Pretty Good Privacy(PGP)encryptionprogramprovidescryptographicprivacyand
authenticationfordatacommunication.PGPisusedforsigning,encrypting,and decryptingtexts,e-mails,files,directories,andwholediskpartitionsandtoincreasethe securityofe-mailcommunications. developed by Phil Zimmermann, who selected best available cryptographic algorithms :
RSA, DSS, and Diffie-Hellman for public-key encryption;
CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding integrated into a general-purpose application
using simple and small commands (independent of OS and processors)
that can be implemented on Unix, PC, Macintosh and other systems made the package and its documentation, including the source code, freely available. did agreement with a company (PGP Inc., Network Associates, PGP Corp.
and now Symantec) to provide a fully compatible, low-cost commercial version
of PGP. Some PGP compliant free products are Open PGP, Gnu Privacy Guard (GPG) etc. PGP Services entire PGP operation provides four services - authentication, confidentiality, The compression, and e-mail compatibility. PGP Authentication 1. sender creates message 2. make SHA-1 160-bit hash of message 3. attached RSA signed hash to message 4. receiver decrypts & recovers hash code 5. receiver verifies received message hash PGP Confidentiality 1. sender forms 128-bit random session key 2. encrypts message with session key 3. attaches session key encrypted with RSA 4. receiver decrypts & recovers session key 5. session key is used to decrypt message Confidentiality & Authentication can use both services on the same message create signature & attach to message encrypt both message & signature attach RSA/ElGamal encrypted session key PGP Compression by default PGP compresses message after signing but before encrypting o so can store uncompressed message & signature for later verification o & because compression is non deterministic uses ZIP compression algorithm ZIP Example The example text is 53 octets (= 424) bits long. each character is mapped into a 9-bit pattern (a binary 1 + 8-bit ASCII) look for repeated sequences; continue scanning until the repetition ends. the first such sequence is the brown fox, it is replaced by a pointer to the prior sequence (26 character positions earlier) and length of the sequence (13 characters). Encoding options; an 8-bit pointer and a 4-bit length (denoted by header 00), or a 12-bit pointer and a 6-bit length (denoted by 01). the second the brown fox is encoded as <00b> <26d> <13d> , or 0000011010 1101, and the sequence jump is encoded as <00b ><27d ><5d >. The compressed message consists of 35 9-bit characters and 2 14-bit codes totalling 343 bits, hence a compression ratio of 1.24 is achieved. PGP Email Compatibility when using PGP, emails have binary data to send (encrypted message etc) however email was designed only for text hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC
PGP also segments messages if too big
PGP Operation Summary Pretty Good Privacy (PGP) What is PGP?
Pretty Good Privacy or PGP is a popular program
used toencryptand decryptemailover the Internet, as well as authenticate messages with digital signaturesand encrypted stored files. Previously available asfreewareand now only available as a low-cost commercial version, PGP was once the most widely used privacy-ensuring program by individuals and is also used by many corporations. It was developed by Philip R. Zimmermann in 1991 and has become a de facto standard for email security. How PGP works Pretty Good Privacy uses a variation of thepublic keysystem. In this system, each user has an encryptionkeythat is publicly known and aprivate keythat is known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryptionalgorithmto encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message. PGP comes in two public key versions --Rivest-Shamir-Adleman(RSA) andDiffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses theIDEAalgorithm to generate a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key. When sending digital signatures, PGP uses an efficient algorithm that generates ahash(a mathematical summary) from the user's name and other signature information. This hash code is then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt the hash code. If it matches the hash code sent as the digital signature for the message, the receiver is sure that the message has arrived securely from the stated sender. PGP's RSA version uses the MD5algorithm to generate the hash code. PGP's Diffie-Hellman version uses the SHA-1 algorithm to generate the hash code. Getting PGP To use Pretty Good Privacy, download or purchase it and install it on your computer system. It typically contains auser interfacethat works with your customary email program. You may also need to register the public key that your PGP program gives you with a PGP public-key server so that people you exchange messages with will be able to find your public key. PGP freeware is available for older versions of Windows, Mac, DOS, Unix and other operating systems. In 2010, Symantec Corp. acquired PGP Corp., which held the rights to the PGP code, and soon stopped offering a freeware version of the technology. The vendor currently offers PGP technology in a variety of its encryption products, such as Symantec Encryption Desktop, Symantec Desktop Email Encryption and Symantec Encryption Desktop Storage. Symantec also makes the Symantec Encryption Desktopsource code available for peer review. Though Symantec ended PGP freeware, there are other non-proprietary versions of the technology that are available. OpenPGP is an open source version of PGP that's supported by theInternet Engineering Task Force(IETF). OpenPGP is used by several software vendors, including as Coviant Software, which offers a free tool for OpenPGP encryption, and HushMail, which offers a Web-based encrypted email service powered by OpenPGP. In addition, the Free Software Foundation developed GNU Privacy Guard (GPG), an OpenPGG-compliant encryption software. Where can you use PGP? Pretty Good Privacy can be used to authenticate digital certificates and encrypt/decrypt texts, emails, files, directories and whole disk partitions. Symantec, for example, offers PGP-based products such as Symantec File Share Encryption for encrypting files shared across a network and Symantec Endpoint Encryption for full disk encryption on desktops, mobile devices and removable storage. In the case of using PGP technology for files and drives instead of messages, the Symantec products allows users to decrypt and re-encrypt data via asingle sign-on . Originally, the U.S. government restricted the exportation of PGP technology and even launched a criminal investigation against Zimmermann for putting the technology in the public domain (the investigation was later dropped). Network Associates Inc. (NAI) acquired Zimmermann's company, PGP Inc., in 1997 and was able to legally publish the source code (NAI later sold the PGP assets and IP to ex-PGP developers that joined together to form PGP Corp. in 2002, which was acquired by Symantec in 2010). Today, PGP encrypted email can be exchanged with users outside the U.S if you have the correct versions of PGP at both ends. There are several versions of PGP in use. Add-ons can be purchased that allow backwards compatibility for newer RSA versions with older versions. However, the Diffie-Hellman and RSA versions of PGP do not work with each other since they use different algorithms. There are also a number of technology companies that have released tools or services supporting PGP. Google this year introduced an OpenPGP email encryption plug-in for Chrome, while Yahoo also began offering PGP encryption for its email service.