Pretty Good Privacy (PGP)

views updated May 17 2018

Pretty Good Privacy (PGP)

█ LEE W. LERNER

PGP, or Pretty Good Privacy, is a security software application used for the encryption and decryption of data. In 1991, Philip R. Zimmermann wrote PGP for the purpose of sending secured data across an insecure network, such as the internet. Individuals, businesses, and governments use strong cryptography programs such as PGP to secure networks, emails, documents, and stored data.

PGP was originally designed as a combination of RSA encryption and a symmetric key cipher known as Bass-OMatic. RSA is a public key cryptographic algorithm named after its designers Ronald Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm, developed in 1977 (earlier versions of which were partially developed by intelligence agencies), quickly became a major advancement in cryptology. The RSA algorithm depends upon the difficulty in factoring very large composite numbers and is currently the most commonly used encryption and authentication algorithm in the world. The RSA algorithm forms were used in the development of modern Internet web browsers, spreadsheets, email, and word processing programs.

Bass-O-Matic is a conventional (often referred to as symmetric) key algorithm. Bass-O-Matic was later replaced by another conventional key algorithm known as IDEA, which enabled more powerful encryption technology.

Conventional cryptology is based on the concept that one key is used in both the encryption and decryption process. The major benefit of conventional cryptology is the speed in which the encryption process takes place. Conventional encryption can be up to one thousand times faster than public key encryption. However, secure key distribution is a major problem in this form of cryptology.

In 1975, Whitfield Diffie and Martin Hellman developed public key cryptology to increase the security of exchanging keys. Each user of a public key based system has a public and private key. First, the user publishes the public key to a server or contact. Next, the contact encrypts the message to the user's public key. Finally, the user employs the private key to decrypt the cipher text (encoded message) received. The combination of both public and conventional key cryptology makes PGP a hybrid cryptosystem. This allows for users of PGP to be able to securely exchange keys and still have a speedy transaction of secured data.

PGP follows a simple process when encrypting plaintext into cipher text. PGP first compresses the document desired for encryption. This saves modem transmission time and strengthens the cryptographic security of the plaintext. Next, PGP creates a session key. The key is a number correlating to the random movements of the user's mouse and the keys that are typed. The key then works with a cryptographic algorithm to encrypt the plaintext. A cryptographic algorithm is a mathematical function in which a computable set of steps must be followed to achieve a desired result. The strength of this encryption is dependent on the strength of the algorithm.

After the data has been encrypted into cipher text, PGP encrypts the session key. The session key is encrypted to the recipient's public key. PGP uses digital certificates to prove the identity of a public key. The cipher text and encrypted session key are then transmitted to the recipient. When the recipient receives the data, PGP uses the user's private key to decrypt the session key. When PGP has recovered the session key, it can be used to decrypt the cipher text.

Though the plaintext has been recovered, there is still a question of authentication. PGP uses digital signatures to provide the recipient of an encryption with an origin and identification. Digital signatures are created in the opposite way a public cryptography system works. The sender encrypts a digital signature with their private key and attaches it to the rest of the data transmitted. When the digital signature is received, PGP decrypts it with the sender's public key. Through this process, PGP is able to determine the authenticity of the signature.

Digital signatures produce large amounts of data, slowing transmission and processing speeds. PGP uses a hash function to regulate the amount of data sent. The hash function takes variable amounts of data (the size of the plaintext) and produces a fixed amount called a message digest. PGP then creates a digital signature with the message digest and the user's private key. The hash function also helps to prove the authenticity of the encryption. If the encryption is changed after this process takes place, an entirely new message digest is created. This allows for PGP to detect encryption tampering.

Although PGP encryption has been available to the general public for several years, debate regarding encryption technologies and national security issues, especially in the United States, has ensued. Many government officials argue that strong cryptography programs should not be exported outside the United States. Security algorithms used in PGP type programs were classified as munitions by the United States government. As such, they remained subject to severe export control and restrictions that inhibited their widespread distribution and use. Due to these concerns, there are presently two available PGP applications: PGP and PGPi (international). Any user out-side of the United States is currently required to utilize PGPi.

The National Institute of Standards and Technology (NIST), oversees the development of many cryptography standards. One such standard, developed by commercial entities and the United States National Security Agency (NSA) in the 1970s was termed the Data Encryption Standard (DES). In anticipation of increasing security needs, in the late 1990s, NIST began to work toward the implementation of the Advanced Encryption Standard AES to replace DES.

█ FURTHER READING:

BOOKS:

Kaufman, Charles, et. el. Network Security: Private Communication in a Public World, 2nd. ed. Upper Saddle River, NJ: Prentice Hall, 2002.

Stallings, William. Cryptography and Network Security: Principles and Practice, 3rd. ed. Upper Saddle River, NJ: Prentice Hall, 2002.

Zimmerman, Phillip. The Official PGP User's Guide Cambridge, MA: MIT Press, 1995.

Pretty Good Privacy (PGP)

views updated May 11 2018

PRETTY GOOD PRIVACY (PGP)

Pretty Good Privacy (PGP), one of the leading data encryption protocols, was launched in 1991 by cryptographer Philip Zimmerman, who founded Pretty Good Privacy Inc. around his encryption algorithm in 1996. PGP was designed to protect the civil liberties of those communicating over the Internet by utilizing a mathematical code, or algorithm, to scramble information in such a way that only authorized parties could decode it. Not only was PGP widely used in e-mail transactions in the United States and other relatively stable countries for the purpose of securing day-to-day communications, it was also employed in highly sensitive areas, such as Sarajevo, Kosovo, and Guatemala, for the protection of data from hostile governmental or police forces. In a way, such uses fulfilled the original intentions of Zimmerman and PGP: to safeguard information from governmental intrusion.

Since World War II, the U.S. government, particularly the National Security Agency (NSA), has been at the forefront in developing encryption schemes, primarily to safeguard sensitive government-and security-related information, including secrets procured by U.S. spies. As private cryptographers pursued their own encryption schemes for use in the private sector, however, the U.S. government protested, and fought for years to keep advanced encryption algorithms under wraps. Zimmerman was among the cryptographers leading the fight against the NSA to open up the field of cryptography to the public. Zimmerman began work on what would become PGP in 1984, and spent the late 1980s perfecting his mathematical algorithm.

The U.S. government didn't take kindly to PGP at first. Zimmerman spent the early 1990s locking horns with the United States Department of Justice to open up the field of e-mail encryption, as part of a broader effort by cryptographers to force the government to open the doors to greater use and trade of encryption tools and schemes. In 1993 the Justice Department began investigating Zimmerman for violation of export restrictions on encryption technologies. After much bitter fighting, the government backed off three years later, signaling a shifting mood in the government toward a realization that encryption schemes were going to proliferate and were in fact important for the development of e-commerce.

The first personal-security software designed for the personal computer, PGP employed 56-bit encryption, which was at the time the strongest encryption available to the private sector. PGP not only boasted message encryption capability, but also featured digital signatures and data compression. PGP utilizes public-key cryptography, in which a private key, or source code for encrypting messages, is held by the PGP user, and a public key is openly available for anyone who wishes to send an encrypted message to that user. To broadcast the public key, the user simply sends it to one of PGP's servers. To send a message to a PGP user, one encrypts it with that user's public key; then, using the unique private key, the user decrypts the message to read it. Only when the public key interacts with the private key through the use of a password will the message unlock. PGP was available as freeware to noncommercial users, while the program itself usually had to be installed on individual computers, although it was increasingly accessible on a central PGP server.

Zimmerman sold the rights to PGP in 1997 to Network Associates, Inc., which he then joined as a consultant, and continued to play a role in PGP's development. Following NAI's acquisition, PGP Inc. was renamed PGP Security and branched out into constructing enterprise applications around the code, which the company continued to revise and release to the public as freeware. By the early 2000s, however, Zimmerman was concerned that the future of PGP as a freeware program may be limited, his concern sparked particularly by NAI's decision in 2001 to withhold the source code of its latest PGP version 7.0.3 from the public; the source code of all previous versions were freely available. For its part, NAI insisted it had no plans to discontinue its PGP freeware. At any rate, Zimmerman chose to leave NAI in February 2001 to join a rival firm, the Irish company Hush, convinced that NAI wouldn't continue to develop PGP in the manner Zimmerman most desired.