Pretty Good Privacy (PGP)
LEE W. LERNER
PGP, or Pretty Good Privacy, is a security software application used for the encryption and decryption of data. In 1991, Philip R. Zimmermann wrote PGP for the purpose of sending secured data across an insecure network, such as the internet. Individuals, businesses, and governments use strong cryptography programs such as PGP to secure networks, emails, documents, and stored data.
PGP was originally designed as a combination of RSA encryption and a symmetric key cipher known as Bass-O-Matic. RSA is a public key cryptographic algorithm named after its designers Ronald Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm, developed in 1977 (earlier versions of which were partially developed by intelligence agencies), quickly became a major advancement in cryptology. The RSA algorithm depends upon the difficulty of factoring very large composite numbers and is currently the most commonly used encryption and authentication algorithm in the world. Forms of the RSA algorithm were used in the development of modern Internet web browsers, spreadsheets, email, and word processing programs.
Bass-O-Matic is a conventional (often referred to as symmetric) key algorithm. Bass-O-Matic was later replaced by another conventional key algorithm known as IDEA, which enabled more powerful encryption technology.
Conventional cryptology is based on the concept that one key is used in both the encryption and decryption process. The major benefit of conventional cryptology is the speed at which the encryption process takes place. Conventional encryption can be up to one thousand times faster than public key encryption. However, secure key distribution is a major problem in this form of cryptology.
In 1975, Whitfield Diffie and Martin Hellman developed public key cryptology to increase the security of exchanging keys. Each user of a public key based system has a public and a private key. First, the user publishes the public key to a server or contact. Next, the contact encrypts the message to the user's public key. Finally, the user employs the private key to decrypt the cipher text (encoded message) received. The combination of both public and conventional key cryptology makes PGP a hybrid cryptosystem. This allows PGP users to exchange keys securely while still transferring secured data quickly.
PGP follows a simple process when encrypting plaintext into cipher text. PGP first compresses the document to be encrypted. This saves modem transmission time and strengthens the cryptographic security of the plaintext. Next, PGP creates a session key. The key is a number derived from the random movements of the user's mouse and the keys that are typed. The key then works with a cryptographic algorithm to encrypt the plaintext. A cryptographic algorithm is a mathematical function in which a computable set of steps must be followed to achieve a desired result. The strength of this encryption is dependent on the strength of the algorithm.
After the data has been encrypted into cipher text, PGP encrypts the session key. The session key is encrypted to the recipient's public key. PGP uses digital certificates to prove the identity of a public key. The cipher text and encrypted session key are then transmitted to the recipient. When the recipient receives the data, PGP uses the user's private key to decrypt the session key. When PGP has recovered the session key, it can be used to decrypt the cipher text.
Though the plaintext has been recovered, there is still a question of authentication. PGP uses digital signatures to give the recipient of an encrypted message its origin and the identity of the sender. Digital signatures are created in the reverse of the way public key encryption works. The sender encrypts a digital signature with their private key and attaches it to the rest of the data transmitted. When the digital signature is received, PGP decrypts it with the sender's public key. Through this process, PGP is able to determine the authenticity of the signature.
Digital signatures produce large amounts of data, slowing transmission and processing speeds. PGP uses a hash function to regulate the amount of data sent. The hash function takes variable amounts of data (the size of the plaintext) and produces a fixed amount called a message digest. PGP then creates a digital signature with the message digest and the user's private key. The hash function also helps to prove the authenticity of the encryption. If the encryption is changed after this process takes place, an entirely new message digest is created. This allows PGP to detect tampering with the encryption.
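The hybrid encryption steps and the digest-based signature described above can be traced end to end in the following added example, which is not PGP's own code. It assumes textbook RSA without padding, constructed demo keys built from Mersenne primes (trivially factorable), and a SHA-256 keystream standing in for IDEA; all function and key names are hypothetical.

```python
import hashlib
import secrets
import zlib

def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two known primes; returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed demo keys: Mersenne primes make the moduli trivially factorable.
ALICE_PUB, ALICE_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)      # sender
BOB_PUB, BOB_PRIV = toy_keypair(2**1279 - 1, 2**2203 - 1)        # recipient

def stream_xor(key, data):
    """Stand-in symmetric cipher (not IDEA): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest(data):
    """Fixed-size message digest of variable-size data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(plaintext, sender_priv):
    n, d = sender_priv
    return pow(digest(plaintext), d, n)        # private-key operation on the digest

def verify(plaintext, signature, sender_pub):
    n, e = sender_pub
    return pow(signature, e, n) == digest(plaintext)

def encrypt(plaintext, recipient_pub):
    n, e = recipient_pub
    session_key = secrets.token_bytes(16)      # fresh random key for each message
    ciphertext = stream_xor(session_key, zlib.compress(plaintext))
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, ciphertext             # both are sent to the recipient

def decrypt(wrapped_key, ciphertext, recipient_priv):
    n, d = recipient_priv
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return zlib.decompress(stream_xor(session_key, ciphertext))

if __name__ == "__main__":
    msg = b"constructed sample message " * 8
    sig, (wrapped, ct) = sign(msg, ALICE_PRIV), encrypt(msg, BOB_PUB)
    print(verify(decrypt(wrapped, ct, BOB_PRIV), sig, ALICE_PUB))
```

Only the 16-byte session key goes through the slow public key operation; the message itself is handled by the fast symmetric cipher, and any change to the recovered plaintext yields a different digest so `verify` returns `False`.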
Although PGP encryption has been available to the general public for several years, debate regarding encryption technologies and national security issues, especially in the United States, has ensued. Many government officials argue that strong cryptography programs should not be exported outside the United States. Security algorithms used in PGP-type programs were classified as munitions by the United States government. As such, they remained subject to severe export control and restrictions that inhibited their widespread distribution and use. Due to these concerns, there are presently two available PGP applications: PGP and PGPi (international). Any user outside of the United States is currently required to utilize PGPi.
The National Institute of Standards and Technology (NIST) oversees the development of many cryptography standards. One such standard, developed by commercial entities and the United States National Security Agency (NSA) in the 1970s, was termed the Data Encryption Standard (DES). In anticipation of increasing security needs, in the late 1990s, NIST began to work toward the implementation of the Advanced Encryption Standard (AES) to replace DES.