Pretty Good Privacy (PGP)

4. Pretty Good Privacy (PGP)

Pretty Good Privacy is a computer program that provides cryptographic privacy and authentication, created by Philip Zimmermann in 1991. PGP is a Windows tool commonly used to encrypt files, apply digital signatures and enforce integrity. PGP and other similar products follow the OpenPGP standard for encrypting and decrypting data.

PGP encryption uses public-key cryptography and includes a system, the web of trust, which binds public keys to their owners. The web of trust has made PGP widespread because it is easy, fast and inexpensive to use. It differs from a trust chain: a trust chain is hierarchical, whereas in the web of trust the trust relationships between users form a web.

PGP supports message authentication and integrity checking. The model works as long as we are sure that the public key used to send the message actually belongs to the intended addressee. We have to put our own trust in that binding because there is no CA confirming it.

OpenPGP is a set of standards which describes the formats for encrypted messages, keys, and digital signatures. GnuPG (GPG) is an open-source GPL implementation of the standards, and is the usual implementation found on GNU/Linux systems. Most of what you read about PGP also applies to GnuPG.

A PGP key has several parts:

  1. Name of its owner

  2. Numerical value(s) comprising the key

  3. What the key is to be used for (e.g. signing, encryption)

  4. The algorithm the key is to be used with (e.g. ElGamal, DSA, RSA)

  5. An expiration date (possibly)

Those fields are similar to those of an X.509 certificate. But a PGP key is not a certificate (no one has signed it yet).
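The parts listed above can be read back from a keyring through GnuPG's machine-readable listing. The following Python code is an added example, not part of the original page: it parses constructed sample output of `gpg --list-keys --with-colons` (the key IDs, names and dates are made up) and assumes the GnuPG 2.x field layout with timestamps in epoch seconds.

```python
from datetime import datetime, timezone

# Public-key algorithm IDs defined by OpenPGP (RFC 4880, section 9.1).
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}
# Capability letters gpg prints in field 12 of a pub/sub record.
USES = {"s": "signing", "e": "encryption", "c": "certification", "a": "authentication"}

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE = """\
pub:u:3072:1:AAAAAAAAAAAAAAAA:1600000000:1700000000::u:::scESC:
uid:u::::1600000000::::Alice Example <alice@example.org>::
sub:u:3072:1:BBBBBBBBBBBBBBBB:1600000000:1700000000:::::e:
pub:-:1024:17:CCCCCCCCCCCCCCCC:1000000000:::-:::scSC:
uid:-::::1000000000::::Bob Example <bob@example.org>::
sub:-:2048:16:DDDDDDDDDDDDDDDD:1000000000::::::e:
"""

def parse_keys(colon_text):
    """Return one dict per pub/sub record: owner, key size, usage, algorithm, expiry."""
    keys, owner_of, primary = [], {}, None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                      # subkeys and user IDs that follow belong to it
        if f[0] in ("pub", "sub"):
            keys.append({
                "keyid": f[4], "primary": primary, "bits": int(f[2]),
                "algorithm": ALGOS.get(f[3], "algo " + f[3]),
                # Lower-case letters are the capabilities of this particular key.
                "uses": [USES[c] for c in f[11] if c in USES],
                # An empty field 7 means the key has no expiration date.
                "expires": datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None,
            })
        elif f[0] == "uid":
            owner_of.setdefault(primary, f[9])  # first user ID names the owner
    for k in keys:
        k["owner"] = owner_of.get(k["primary"])
    return keys

def expired_keyids(keys, now):
    """Key IDs whose expiration date has passed at time `now` (timezone-aware)."""
    return [k["keyid"] for k in keys if k["expires"] and k["expires"] <= now]

if __name__ == "__main__":
    for key in parse_keys(SAMPLE):
        print(key)
```

Note that the owner name comes from a separate `uid` record and that signing and encryption are usually carried by different keys (primary key and subkey) under one owner.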

When using PGP, you will need to store:

  • Your own secret key (this will be stored encrypted with a passphrase)

  • Your own public key and the public keys of your friends and associates (stored in the clear)

The PGP software puts them in a file, called your keyring. Your private keys are kept in a file, encrypted with a passphrase. Public keys don't have to be protected. The keyring also contains copies of other people's public keys which are trusted by you.

PGP can digitally sign a document, or more precisely a digest (e.g. SHA-1) of the document.

This is because:

  • It is more efficient; it only has to sign 160 bits instead of your whole message (remember that public-key crypto is expensive)

  • It means that the signature is a manageable length (160 bits can be represented easily in hex)

If you want to encrypt a message, PGP will first generate a symmetric key and then encrypt the symmetric key with the public key. The actual message is then encrypted with the symmetric key. This is much more efficient, and it allows the same message to have many addressees by encrypting the symmetric key with each addressee's public key.

Thus, PGP puts together the ideas of symmetric-key encryption, public-key encryption, and hash functions, and also text compression, in a practical and usable way to enable you to sign and/or encrypt email.

The algorithms PGP uses are:

  • RSA, DSS, Diffie-Hellman for public-key encryption

  • 3DES, IDEA, CAST-128 for symmetric-key encryption

  • SHA-1 for hashing

  • ZIP for compression
