally written for Windows 3.1 and use the traditional Windows 3.1 "application-centered" way of doing things: that is, you start an application, and then you use the application to create or find the file that you want to work on.

Because Lock & Key is integrated with the Windows 95 Explorer, a Windows 95 user will probably find it to be the easiest way to use PGP. If you have used Windows 95 for a while, you know that Windows 95 uses a "document-centered" way of doing things. That is, using the Windows 95 Explorer, you create Folders, create blank documents in those folders, and then double-click on the documents to launch the appropriate application to edit that document. New Windows 95 users may not yet have adopted this metaphor, but once you have done so, you will find that working in Windows is easier than ever. This is particularly true if you need to use more than one application to work on files, since you can simply right-click on any file and tell Windows what you want to do with that file, whether that be to open that file for editing, to print that file, to send that file to an e-mail recipient, to view that file in a viewing program – or to encrypt that file.

This is where Lock & Key fits into things, and in a minute we'll see how to use it for practical security. But first you will need to download Lock & Key and install it. You can get the latest version of Lock & Key by clicking here. (Isn't the Internet easy!) What you will get is a self-extracting .ZIP file. Put this file into an empty folder and double-click on it. All the files will be unzipped into that folder.

Before you go any further, you should know that Lock & Key is written in Visual Basic. In case you're not familiar with Visual Basic, it is a programming language that lets people like attorneys write four-star applications. In order to run Lock & Key, you will need the Visual Basic Runtime Library, which is a set of three files (VB40032.DLL, MSVCRT40.DLL and OLEPRO32.DLL) which are needed to run any Visual Basic application. You might have these files already; they'd be in your \Windows\System folder. If you don't have them, or don't know, you can get them by pressing here. You will get a .ZIP archive which should be unzipped to your \Windows\System folder.

    To install Lock & Key, simply double-click on the INSTALL.EXE icon. You will first be asked to choose a language in which you'd like to interact with Lock & Key. (In addition to English, Lock & Key presently works in Spanish, French, German, Dutch, Italian, Russian, Norwegian, Danish and Finnish.) Lock & Key will then install itself automatically. Along the way, it will check to see whether you have installed a viewing program called QuickView (as we will see, one of Lock & Key's features is that it will integrate with QuickView if present). It will also give you a chance to add my public key to your "public key ring" (your "address book" for keys), which you might want to do if you ever expect to want to send me an encrypted message. Finally, you will get a chance to view the Lock & Key user guide, a Windows help file. You can do that later to pick up some of the "short strokes." I'll try to show you what you really need to know in this article.

* * * * *

ONE OF THE first things you'll want to do is create your own "key pair." You will do this using KEYCHAIN, which is Lock & Key's tool for managing "key rings." PGP maintains two "key rings," a public key ring (think of this as an address book for public keys) and a secret key ring (you might have more than one). KEYCHAIN lets you manage both. Begin by running KEYCHAIN (This is the Key Management icon which the installation program placed on your Windows 95 Start Menu, in the Lock & Key group). You will get a window that looks something like what is shown here. (Well, not exactly. You probably won't have this many public keys yet. The window might even be empty. If you chose to install my public key when you installed Lock & Key, you will have at least one public key present, so you can send me an encrypted message.) If you click on the Secret Key Ring tab, it will probably be blank. So the first thing we will do is create your key pair. To do this, first make sure that you've clicked on the Secret Key Ring tab. Then, from the menu, choose "Generate Key Pair" (or press Ctrl-G). You will get a message that this has to be done by actually interacting with PGP. That's okay; answer Yes. (This might be the only time you have to do this.)

PGP will then be launched in a DOS box. All you need to do is follow the prompts. You will first be asked to choose a level of security. You will probably want to choose the highest level, since that's why you're doing this in the first place. (There is a slight tradeoff in speed, but if you have a fast computer you won't notice.)

Next, you will be asked to enter your user name. Usually this will be your full name followed by your e-mail address; for example, mine is Walter E. Heindl <wheindl@voicenet.com>. You can put anything you wish but your recipients will appreciate it if you follow that convention.

Third, you will be asked to enter your pass phrase (which you will need to use the secret key), and to confirm the pass phrase (so that you don't make a typing mistake and get an unusable key). This should be from one to 30 characters. You can use anything you like. However, Lock & Key will prefer that you not use < or > or | or * or ? or more than one consecutive space. The usual rules for picking pass phrases should be followed: it should be something you will remember, but not something someone else is likely to guess. (Don't use your mother's maiden name.)

Finally, you will be asked to type a series of random keystrokes. This serves to assure that your key will be unique. PGP is basically measuring the timing of the keystrokes. Stop when PGP tells you to stop. In a few seconds PGP will exit, and the KEYCHAIN window will be updated to reflect both your public and your secret key.

Next, make sure you have at least one public key other than the one you just created for yourself. If you didn't add mine when you installed Lock & Key, all is not lost. Here it is again. (After you begin using PGP for a while, you will find yourself sending and receiving "public key blocks" like this as part of e-mail messages.) Lock & Key makes these especially easy to work with. To see what I mean, simply select the entire key block – make sure you get the whole thing including the first and last lines – and copy it to the Windows clipboard. Then, run Lock & Key from your Windows 95 Start Menu.

      Type Bits/KeyID    Date       User ID
      pub  1024/8A6A9611 1996/08/13 Walter E. Heindl <wheindl@voicenet.com>
      
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: 2.6.3i
      
      mQCNAzIQX1gAAAEEALScp5wuTGUmgqxKE0MAAl9gj4LAg01W/s1eOvDNxMlCzUgc
      132JTX9XAnMX3SkTX57zTUY8wh5QxzQEEct4A4jpSTiv4qWUwRyF9GJM1G3JgJ2v
      2co/a+Y1mjls87rxQSqt+ooLh9pwGP7NlUumC55ZVY8tzk80wlVrqiqKapYRAAUR
      tCdXYWx0ZXIgRS4gSGVpbmRsIDx3aGVpbmRsQHZvaWNlbmV0LmNvbT6JAJUDBRAz
      DER8VWuqKopqlhEBAXd7A/95lLSEXWKaQlizaNndyag2e6OXPKZJiLBMcQ+p8kPX
      1jMVe3I6BeI0qSX4onC5eyRnro3vOzQ5dHldmEY/2WTm2MsYxbI5JkP/lRnAWeZX
      /VZ6VxZ7vAQSPtN7pcpoooXZRbaxHz4ihy2kgnbhELF9uzljHrKyRFqtELDWI1q2
      6w==
      =Hd6P
      -----END PGP PUBLIC KEY BLOCK-----

Lock & Key will "read" this public key block and ask you if you want to add it to your public key ring. Answer yes.
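
The key ID and fingerprint that PGP reports for a key can be recomputed from a key block such as the one above, which is what the telephone check described earlier relies on. This is an added example, not part of PGP or Lock & Key, and its function names are illustrative: it parses the PGP 2.x packet layout and takes the fingerprint as the MD5 of the RSA modulus and exponent, 16 bytes printed as 32 hex digits.

```python
# Added illustration: recompute the key ID and fingerprint of a PGP 2.x RSA
# public key from its armored block, then compare with a fingerprint read aloud.
import base64
import hashlib
import hmac

# The public key block printed in the article above.
KEY_BLOCK = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzIQX1gAAAEEALScp5wuTGUmgqxKE0MAAl9gj4LAg01W/s1eOvDNxMlCzUgc
132JTX9XAnMX3SkTX57zTUY8wh5QxzQEEct4A4jpSTiv4qWUwRyF9GJM1G3JgJ2v
2co/a+Y1mjls87rxQSqt+ooLh9pwGP7NlUumC55ZVY8tzk80wlVrqiqKapYRAAUR
tCdXYWx0ZXIgRS4gSGVpbmRsIDx3aGVpbmRsQHZvaWNlbmV0LmNvbT6JAJUDBRAz
DER8VWuqKopqlhEBAXd7A/95lLSEXWKaQlizaNndyag2e6OXPKZJiLBMcQ+p8kPX
1jMVe3I6BeI0qSX4onC5eyRnro3vOzQ5dHldmEY/2WTm2MsYxbI5JkP/lRnAWeZX
/VZ6VxZ7vAQSPtN7pcpoooXZRbaxHz4ihy2kgnbhELF9uzljHrKyRFqtELDWI1q2
6w==
=Hd6P
-----END PGP PUBLIC KEY BLOCK-----
"""


def dearmor(block):
    """Return the binary packets inside an ASCII-armored block."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("incomplete block: first or last line missing")
    body = lines[lines.index("") + 1:-1]           # skip headers up to the blank line
    data = [ln for ln in body if not ln.startswith("=")]  # drop the checksum line
    return base64.b64decode("".join(data), validate=True)


def packets(data):
    """Yield (tag, body) for old-format packets, the kind PGP 2.x writes."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        if header & 0xC0 != 0x80 or header & 0x03 == 3:
            raise ValueError("unsupported packet header")
        width = 1 << (header & 0x03)               # 1, 2 or 4 length bytes
        start = pos + 1 + width
        length = int.from_bytes(data[pos + 1:start], "big")
        if start + length > len(data):
            raise ValueError("truncated packet")
        yield (header >> 2) & 0x0F, data[start:start + length]
        pos = start + length


def read_mpi(buf, pos):
    """Read one multiprecision integer: 2-byte bit count, then the bytes."""
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    end = pos + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated integer")
    return bits, buf[pos + 2:end], end


def describe_key(block):
    """Extract size, key ID, fingerprint and user ID from a key block."""
    info = {}
    for tag, body in packets(dearmor(block)):
        if tag == 6 and "key_id" not in info:      # public-key packet
            if body[0] not in (2, 3) or body[7] != 1:
                raise ValueError("expected a version 2/3 RSA key")
            bits, n, pos = read_mpi(body, 8)       # modulus
            _, e, _ = read_mpi(body, pos)          # public exponent
            info.update(bits=bits, exponent=int.from_bytes(e, "big"),
                        key_id=n[-4:].hex().upper(),
                        fingerprint=hashlib.md5(n + e).hexdigest().upper())
        elif tag == 13:                            # user ID packet
            info.setdefault("user_id", body.decode("latin-1"))
    return info


def fingerprints_match(computed, spoken):
    """Compare fingerprints, ignoring the spacing and case used when read aloud."""
    def normalise(text):
        return "".join(text.split()).upper()
    return hmac.compare_digest(normalise(computed), normalise(spoken))


if __name__ == "__main__":
    for field, value in describe_key(KEY_BLOCK).items():
        print(f"{field}: {value}")
```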

Now, suppose you want to encrypt a file using PGP so that only a particular recipient can view that file. This might be a file you created using your word processor (such as a confidential status memo to a client), or it could be a spreadsheet containing confidential financial information. It could be any confidential file, even a graphic file (say, a proof of the Sports Illustrated Swimsuit Edition cover before it is publicly released). Open the Explorer window containing the file, right-click on the file, and choose Send To Lock & Key, as shown.

This will bring up the dialog box for LOCK32, which is the half of Lock & Key which is used for encrypting files and messages. You will be given several choices. Most of these choices will stay the same from one use to the next. The only exceptions are that you must select a recipient each time, and you must (if you want to "sign" the file) enter your pass phrase each time. Here's an overview of the choices to be made.

  • Recipient: The window contains a drop-down list containing all of the public keys in your public key ring. Simply choose one. If you want to send to more than one recipient, you can simply type in one word from the names, e.g. John Paul George Ringo. As long as the names are unique within your keyring, this will work. Make sure the "Encrypt Copy To Self" box is checked. You'll need this in order to decrypt the message. Chances are, you'll want to leave that checked. You will certainly need to check it if you want to follow along with this tutorial.
  • Input: Note that the name of the file is shown here. Note that this may be a Windows 95 long file name – something that Lock & Key supports even though PGP won't do it directly. There is an option to "wipe" the input file (destroy it beyond recovery) after it is encrypted. Options that don't make sense in a given context are grayed out. In this case, "wipe" is grayed out because the output is being delivered to the Clipboard rather than saved as a file (explained below), in which case a crash or a power burp could destroy both the encrypted and un-encrypted versions.
  • Output: Here you have three major choices: Binary, Armored and Clipboard. Choose Binary if you want to produce a file that you will deliver on disk. Choose Armored if you want to produce a file that you will be sending as an attachment over the Internet. Choose Clipboard if you want to simply paste the result into an e-mail program's editor window (very convenient for smaller files). You'll probably use the Clipboard option a lot, but for now choose Binary or Armored.
  • If you choose Clipboard, you get to make two other choices. First, you can choose to include your public key (like the one shown previously), which will allow the recipient to send you an encrypted response, and which the recipient will need to have to read your electronic "signature." Second, you can choose to include the original file name. If the recipient is also using Lock & Key, this information will automatically be used when saving the file to disk. (The recipient doesn't need to have Lock & Key – this is a convenience.) Again, options that don't make sense are grayed out. These last two options won't make sense if you chose Binary or Armored, and so will be grayed out.

  • Encryption Method: The choices are Public-Private Key, conventional (single key) or none (you can sign a message without encrypting it). Most of the time you will choose Public-Private Key.
  • Signature: If this is checked, you will need to type in your pass phrase. If this is not checked, the rest will be grayed out.

After you have made your selections, click OK. PGP will then run in the background. When it is finished, you will get both a visible and an audible indication (a lock snapping shut) letting you know that PGP is finished.

If you chose Binary or Armored, you will see that there is now a new file in the Explorer folder. The file will have a lock for an icon, will have the original file name including original extension, and a new extension .PGP (binary) or .ASC (armored). This is the encrypted file, which can now safely be sent to the recipient using the Internet. If you chose Clipboard, then the encrypted data will be in the Windows clipboard. You can open a message in any e-mail program and paste the encrypted data into the e-mail message.

Now comes the fun part: decrypting the encrypted message. Be warned: you will ONLY be able to do this if you checked "Encrypt Copy To Self" when you encrypted the file. Otherwise, the encrypted file is secure from your eyes as well as the rest of the world.

If you chose Binary or Armored, simply double-click on the encrypted file. This will cause the main window of KEY32 (Lock & Key's decryption module) to appear. This dialog box is even simpler. You must, of course, enter your pass phrase, which, you'll remember, is necessary to make your secret key do anything, e.g. to decrypt this file. You must also choose what you want to do with the file after it is decrypted. You can save it as a file; you can open it using the application that was used to create it (e.g. opening a spreadsheet in Excel); you can print it; you can copy it to the Clipboard (if it is just plain text). Your choice is remembered between uses. (Of course, you must enter your pass phrase each time.)

The first option, however, is the most interesting: View Only. If you have QuickView or QuickView Plus installed, Lock & Key will send the decrypted output to it. QuickView comes with Windows 95 and lets you view most major word processor, spreadsheet, graphic and other files, with most formatting preserved, without having to use, or even own, the application it was created in. QuickView Plus is an upgrade which adds support for many other applications and other features such as being able to print the file. Lock & Key looks for QuickView when it is installed and will tell you if it finds it. If it doesn't find it, then get out your Windows 95 CD and install it. QuickView is an extremely useful and valuable utility in its own right for any Windows 95 user; but when you see how Lock & Key integrates it into PGP . . .

If you do have QuickView installed, then choose View Only, enter your pass phrase, and press OK. Again, PGP will work in the background, and you'll get an audible and visible indication (this time, a lock snapping open) from Lock & Key when PGP is finished. At this point, if the file was signed when it was encrypted, a message will appear indicating that the file was signed.

If all goes well, in a few seconds QuickView will pop open, and display the decrypted file, whether it be a plain text file, a word processing document, a spreadsheet, or a graphic file. After you close QuickView, Lock & Key will delete the decrypted file from the disk (the encrypted file will still be there).


Copyright © 1997-2002, Walter E. Heindl, Ivitar Software