PGP and GPG: Email for the Practical Paranoid

Cryptography is a difficult topic, but many people are interested in keeping their email communications private. Where can a "moderately skilled geek" find a good introduction that will teach them the practical skills? PGP & GPG: Email for the Practical Paranoid claims it can help. Quantum Skyline from our own Dev Hardware forums reviews the book.

As with software reviews, I find book reviews difficult to do.  Depending on the target of the book, I sometimes have a difficult time trying to put myself into a mindset that is required for understanding certain concepts, or explaining to myself why things are the way they are.  PGP & GPG: Email for the Practical Paranoid by Michael W. Lucas is a book which, according to the back cover, is aimed at "moderately skilled geeks who are unfamiliar with public-key cryptography but who want to protect their communications on the cheap."  This is an aspect of the book which I will touch on a few times, and it will be apparent as to why later in the review.

Lucas is the author of several books which include Absolute BSD, a book which has seen much praise at Amazon.  Lucas has also written Absolute OpenBSD: Unix for the Practical Paranoid and Cisco Routers for the Desperate: Router Management, the Easy Way for No Starch Press.  His biography on the back cover describes him as a "network and security engineer with extensive experience working with high-availability systems," and he is a columnist for the O’Reilly Network with articles in several online publications.  He owns blackhelicopters.org, which is quite appropriate considering what he writes about.

In the interests of full disclosure, I have more than a cursory interest in computer and Internet security, and I am familiar with the applications of cryptography to ensure privacy.  I personally think that the use of public-key cryptography is a must when there are certain requirements that are dictated by the situation, and I worry that novices look at cryptography and cryptographic tools as a magic bullet that solves all of one’s problems in this area.  Because this book is aimed at those who wish to help with securing their online communications, I was interested in seeing how this kind of information is presented to novices.

A Textbook on Email

PGP & GPG is laid out in an instructional format much like a textbook. It is intended to be read linearly.  Skipping chapters to get specific bits of information is likely to confuse the reader.  The first two chapters introduce the OpenPGP standard, PGP and GPG, and the differences between them before putting the reader through "Cryptography Kindergarten."  Following the introduction, Lucas takes the reader through installing PGP Corporation’s PGP desktop client, GPG, and a Windows interface to it called WinPT.  When showing how to use or install the tools, Lucas devotes one chapter to PGP and GPG each, and Lucas reminds the reader to skip the chapters that are not useful for him- or herself. 

Following the discussion on installation, in chapters 5 through 7 Lucas explains the concepts behind the Web of Trust and how to manage public keys in the Web of Trust.  Chapters 8 through 10 talk about how to use the OpenPGP standard with commonly used email tools, and Lucas finishes the book with other considerations and caveats when using OpenPGP, as well as appendices on how to use the command line tools.

The introduction to PGP & GPG is rather enjoyable; Lucas does an excellent job of summarizing the history behind OpenPGP, and his telling of Phil Zimmermann's story is quick and to the point. At the beginning of the first chapter, Lucas goes over common tasks that involve public-key cryptography and identifies what OpenPGP can do to address them. His explanation of cryptographic terms is done at a high enough level that novices will understand the concepts, but those who are more familiar with cryptography may complain that he skips details.

However, while Lucas did a good job of introducing and explaining the concepts and what OpenPGP provides, it seemed that he did not do an adequate job of motivating the case for why a regular user would begin using OpenPGP with their email. The closest he gets to that kind of statement is when Lucas states that "non-repudiation alone makes it worthwhile to use OpenPGP" and gives examples of some extreme situations where OpenPGP is a good idea. Given that the reader is not likely to be in a repressive country (although some would argue that this is where some western countries are heading), PGP & GPG does not specifically instruct the reader to evaluate his or her tolerance for risk and then decide what is appropriate. For a book that reads like a how-to document, this is a critical step that was missed.

Details of Instruction

When describing how to use PGP or GPG, Lucas tries hard to ensure that the reader is comfortable working with the tools.  PGP & GPG is laced with screen shots of how to use any of the programs, or, in the case of GPG from the command line, textual descriptions of commands and their output.  It is also encouraging to see that Lucas provided instructions on how to use GPG on Linux.  There is a large amount of text spent on step-by-step instructions on everything from installation to digitally signing email and managing identities.  The instructions are complete, and are written in such a manner that a regular user with limited command line experience could actually perform the tasks described.  Lucas’ writing style is quite inviting, and he tends to insert some humor in areas of the book that would be quite dry otherwise.  When explaining the output from command line GPG, Lucas highlights parts of the output and illustrates what they mean.  This goes a long way towards making the use of the command line less intimidating for the reader, and complements the appendices.

However, while Lucas provides a large number of screen shots, PGP & GPG is almost completely devoid of pictures or diagrams. For example, it would be nice to have some diagrams in the chapters regarding the encoding, encryption, and signing of email so that the reader has a visual representation of how s/he is changing his or her email when using OpenPGP. PGP & GPG is the first book from No Starch Press that I have read and as a result, I'm not sure if it is representative of a particular style that No Starch Press is trying to use in its books or if this is indicative of Lucas' style of writing. He does make use of inset text and footnotes to give the reader some details that may be tangential or extra background information.

Lucas highly stresses certain things during the course of PGP & GPG.  When he finds a topic that he wants to drive home, he repeats it throughout the course of the book so that the reader is left with the impression that a particular issue is important and always needs to be thought of when working with OpenPGP.  For example, Lucas emphasizes the use of key expiration dates, and absolutely insists on keeping backups of private keys and revocation certificates.  To further illustrate his points, he repeats his explanation as to why he believes these topics to be important by showing the potential consequences and their significance.  In a book like this, these explanations are as important as the concepts themselves, because they allow the reader to understand why Lucas is taking a hard stance on a particular topic.

Chapter 11, "Other OpenPGP Considerations", is the chapter mentioned earlier that talks about caveats when using OpenPGP.  This chapter is a must read, and dispels the majority of my worries that a reader might take the usage of OpenPGP as a panacea when it comes to email security.  In this chapter, Lucas states that while OpenPGP is good, simple misuse can have a large effect on its effectiveness.  Also, Lucas introduces "rubber hose cryptography" and shows that humans are the weakest link in systems like this.  He also provides suggestions on how to manage keys when working in teams and when using shared systems in plain and simple terms.

Conclusion

In conclusion, PGP & GPG: Email for the Practical Paranoid is a good read for someone who wants to get started in the world of email security. Lucas tries hard to simplify difficult tasks and concepts – he says that the math that proves that cryptography works can make your head hurt – while maintaining a level of informality and ease that should not intimidate most users. PGP & GPG also gives the reader a feel for important issues by repeating them and explaining the potential results of not considering them.

However, where Lucas does a good job of explaining what to do, I don't think that PGP & GPG explained why the reader would want to do it. There are a lot of things that must be done when managing the Web of Trust, and it can seem like a lot of work for little benefit to the reader. Similarly, the lack of diagrams in the book makes it hard to visualize the process one is going through.

Having said that, I would recommend PGP & GPG to any novice cryptographer, not just someone who is looking at securing their email.  Books like this make cryptography a bit more accessible, and despite the title, prompt those who aren’t paranoid yet to start protecting their data and communications.

For more information on PGP & GPG: Email for the Practical Paranoid, please feel free to visit No Starch Press’ site on the book; it can be bought from Amazon here.  If you have comments, questions, or beefs on this review, leave a comment here or in the DevHardware Forums.  I would like to hear what you think.