How PGP Works
One night in one of my security classes we were discussing
what PGP was. There was some confusion on the issue so this
is a short paper I wrote and sent to the class to help clear
up how PGP works.
Introduction
In the early days of the Internet there was no such thing as privacy.
In fact all communication was essentially done using what would be a
post card in the real world. Everything was open for others to read.
PGP was created to give private citizens the ability to encrypt E-Mail
messages. It was developed by Philip R. Zimmermann in 1991 and has become
the de facto standard for E-Mail security. (Pretty Good Privacy (PGP))
The main reason for the creation of PGP was:
Senate Bill 266, a 1991 omnibus anticrime bill, had an unsettling measure
buried in it. If this non-binding resolution had become real law, it would
have forced manufacturers of secure communications equipment to insert
special "trap doors" in their products, so that the government could read
anyone's encrypted messages. It reads, "It is the sense of Congress that
providers of electronic communications services and manufacturers of
electronic communications service equipment shall ensure that communications
systems permit the government to obtain the plain text contents of voice,
data, and other communications when appropriately authorized by law." It was
this bill that led me to publish PGP electronically for free that year,
shortly before the measure was defeated after vigorous protest by civil
libertarians and industry groups. (Zimmermann 1999)
Zimmermann’s commitment to privacy also led him down a path in which the
U.S. government tried for three years to prosecute him for his creation.
In the long run the government dropped the case and he was never charged
with a crime.
Cryptosystem and Cryptography
A system or product that provides encryption and decryption is referred to
as a cryptosystem and can be created through hardware components or program
code in an application. (Harris 2012) A cryptosystem can include symmetrical
and asymmetrical encryption (or public key encryption). This definition
shows that many applications today can also be called cryptosystems. PGP
is no different. Zimmermann created a complete cryptosystem in that PGP can
encrypt information and decrypt information.
At the heart of any cryptosystem is cryptography, because without it there is
no way to encrypt or decrypt data. When looking at cryptography it can be
stated that there are two kinds of cryptography in this world: cryptography
that will stop your kid sister from reading your files, and cryptography that
will stop major governments from reading your files. (Schneier) PGP is considered
one of the types that will stop major governments from reading your files. This
is because of the way the system handles all data.
In symmetric cryptography, data is exchanged between trusted participants.
Each participant uses the same key to encrypt and decrypt data. These are
also referred to as secret-key ciphers. The issue is that the key must be
kept secret; otherwise confidentiality can be compromised. (IBM)
Asymmetric cryptography, or public key cryptography, allows data to be encrypted,
or decrypted, using mathematically related keys. These keys are referred to as public
and private keys. If one key is used to encrypt then the other key is required to
decrypt. The private key is intended to be kept secret by one user and the public
key is intended to be used by one or more users. A public key is used to send data
to the user with the private key. This allows data to be confidential to the user
with the private key. Anyone with the public key can only encrypt data and send it
to the user with the private key. Data encrypted with the public key cannot be
decrypted with the public key; data encrypted with the private key can only be
decrypted with the public key. In this case a user with the private key can encrypt
data and send it to a user with the public key, and that user can decrypt the data.
Asymmetric cryptography will guarantee that the data decrypted with the public key
came from the user with the private key. (TechTarget) This provides both
authentication and nonrepudiation.
What is PGP?
PGP works in a very similar fashion to many other cryptosystems; it just has a focus on
E-Mail. Currently PGP supports public key infrastructure (PKI) provided by multiple
vendors, including X.509 certificates, Lightweight Directory Access Protocol (LDAP)
key sources such as Microsoft’s Active Directory, and Novell’s NDS, now called
eDirectory. (Conklin 434) This gives PGP a very flexible approach in interfacing with
most systems. PGP creates a “web of trust” for authentication. (Harris)
PGP starts when a user has finished writing an E-Mail message and is ready to send
that message. The PGP client will first compress the message. This is done so that
the compressed data is less likely to produce patterns in the encrypted output.
Patterns are avoided in encryption so that it is harder to break the encryption. After
the compression is complete, the PGP client creates a random session key. A session
key is a one-time symmetric key that will be used to encrypt data for this particular
session. After the session is complete the session key is thrown out. For the actual
encryption of the E-Mail content, PGP supports International Data Encryption Algorithm
(IDEA), 3DES, and Carlisle Adams and Stafford Tavares (CAST) for symmetric encryption.
(Conklin 434)
Once the data is encrypted with the session key the session key is encrypted with
the recipient’s public key and the E-Mail is sent to the recipient. The recipient
uses the sender’s public key to decrypt the session key then uses the session key
to decrypt the data.
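The following sketch of the compress, session key, encrypt, wrap sequence is an added
example, not code from PGP or from the original paper. The symmetric cipher is a
SHA-256 keystream standing in for IDEA/3DES/CAST, the key pair is a constructed
textbook-RSA demo key, and all function names are hypothetical; the wrapped session
key is recovered with the private key that matches the public key used to wrap it.

```python
import hashlib
import secrets
import zlib

# Constructed demo key pair for the recipient: textbook RSA built from two
# Mersenne primes. Unpadded and trivially factorable, so for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
RECIPIENT_PUBLIC = (N, E)
RECIPIENT_PRIVATE = (N, D)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter-mode keystream.

    The same call encrypts and decrypts. Safe here only because each
    session key is used for exactly one message.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def pgp_style_encrypt(message: bytes, recipient_public):
    """Sender side: returns (wrapped session key, ciphertext)."""
    n, e = recipient_public
    compressed = zlib.compress(message)                    # 1. compress
    session_key = secrets.token_bytes(16)                  # 2. one-time key
    ciphertext = keystream_xor(session_key, compressed)    # 3. encrypt data
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 4. wrap key
    return wrapped, ciphertext          # the session key itself is not kept


def pgp_style_decrypt(wrapped: int, ciphertext: bytes, recipient_private):
    """Recipient side: unwrap the session key, decrypt, then decompress."""
    n, d = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return zlib.decompress(keystream_xor(session_key, ciphertext))
```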
Another way the sender can choose to send the E-Mail is as a signed E-Mail. If
this option is selected the sender will use their private key to encrypt the
session key. The recipient will then use the sender’s public key to decrypt the
session key. In this case the recipient will know for sure the message is from the
sender because the message was authenticated by using the sender’s public key to
decrypt the session key. There is no way any key other than the sender’s private
key can be used to encrypt the session key if the sender’s public key can decrypt
the session key. (PGPI)
PGP can also use certificates for a signature. This entails using a third party
for authenticating the sender’s identity. (PGPI) Using this method for authentication
PGP will use either a PGP certificate or an X.509 certificate. A PGP certificate is
basically a self-signed certificate. This is where users can provide authentication
to other users. This is a more informal certificate than a traditional certificate
in that these are validated by other users and not a formal certificate provider.
An X.509 certificate is based off the ITU standard. These certificates come from a
Certificate Authority (CA) and are normally reviewed and issued by a third party.
Conclusion
PGP is a very common and popular tool for sending encrypted E-Mail. It uses a
symmetrical session key to encrypt data for transport, and it can use
asymmetrical encryption for authentication and nonrepudiation. Its cryptosystem
is of a design common to many other application cryptosystems, and it was created
to give private citizens a chance to have private communications like government
private communications.
References
Harris, S. (2012). CISSP All-in-One Exam Guide (6th ed.). McGraw-Hill Education.
Conklin, W. A. (2010). Principles of Computer Security: Security+ and Beyond (2nd ed.).
McGraw-Hill Learning Solutions. VitalBook file.