By Wayne Graham, September 15, 2004 12:00 AM EDT
Next, verify the checksum you calculated (3D93D73942117C4C0182CB15E01DE70F) against the MD5 Sum Summary that GnuPG publishes at www.gnupg.org/(en)/download/integrity_check.html. For the Windows GnuPG 1.2.5 ZIP archive the published MD5 sum is 3d93d73942117c4c0182cb15e01de70f; the comparison is case-insensitive, because both strings are the same 128-bit value written in hexadecimal. Since the values match, the archive you downloaded is byte-for-byte the one the summary describes, and you can proceed to installing GnuPG. Keep in mind what this check does and does not prove: it catches a download that was truncated or corrupted in transit and a mirror that serves the wrong file, but only because you compare against a value published by the project itself rather than one served alongside the archive. GnuPG also publishes detached OpenPGP signatures (.sig files) for its releases; once you have a trusted copy installed, verifying those with gpg --verify is the stronger check.
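As an added illustration (not code from the article or from GnuPG), here is the same check done programmatically in Python: it parses a checksum list in the usual "<md5>  <filename>" layout, hashes the file in chunks so a large archive never has to fit in memory, and compares case-insensitively. The checksum list below is constructed for the example; its last entry carries the value quoted above under an assumed archive name (gnupg-w32cli-1.2.5.zip), since the article does not state the file name, and the other two entries are the well-known MD5 values of "abc" and the empty string so the example runs offline.

```python
import hashlib
import hmac
import io
import re
from typing import BinaryIO, Dict

# Constructed MD5 Sum Summary excerpt for this example (not the gnupg.org
# page). The first two entries are the MD5 values of "abc" and "", so the
# example can be checked without any download; the third carries the sum
# the article quotes, under an assumed archive name.
SUM_SUMMARY = """\
# MD5 sums (example list)
900150983cd24fb0d6963f7d28e17f72  sample-abc.txt
D41D8CD98F00B204E9800998ECF8427E *empty.bin
3d93d73942117c4c0182cb15e01de70f  gnupg-w32cli-1.2.5.zip
"""

# One list line: 32 hex digits, whitespace, an optional '*' (md5sum's
# binary-mode marker), then the file name.
SUM_LINE = re.compile(r"^\s*([0-9A-Fa-f]{32})\s+\*?(\S.*?)\s*$")


def parse_sum_summary(text: str) -> Dict[str, str]:
    """Map each listed file name to its MD5 sum, normalised to lower case."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def md5_of_stream(stream: BinaryIO, chunk_size: int = 1 << 16) -> str:
    """Hex MD5 of a stream, read in chunks so large archives fit in memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(stream: BinaryIO, filename: str, sums: Dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for the file named `filename`.

    Both sides are lower-cased hex, so case never matters; the constant-time
    compare is habit rather than necessity here, since nothing secret is
    being compared.
    """
    expected = sums.get(filename)
    if expected is None:
        return "unlisted"
    actual = md5_of_stream(stream).lower()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_bytes(data: bytes, filename: str, sums: Dict[str, str]) -> str:
    """Convenience wrapper for in-memory data."""
    return verify_download(io.BytesIO(data), filename, sums)


SUMS = parse_sum_summary(SUM_SUMMARY)

if __name__ == "__main__":
    # A real run opens the downloaded archive instead, e.g.
    #   with open(r"c:\downloads\gnupg-w32cli-1.2.5.zip", "rb") as f:
    #       print(verify_download(f, "gnupg-w32cli-1.2.5.zip", SUMS))
    print(verify_bytes(b"abc", "sample-abc.txt", SUMS))  # ok
    print(verify_bytes(b"abd", "sample-abc.txt", SUMS))  # mismatch
```

The three outcomes are deliberately distinct: an "unlisted" file is not a pass, because a checksum list that does not mention the file you downloaded tells you nothing about it.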
Extract the GnuPG binaries to a secure location on your hard drive, meaning a directory that is not served by your web server or otherwise reachable from the Internet; the key rings GnuPG creates later live in the same home directory, so nothing in it should be downloadable. The default location for Windows installations is c:\gnupg. Note: if you choose a location other than c:\gnupg, you must edit the registry file gnupg-w32.reg (included in the binary distribution) to reflect the new location of the binaries, and don't forget to apply the registry edits by importing the file (double-click it in Explorer, or run regedit /s gnupg-w32.reg). An additional, and very useful, step is to add the directory containing the GnuPG binaries to your system PATH variable. Though not required, this saves time when working with GnuPG at the command line, as you can then simply type "gpg" from any directory to launch GnuPG.
Once you have finished the initial verification, unpacking, and system configuration, verify your installation by opening a command prompt, navigating to the directory where you extracted the GnuPG binaries (unnecessary if you added it to PATH), and typing:
gpg --version
If everything was done correctly, you should see:
gpg (GnuPG) 1.2.5
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Home: c:/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB
The next step is to create your key pair. Because both your public and private keys are stored on your computer, GnuPG additionally encrypts your private key with a passphrase. When you use your private key, GnuPG prompts you for the passphrase, decrypts the private key in memory, and then uses it. The passphrase is the only thing protecting the key if an attacker obtains a copy of your secret key ring (secring.gpg), so it is important to choose a "good" passphrase, one that cannot be guessed by a person or found by a dictionary or brute-force attack.
To ensure that your passphrase is properly randomized, consider Diceware (http://world.std.com/~reinhold/diceware.html). Diceware uses ordinary dice to pick random words from a list of 7,776 words (6^5, one for each possible result of five rolls). First, download the Diceware word list from http://world.std.com/~reinhold/diceware.wordlist.asc; an alternative list that removes some of the Americanisms is at http://world.std.com/~reinhold/beale.wordlist.asc. After you have a list (or both), find a die and roll it five times, writing down the results in order to form a five-digit number. Locate the corresponding word in the word list and write it down. Diceware recommends repeating this process five times (25 rolls in all) for most users: each word contributes log2(7776), about 12.9 bits of entropy, so five words give roughly 65 bits, which puts the passphrase beyond a brute-force search by anyone without a very large computing budget. For instance, my rolls were as follows: 11234, 61262, 23212, 63352, and 42463
Looking these numbers up in the word list, I got "acorn timex ditto wade modem" as the passphrase for my private key.
Included in the CFC is a method to generate Diceware passphrases. The method uses Java's java.security.SecureRandom class to produce cryptographically strong pseudo-random numbers, uses them to index a copy of the Diceware word list, and returns a passphrase of the length you specify in the method call. As a brief side note, software on its own cannot produce truly random numbers: SecureRandom is a deterministic generator seeded from whatever entropy the operating system offers, and its documentation claims only minimal compliance with the statistical tests in the National Institute of Standards and Technology's "Security Requirements for Cryptographic Modules" (FIPS 140-2, http://csrc.nist.gov/cryptval/140-2.htm). A well-seeded SecureRandom is adequate for most users, but for a passphrase whose randomness does not depend on the machine that generated it, use physical dice with the Diceware word list.
You may want to keep the paper your passphrase is written on in a safe place. That paper is itself a security issue, though: anyone who finds it, together with a copy of your secret key ring, has your key. Note also that in the United States written documents, including passphrases and keys, can be subpoenaed. The Patriot Act allows the FBI to use its Carnivore system, designed for electronic eavesdropping (with judicial oversight); Carnivore captures network traffic rather than what you type locally, but keystroke-logging software on a compromised machine can capture a passphrase no matter how carefully it was chosen. So use your passphrase only for good, and only on a machine you trust!
After generating your passphrase, the next step is to generate your key pair and the public and secret key rings that hold it. Navigate to the directory where your GnuPG binaries are located (or any directory, if you added it to PATH) and run the following command:
gpg --gen-key
An interactive menu appears with options for the type of key pair you want to create. Type "1" to accept the default of "DSA and ElGamal"; the other options, "DSA" and "RSA," create signing-only keys that cannot encrypt. You are next prompted for the size of the "ELG-E" (ElGamal encryption) key; the default is 1024 bits. That was adequate in 2004, but 1024-bit keys are no longer considered strong, so for a key you intend to keep choose at least 2048. To accept the default instead, hit the enter key. Next, specify when the key will expire. For our purposes here the "key does not expire" option will suffice, so hit the enter key again, although for a key in real use an expiry date is the safer choice: if you ever lose the passphrase or the secret key ring, an expiring key stops being used on its own, and you can extend the date later with gpg --edit-key. You are asked if you are sure you want to do this. If you are sure, type "y" and hit the enter key.
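The Diceware procedure described above, and the CFC's idea of driving it from a cryptographically strong generator, as an added Python example (this is not the CFC method from the article, and it uses Python's secrets module in place of Java's SecureRandom). It parses a word list in the Diceware file layout, rolls five dice per word from the OS CSPRNG, reports the entropy of the result, and replays the article's own 25 rolls against an excerpt of the list to reproduce the passphrase in the text. The excerpt is constructed for the example and holds only the five entries those rolls land on; a real run loads the full diceware.wordlist.asc.

```python
import math
import secrets
from typing import Callable, Dict, Iterable

DICE_KEY_LEN = 5
LIST_SIZE = 6 ** DICE_KEY_LEN  # 7,776 words in a full Diceware list

# Constructed excerpt of a Diceware word list in its "NNNNN<tab>word" layout.
# Only the five entries the article's rolls land on are included; a real run
# loads the full diceware.wordlist.asc (7,776 lines) instead. The armor line
# is there to show that non-entry lines are skipped.
WORDLIST_EXCERPT = """\
-----BEGIN PGP SIGNED MESSAGE-----

11234\tacorn
23212\tditto
42463\tmodem
61262\ttimex
63352\twade
"""

# The article's 25 rolls, five per word: 11234 61262 23212 63352 42463
ARTICLE_ROLLS = [1, 1, 2, 3, 4,
                 6, 1, 2, 6, 2,
                 2, 3, 2, 1, 2,
                 6, 3, 3, 5, 2,
                 4, 2, 4, 6, 3]

Die = Callable[[], int]


def parse_wordlist(text: str) -> Dict[str, str]:
    """Return {dice key: word}; armor, header and blank lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 2 and len(parts[0]) == DICE_KEY_LEN
                and set(parts[0]) <= set("123456")):
            table[parts[0]] = parts[1]
    return table


def secure_die() -> int:
    """One roll from the OS CSPRNG; randbelow(6) has no modulo bias."""
    return secrets.randbelow(6) + 1


def scripted_die(rolls: Iterable[int]) -> Die:
    """A die that replays recorded rolls, for reproducing a session."""
    it = iter(rolls)
    return lambda: next(it)


def roll_key(die: Die = secure_die) -> str:
    """Five rolls written down in order, e.g. '11234'."""
    return "".join(str(die()) for _ in range(DICE_KEY_LEN))


def diceware_passphrase(table: Dict[str, str], n_words: int = 5,
                        die: Die = secure_die) -> str:
    """Roll one key per word and look each up; fail loudly on an incomplete list."""
    words = []
    for _ in range(n_words):
        key = roll_key(die)
        if key not in table:
            raise KeyError(f"dice key {key} is not in the word list (incomplete list?)")
        words.append(table[key])
    return " ".join(words)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """log2(list_size ** n_words): about 12.9 bits per word, 64.6 for five."""
    return n_words * math.log2(list_size)


TABLE = parse_wordlist(WORDLIST_EXCERPT)

if __name__ == "__main__":
    print(diceware_passphrase(TABLE, 5, scripted_die(ARTICLE_ROLLS)))  # acorn timex ditto wade modem
    print(f"{entropy_bits(5):.1f} bits")  # 64.6 bits
```

With the full word list loaded, diceware_passphrase(table) with the default die generates a fresh five-word passphrase from the operating system's entropy source; the KeyError on a missing key is deliberate, since silently skipping misses would bias the word selection.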
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
Wayne Graham is a systems administrator at the College of William and Mary's Earl Gregg Swem Library. Wayne is also the co-manager of the Williamsburg Macromedia User's Group and has been developing with ASP, Java, and ColdFusion since 2001.
Thomas Gorgolione, 07/23/08 05:05:27 PM EDT:
You have to compile the code manually from the zip file (see post #5). I did that already, so if you want you can just download it here:
Jeff, 01/31/08 08:07:47 AM EST:
Does anyone have the GnuPG.jar file? I found the CF component but that still needs the GnuPG.jar file to operate and the link in the article to get GnuPG.jar does not work.
Shaun, 09/04/07 02:21:25 PM EDT:
Found this:
William Broadhead, 07/21/05 03:00:51 PM EDT:
Good story. Very informative. One thing I would note is that in CF using the encrypt/decrypt: You don't have to, and shouldn't include the actual key in your code, NOR in your database... A technique I use is to store the key in a text file on the server in a directory that is accessible to ColdFusion but NOT part of the HTTP-accessible directory. Using cffile you can read and load the information in the file to memory as an application key to use for hashing passwords while never having the key in your code nor in your database. Although obviously, as the article points out, security can never be completely infallible, this can reduce the capacity of your data to be compromised: if you did somehow lose a copy of your database or page code, you would also need to lose the file for someone to put it all together...
Mark, 07/14/05 01:53:05 PM EDT:
Great article, very well written.
Brad, 03/28/05 10:13:32 AM EST:
Great article, convinced my peers to use this instead of upgrading to CF7Mx. As for the gentleman looking for the source, click the Source Code link located under Related Sites. Scroll down... you're welcome.
Nguyen Tran, 03/21/05 10:50:00 AM EST:
Where to download the file GnuPG.jar? The link you provided as: On this page, there is no link to download the file GnuPG.jar. Please give us the link to download the file GnuPG.jar. Thank you.
Tom, 02/08/05 06:05:04 AM EST:
Hello, I've the same problem: where is gnupg.jar?
Shane, 12/16/04 11:14:17 AM EST:
Never mind.... I found it.
Shane, 12/16/04 11:09:21 AM EST:
Great article. I've been looking forward to trying this out but haven't been able to find the gnupg.jar file. Am I overlooking it somewhere? Please advise. Thanks.