Pretty Good Privacy or PGP Explained
Pretty Good Privacy (PGP) is an encryption software that uses symmetric and asymmetric encryption for high-level security to protect digital services and communication systems. PGP also supports digital signatures to guarantee data integrity and sender authenticity.
Basics
PGP is encryption software created by Phil Zimmerman to ensure privacy, security, and authentication for online communication systems. Zimmerman made the first PGP program freely available in response to the growing demand for privacy.
Since its inception in 1991, various versions of PGP software have been developed. In 1997, Phil Zimmerman proposed the creation of an open-source PGP standard to the Internet Engineering Task Force (IETF), which was accepted. This proposal led to the development of the OpenPGP protocol, which defines standard formats for encryption keys and messages.
PGP was initially owned by PGP Inc, but Network Associates Inc acquired it later. In 2010, Symantec Corp. acquired PGP for $300 million. Today, the term PGP is used as a trademark for Symantec's OpenPGP-compliant products.
Initially used to secure email messages and attachments, PGP is now applied in various use cases such as digital signatures, full disk encryption, and network protection.
How Does PGP Work?
PGP is a hybrid cryptosystem that employs symmetric and asymmetric encryption for high-level security. It was among the earliest widely available software to utilize public key cryptography.
To begin the encryption process, plaintext files are compressed by PGP to save space and transmission time, as well as to increase security. After compression, the compressed plaintext file is encrypted using a single-use key, known as the session key, which is generated randomly through the use of symmetric cryptography. Every PGP communication session has its unique session key.
Following that, the session key is encrypted using asymmetric encryption, where the intended receiver provides their public key to the sender. In this case, for example, Sarah encrypts the session key with Tom's public key to safely share it through the internet. This step ensures that the session key can be safely transmitted regardless of security conditions.
RSA algorithm is commonly used for the asymmetric encryption of the session key, as it is with other encryption systems such as the Transport Layer Security (TLS) protocol, which secures a vast portion of the Internet.
After Sarah encrypts the session key, she sends the ciphertext and the encrypted session key to Tom. Tom uses his private key to decrypt the session key, which he then uses to decrypt the ciphertext back into the original plaintext.
PGP offers more than just encryption and decryption. It also supports digital signatures, which have three primary functions. The first function is authentication. Tom can use PGP to verify that the message sender was Sarah. The second function is integrity. Tom can ensure that the message wasn't altered by using PGP. The third function is non-repudiation. After Sarah signs the message digitally, she can't deny having sent it.
Usage
PGP is commonly used to provide security to emails by converting them into ciphertext that requires a corresponding decryption key. The same process is used for securing text messages and can also be implemented on other apps. Apart from securing internet communications, PGP can be used to encrypt individual devices such as computer and mobile device disk partitions. By encrypting the hard disk, the system requires a password every time it boots up.
Pros of Using PGP
Privacy Without Speed Loss
Using both symmetric and asymmetric encryption, PGP is a powerful tool for secure communication that ensures the protection of sensitive information. With PGP, users can encrypt data and cryptographic keys and safely share them over the internet. This hybrid system offers the best of both worlds: the strong security of asymmetric cryptography and the fast speed of symmetric encryption. Furthermore, PGP provides digital signatures that guarantee data integrity and sender authenticity, adding an extra layer of protection to the communication process.
OpenPGP Standard
Multiple companies and organizations offer PGP solutions that comply with the OpenPGP protocol, creating a standardized competitive environment. The good news is that all PGP programs that follow the OpenPGP standards are interoperable. Therefore, files and keys created in one program can be used in another program without any compatibility issues.
Cons of Using PGP
Entry Threshold
PGP systems have some disadvantages that users should be aware of. One of them is that they can be difficult to use and understand, particularly for those with limited technical knowledge. Additionally, many people find the lengthy public keys to be inconvenient.
EFAIL Vulnerability
The Electronic Frontier Foundation (EFF) published a significant vulnerability named EFAIL in 2018. The vulnerability allowed attackers to gain access to plaintext versions of messages through active HTML content in encrypted emails. However, some of the issues raised by EFAIL were already known to the PGP community since the late 1990s, and the vulnerabilities were related to the different implementations of email clients and not PGP itself. Thus, despite the headlines that caused alarm, PGP remains highly secure and is not broken.
Conclusion
PGP has been a vital tool for data protection since its inception in 1991. It is now utilized across various applications, providing security, authentication, and privacy for digital services and communication systems. Despite the EFAIL flaw discovery in 2018, which raised concerns about its viability, PGP's core technology remains robust and cryptographically secure. However, the security levels of different PGP implementations can vary.