Pretty Good Privacy

(PGP)
Security for Electronic Email

1
There are two main schemes which are especially
designed to provide confidentiality and
authentication for electronic mail systems. These
are:

PGP
(Pretty Good Privacy)

S/MIME
(Secure/Multipurpose Internet Mail Extension)

2
 S/MIME
S/MIME uses public key certificates
conforming to standard X.509 and signed
by a certification agency. In other respects,
S/MIME is quite similar to PGP.
S/MIME is not studied in any detail on this
course and is not examinable.
Details of the scheme are available in
Chapter 5 of Stalling if you are interested.

3
 PGP
• Developed by Phil Zimmerman in 1995.
• Documentation and source code is freely
available.
• The package is independent of operating
system and processor.
• PGP does not rely on the “establishment”
and it’s popularity and use have grown
extensively since 1995.
4
• PGP combines the best available
cryptographic algorithms to achieve
secure e-mail communication.
• It is assumed that all users are using
public key cryptography and have
generated a private/public key pair.
• Either RSA (with RSA digital signatures)
or El Gamel (with DSA) can be used.
• All users also use a symmetric key system
such as triple DES or Rijndael.
5
 What does PGP do?

PGP offers 5 services:

1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation

6
 PGP Authentication
This is a digital signature scheme with
hashing.
1. Alice has (private/public) key pair (Ad/Ae)
and she wants to send a digitally signed
message m to Bob.
2. Alice hashes the message using SHA-1 to
obtain SHA(m).

7
3. Alice encrypts the hash using her private
key Ad to obtain ciphertext c given by
c=pk.encryptAd(SHA(m))

4. Alice sends Bob the pair (m,c)

5. Bob receives (m,c) and decrypts c using

Alice's public key Ae to obtain signature s
s=pk.decryptAe(c)

8
6. He computes the hash of m using SHA-1
and if this hash value is equal to s then the
message is authenticated.

Bob is sure that the message is correct and

that is does come from Alice. Furthermore
Alice cannot later deny sending the
message since only Alice has access to her
private key Ad which works in conjunction
with the public key Ae.
9
 PGP Confidentiality
1. Alice wishes to send Bob a confidential
message m.
2. Alice generates a random session key k for
a symmetric cryptosystem.
3. Alice encrypts k using Bob’s public key
Be to get
k’ = pk.encryptBe(k)

10
4. Alice encrypts the message m with the
session key k to get ciphertext c
c=sk.encryptk(m)

5. Alice sends Bob the values (k’,c)

6. Bob receives the values (k’,c) and
decrypts k’ using his private key Bd to
obtain k
k=pk.decryptBd(k’)

11
7. Bob uses the session key k to decrypt the
ciphertext c and recover the message m
m=sk.decryptk(c)

Public and symmetric key cryptosystems

are combined in this way to provide
security for key exchange and then
efficiency for encryption. The session key
k is used only to encrypt message m and is
not stored for any length of time.
12
 PGP Authenticaton and Confidentiality
(at the same time)
The schemes for authentication and
confidentiality can be combined so that
Alice can sign a confidential message
which is encrypted before transmission.
The steps required are as follows:
1. Alice generates a signature c for her
message m as in the Authentication scheme
c=pk.encryptAd(SHA(m))

13
2. Alice generates a random session key k
and encrypts the message m and the
signature c using a symmetric
cryptosystem to obtain ciphertext C
C=sk.encryptk(m,c)
4. She encrypts the session key k using Bob’s
public key
k’ = pk.encryptBe(k)

5. Alice sends Bob the values (k’,C)

14
6. Bob recieves k’ and C and decrypts k’
using his private key Bd to obtain the
session key k
k=pk.decryptBd(k’)

7. Bob decrypts the ciphertext C using the

session key k to obtain m and c
(m,c) = sk.decryptk(C)

15
8. Bob now has the message m. In order to
authenticate it he uses Alice’s public key
Ae to decrypt the signature c and hashes
the message m using SHA-1.
If SHA(m) = pk.decryptAe(c)
Then the message is authenticated.

16
 PGP Compression
PGP can also compress the message if
desired. The compression algorithm is ZIP
and the decompression algorithm is
UNZIP.

1. The original message m is signed as

before to obtain
c=pk.encryptAd(SHA(m))
17
2. Now the original message m is
compressed to obtain
M=ZIP(m)

3. Alice generates a session key k and

encrypts the compressed message and the
signature using the session key
C=sk.encryptk(M,c)
4. The session key is encrypted using Bob’s
public key as before.
18
5. Alice sends Bob the encrypted session key
and ciphertext C.
6. Bob decrypts the session key using his
private key and then uses the session key
to decrypt the ciphertext C to obtain M
and c
(M,c) = sk.decryptk(C)
7. Bob decompresses the message M to
obtain the original message m
m=UNZIP(M)

19
8. Now Bob has the original message m and
signature c. He verifies the signature using
SHA-1 and Alice’s public key as before.

Note that the compression is applied after

signing (due to implementation of ZIP)
but before encryption (this strengthens
the security of the scheme since the
message has less redundancy after
compression)

20
 PGP E-Mail Compatibility
Many electronic mail systems can only
transmit blocks of ASCII text. This can
cause a problem when sending encrypted
data since ciphertext blocks might not
correspond to ASCII characters which can
be transmitted.
PGP overcomes this problem by using
radix-64 conversion.
21
 Radix-64 conversion
Suppose the text to be encrypted has been
converted into binary using ASCII coding
and encrypted to give a ciphertext stream of
binary.
Radix-64 conversion maps arbitrary binary
into printable characters as follows:

22
 Radix-64 conversion
1. The binary input is split into blocks of 24
bits (3 bytes).
2. Each 24 block is then split into four sets
each of 6-bits.
3. Each 6-bit set will then have a value
between 0 and 26-1 (=63).
4. This value is encoded into a printable
character.
23
6 bit Character 6 bit Character 6 bit Character 6 bit Character
value encoding value encoding value encoding value encoding
0 A 16 Q 32 g 48 w
1 B 17 R 33 h 49 x
2 C 18 S 34 i 50 y
3 D 19 T 35 j 51 z
4 E 20 U 36 k 52 0
5 F 21 V 37 l 53 1
6 G 22 W 38 m 54 2
7 H 23 X 39 n 55 3
8 I 24 Y 40 o 56 4
9 J 25 Z 41 p 57 5
10 K 26 a 42 q 58 6
11 L 27 b 43 r 59 7
12 M 28 c 44 s 60 8
13 N 29 d 45 t 61 9
14 O 30 e 46 u 62 +
15 P 31 f 47 v 63 /
(pad) =

24
 PGP Segmentation
Another constraint of e-mail is that there is
usually a maximum message length.
PGP automatically blocks an encrypted
message into segments of an appropriate
length.
On receipt, the segments must be re-
assembled before the decryption process.

25
 Key Issues
1. Key Generation
Recall that a new session key is required
each time a message is encrypted. How
are these keys generated?

PGP uses the timing of key strokes and

key patterns to generate random numbers.
26
2. Key Identifiers

PGP allows users to have more than

one public/private key pair
 To increase security
 To ease the key changeover period
So how does Bob know which set of
keys he should be using?

27
• In the case of encryption, (Alice uses Bob’s
public key) Alice can send Bob the public
key with the message since this is not secret
(in fact Alice only sends the 64 least
significant bits so that Bob can identify the
key).
• In the case of digital signatures Alice uses
her private key and Bob uses Alice’s
corresponding public key. Alice cannot
send Bob her private key, but she can look
up the corresponding public key and send
the 64 least significant bits of that.
28
 So a PGP message might consist of:

• Message component – the actual data to be

transmitted + a filename + a timestamp;
• Signature component – timestamp + hash of
message and timestamp + first part of
message (so user can check that they are
decrypting correctly) + Key ID of sender’s
public key
• Session Key component – session key + key
ID of recipient’s public key
29