PGP: Pretty Good Protocol
PGP stands for “Pretty Good Protocol or Privacy,” and
it’s most often used for sending encrypted messages between two people. PGP works
by encrypting a message using a public key that’s tied to a
specific user; when that user receives the message, they use a private key
that’s known only to them to decrypt it.
This system ensures that it’s easy to send encrypted
communications, because the only thing needed to encrypt a message is a public
key and the proper PGP program. But it’s also quite safe, as messages can only
be decrypted with privately known keys that are password-protected.
In addition to encryption, PGP also allows for digital
signatures. By signing your encrypted message with your private key, you
provide a way for the recipient of the message to see if the content of the
message has been changed. If even a single letter in the message is changed
before it’s decrypted, the signature will be invalidated, alerting the
recipient to foul play.
The mathematical mechanics of PGP are extremely
complicated, but the diagram below will give you a general idea of how the
system works.
Throughout this article, I’ll be discussing both PGP and Gnu
Protocol Guard (GnuPG, or GPG). GPG is an open-source implementation of PGP,
and works on the same principles. Unless you’re going to be buying a
PGP-enabled product from Symantec, the company that currently owns the PGP
copyright and company, you’ll likely be using GPG.
How Secure Is PGP?
While it’s impossible to say that any particular encryption
method is 100% secure, PGP is generally regarded as being extremely safe. The
two-key system, digital signatures, and the fact that PGP is open-source and
has been heavily vetted by the public all contribute to its reputation as one
of the best encryption protocols. Bruce Schneier once called
PGP “the closest you’re likely to get to military-grade encryption,” and
PGP.net says that there are “no practical weaknesses.”
Edward Snowden used PGP to send files to Glenn
Greenwald when he broke the story that kicked off a lot of interest in
encryption. And if it’s good enough for Snowden, it’s good enough for most—if
not all—of the other people who need to encrypt things.
Different types of encryption algorithms can be used
with PGP, though the RSA algorithm is quite common. If you’ve never heard of
RSA encryption, rest assured that it’s really, really strong. According
to DigiCert, it would take a standard desktop computer a number of quadrillions of years to crack
a 2048-bit RSA SSL certificate. That means that if you’d started trying to
crack that certificate at the time of the Big Bang, you wouldn’t finish before
the end of the universe (check out The Strength of an SSL Certificate for
some awesome visualizations of these facts). 2048-bit RSA is commonly used
as a standard algorithm for PGP.
Gnu Protocol Guard often uses the CAST5 algorithm.
Although the key size of CAST5 is 128 bits, which is significantly smaller than
that of some of the stronger RSA algorithms, it’s still approved for
governmental use in Canada by the Communications Security Establishment.
Nothing to sneeze at.
While cryptanalysts and cryptoenthusiasts could argue
all day over the best algorithm to use, GnuPG says that “GnuPG’s algorithms are
so well-designed for what they do that there is no single ‘best.’ There’s just
a lot of personal, subjective choice.”
Pretty Good Protocol or PGP is a popular
program used to encrypt and decrypt email over the Internet,
as well as authenticate messages with digital signatures and
encrypted stored files.
Previously available as freeware and now only
available as a low-cost commercial version, PGP was once the most widely used
privacy-ensuring program by individuals and is also used by many corporations.
It was developed by Philip R. Zimmermann in 1991 and has become a de facto
standard for email security.
How PGP Works
Pretty Good Privacy uses a variation of the public
key system. In this system, each user has an encryption key that
is publicly known and a private key that is known only to that user.
You encrypt a message you send to someone else using their public key. When they
receive it, they decrypt it using their private key. Since encrypting an entire
message can be time-consuming, PGP uses a faster
encryption algorithm to encrypt the message and then uses the public
key to encrypt the shorter key that was used to encrypt the entire message.
Both the encrypted message and the short key are sent to the receiver who first
uses the receiver's private key to decrypt the short key and then uses that key
to decrypt the message.
PGP comes in two public key versions:
Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA
version, for which PGP must pay a license fee to RSA, uses
the IDEA algorithm to generate a short key for the entire message and RSA
to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm
for the short key to encrypt the message and the Diffie-Hellman algorithm to
encrypt the short key.
When sending digital signatures, PGP uses an efficient
algorithm that generates a hash (a mathematical summary) from the user's
name and other signature information. This hash code is then encrypted with the
sender's private key. The receiver uses the sender's public key to decrypt the
hash code. If it matches the hash code sent as the digital signature for the
message, the receiver is sure that the message has arrived securely from the stated
sender. PGP's RSA version uses the MD5 algorithm to generate the hash
code. PGP's Diffie-Hellman version uses the SHA-1 algorithm to generate the
hash code.
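The hybrid scheme and the signature check described above can be traced end to end in a short sketch. This is an added example, not code from PGP or GnuPG: it uses textbook RSA over fixed Mersenne primes, a SHA-256 keystream as a stand-in for IDEA/CAST, and a SHA-256 hash of the message body, and every name in it (send_message, receive_message, ALICE, BOB) is an assumption. It shows the message structure only and is not secure.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    # Textbook RSA without padding: (n, e) is public, (n, d) is private.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed demo keys built from known Mersenne primes; not for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)   # sender
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**607 - 1)        # recipient

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for the fast symmetric cipher: XOR with a SHA-256 counter
    # keystream. The same call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def send_message(message: bytes, sender_priv, recipient_pub) -> dict:
    session_key = secrets.token_bytes(16)       # the "short key", fresh per message
    n, e = recipient_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # only recipient can unwrap
    sn, sd = sender_priv
    signature = pow(digest_int(message), sd, sn)              # hash under sender's private key
    return {"wrapped_key": wrapped,
            "body": keystream_xor(session_key, message),
            "sig": signature}

def receive_message(packet: dict, recipient_priv, sender_pub):
    n, d = recipient_priv
    session_key = pow(packet["wrapped_key"], d, n).to_bytes(16, "big")
    message = keystream_xor(session_key, packet["body"])
    sn, se = sender_pub
    valid = pow(packet["sig"], se, sn) == digest_int(message)  # recomputed hash must match
    return message, valid

if __name__ == "__main__":
    pkt = send_message(b"Meet at noon.", ALICE_PRIV, BOB_PUB)
    print(receive_message(pkt, BOB_PRIV, ALICE_PUB))
```

Flipping any bit of the body in transit changes the recovered message, so the recomputed hash no longer matches the signed one and the check returns False.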