What is PGP ?
PGP stands for 'Pretty Good Privacy.' Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted emails and encrypting sensitive files. Since its invention back in 1991, PGP has become the de facto standard for email security.
PGP is a protocol used for encrypting, decrypting and signing messages or files using a key pair. PGP is primarily used for encrypting communications at the Application layer, typically used for one-on-one encrypted messaging.
The popularity of PGP is based on two factors. The first is that the system was originally available as freeware, and so spread rapidly among users who wanted an extra level of security for their email messages. The second is that since PGP uses both symmetric encryption and public-key encryption, it allows users who have never met to send encrypted messages to each other without exchanging private encryption keys.
You may want to use PGP if you want to be certain that only the intended receiver can access your private message, thwarting the efforts of intercepting parties, or if you just want to verify the sender’s identity.
In fact, PGP is the most widely used email encryption system in the world. When you send messages using PGP encryption, no one can intercept and read your message in transit. PGP has been thoroughly field tested over its decades of use, its few vulnerabilities are well understood, and it has broad compatibility with other encryption clients.
-
There are different variations of PGP: OpenPGP, PGP and GPG, but they generally all do the same thing. Here is the quick introduction to these:
• PGP: Pretty Good Privacy, original proprietary protocol. It was released in 1991.
• OpenPGP: Pretty Good Privacy, but it is an open-source version, and it has become the universally-accepted PGP standard. It was released in 1997.
• GPG: GNU Privacy Guard, another popular solution that follows OpenPGP standards. It was released in 1999.
When someone says PGP, it is generally safe to assume that they are referring to the OpenPGP standard.
PGP shares some features with other encryption systems you may have heard of, like Kerberos encryption (which is used to authenticate network users) and SSL encryption (which is used to secure websites).
-
How does PGP work?
The first thing PGP does is generate a random session key. This key is an enormous number that is used to encrypt and decrypt the contents of the message. Your message is encrypted using this session key. Only someone who knows the session key can read the message, and it is much too large to guess. The session key is also never used again for other messages.
Next, the session key itself, is encrypted using the recipient’s public key. The public key is unique to each person and meant to be shared. Since it doesn’t change, your public key is like an email address. It is tied to you, and anyone can use it to send you an encrypted message.
Each person’s public key corresponds to their private key, which is secret. In PGP, when the recipient receives an encrypted message, they decrypt the session key using their private key. The plaintext session key then decrypts the message which can be read by the recipient.
-
You should understand what information you are sharing, how you can ensure integrity through signing and identity verification, and the confidentiality of said information. From a more administrative perspective, you also need to ensure the availability of information and operational resources. Right?
Let us now examine the CIA Triad, and related PGP characteristics:
Confidentiality: ensuring the confidentiality of information, such that only the rightful parties can examine view information
• PGP ensures confidentiality for messages, using encryption
• PGP ensures confidentiality for files, using encryption
Integrity: ensuring the legitimacy and completeness of a message, such that the information can be validated as legitimate
• PGP ensures integrity for messages, using message signing
• PGP ensures integrity for files and software packages, also using signatures
Availability: ensuring the accessibility of information, such that information is readily available to the appropriate parties
• PGP ensures availability by providing a globally-sharable public key
• PGP ensures availability with short-and-long key IDs
• PGP ensures availability of key information for verification purposes through public key servers
With respect to 'Availability,' PGP causes some issues:
1. PGP is slow; manually encrypting and decrypting messages with a client is slow
2. PGP is awkward; the fact of the matter is that PGP is awkward and clunky to use
3. Due to PGP availability being awkward and slow, many people choose to not use PGP
4. Despite being awkward and slow, PGP is still a universally-accepted standard for email encryption
In a real-life operational environment, you have no choice but to trade-offs between confidentiality, integrity, and availability. By assessing your needs and adversaries, you can create a threat model to meet your personalized circumstantial needs.
Well, there will be some overlap between confidentiality and integrity, so let’s clear this up:
• By encrypting a message or file, you increase the level of confidentiality
• By signing a message or file, you increase the level of integrity
• You can either encrypt a message or sign a message, or you can sign and encrypt a message.
Confidentiality is achieved when you are assured that your message is kept private, such that only the sender and receiver can read the message. In a PGP-encrypted conversation, no others can intercept the message in plaintext (provided you practice good OPSEC).
PGP allows you to encrypt/decrypt messages in the comfort of increased privacy and confidentiality, such that only the intended parties can view the messages.
-
PGP can be used for encrypting, decrypting and signing messages and files. We can use command flags and carefully craft our messages to mitigate unnecessary information sharing. Less information is better; we should do what we can to limit the accessibility of our keys and identity on a need-to-know basis.
To use PGP safely, we should have clear operational goals, understand the protocol itself, know our personalized threats and risk, build a threat model, and practice operational security accordingly. It can be easy to “mess up” when it comes to operational security, PGP rollout should be done with caution.
Please let me know of what do you think about this in the comment section. You can also share with all if the information shared here helps you in some manner.
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM