Pretty Good Privacy

INTRODUCTION
Created by Philip Zimmermann in 1991, PGP is a freely available and redistributable program for [authentication] and cryptographic privacy. As the name itself is Pretty Good Privacy, its fundamental work is to grant privacy to e-mails and data files by signing, encrypting and decrypting them.
[Image]



Hashing, data compression and public key cryptography are used in a serial combination, with each step involving numerous algorithms. PGP is hence a hybrid cryptosystem as it combines some of the best features of both conventional and public key cryptography



[Image]

The initial version of PGP was generally known as Web of Trust (WOT). This protocol was first described by Zimmermann in 1992 in the manual for PGP version 2.0:


[Image]


WORKING
Its working is powered by public key cryptography and is able to run and perform on virtually every platform (MS-DOS, Amiga, Atari ST and UNIX).

[Image]

Once you have used a PGP key to “lock” a file or an electronic mail message, you, or the recipient of your message, must use a corresponding key to “unlock” it.


ENCRYPTION
When a user encrypts plaintext with PGP, PGP first compresses the plaintext. This saves modem transmission time, disk space and strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby enhancing resistance to cryptanalysis.

PGP then creates a session key, which is a one-time-only secret key. It is a random number generated from the random movements of mouse and keystrokes. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is cipher text.

Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This public key-encrypted session key is transmitted along with the cipher text to the recipient.

[Image]

How PGP encryption works


DECRYPTION
Decryption works in the reverse. The recipient’s copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted cipher text.

The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption.

Conventional encryption is about 1, 000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.

[Image]
How PGP decryption works


PGP Certificate Format
PGP recognizes two different certificate formats:
PGP certificates
X.509 certificates

PGP certificate format:
A PGP certificate includes (but is not limited to) the following information:
The PGP version numberthis identifies which version of PGP was used to create the key associated with the certificate.
The certificate holder’s public keythe public portion of your key pair, together with the algorithm of the key: RSA, DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).
The certificate holder’s information this consists of “identity” information about the user, such as his or her name, user ID, photograph, and so on.
The digital signature of the certificate owner also called a self-signature, this is the signature using the corresponding private key of the public key associated with the certificate.
The certificate’s validity period the certificate’s start date/ time and expiration date/ time; indicates when the certificate will expire.
The preferred symmetric encryption algorithmfor the keyindicates the encryption algorithm to which the certificate owner prefers to have information encrypted. The supported algorithms are CAST, IDEA or Triple-DES.

X.509 certificate format:
X.509 is another very common certificate format. All X.509 certificates comply with the ITU-T X.509 international standard; thus (theoretically) X.509 certificates created for one application can be used by any application complying with X.509.
It is a collection of a standard set of fields containing information about a user or device and their corresponding public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:
The X.509 version numberthis identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. The most current is version 3.
The certificate holder’s public keythe public key of the certificate holder, together with an algorithm identifier which specifies which cryptosystem the key belongs to and any associated key parameters.
The serial number of the certificatethe entity (application or person) that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL.
The certificate holder’s unique identifier(or DN — distinguished name). This name is intended to be unique across the Internet. This name is intended to be unique across the Internet.

A DN consists of multiple subsections and may look something like this:
The certificate’s validity periodthe certificate’s start date/ time and expiration date/ time; indicates when the certificate will expire.
The unique name of the certificate issuerthe unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
The digital signature of the issuerthe signature using the private key of the entity that issued the certificate.
The signature algorithm identifieridentifies the algorithm used by the CA to sign the certificate.


PGP Components
The PGP 8.0 setup routine will allow you to install PGP components such as PGPdisk and email plug-ins that are available only to licensed users of PGP 8.0 Personal, not to users of PGP 8.0 Freeware. If you installed those additional components but do not have a PGP 8.0 Personal license, those components will appear within PGP, but will not be available for use.
· PGPdisk
· Email Plug-ins
· Restricted Access to Components


Levels
A trust signature indicates both that the key belongs to its claimed owner and that the owner of the key is trustworthy to sign other keys at one level below their own.
A level 0 signature is comparable to a web of trust signature since only the validity of the key is certified.
A level 1 signature is similar to the trust one has in a certificate authority because a key signed to level 1 is able to issue an unlimited number of level 0 signatures.
A level 2 signature is highly analogous to the trust assumption users must rely on whenever they use the default certificate authority list (like those included in web browsers); it allows the owner of the key to make other keys certificate authorities.

PGP versions have always included a way to cancel (‘revoke’) identity certificates. A lost or compromised private key will require this if communication security is to be retained by that user. This is, more or less, equivalent to the certificate revocation lists of centralized PKI schemes. Recent PGP versions have also supported certificate expiration dates.

Security Quality
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means.




Basic steps for using PGP (as seen here)
INSTALLING
Download and install PGP with the freeware license agreement, click ‘NO’ for the use of existing keyrings and finish the wizard. Now in the Key Generation Wizard, Click Next. Choose Custom and type in 4096 and click Next again. The only time you’d want a key smaller than that is if have a very old and very slow computer. Even then I still wouldn’t choose anything under 2048.
Choose whether to have the key expire or not (the normal way is to not expire) and click Next. Choose a passphrase (a password) then click Next.

It will generate a key pair. One is the public key that you can give to anybody. The other is the private key which is a secret with you. Click Next.
Check-mark “Send my key to the root server now” and then click Next. Click Finish. Installation is now complete!

Reboot the machine. Now open Outlook Express. Click on Tools menu. If you see PGP at the bottom of the menu, means it worked!

IMPLEMENTING
Exchange public keys with others. After you have created a key pair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours.

Validate public keys. Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.

Encrypt and sign your email and files. After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing email messages and files. PGP works on the data generated by other applications. Therefore the appropriate PGP functions are designed to be immediately available to you based on the task you are performing at any given moment. There are several ways to encrypt and sign with PGP:
• From the System tray (PGPtray). PGPtray includes utilities to perform cryptographic tasks on data on the Clipboard or in the current window.
• From within supported email applications (PGP email plug-ins). The plug-ins enable you to secure your email from within the supported email application.
• From PGPtools. PGPtools enables you to perform cryptographic tasks within applications not supported by plug-ins, plus other security tasks, such as wiping files from your disk.
• From the Windows Explorer File menu. You can encrypt and sign or decrypt and verify files such as word processing documents, spreadsheets and video clips directly from the Windows Explorer.

Decrypt and verify your email and files. When someone sends you encrypted data, you can unscramble the contents and verify any appended signature to make sure that the data originated with the alleged sender and that it has not been altered.
• If you are using an email application that is supported by the plug-ins, you can decrypt and verify your messages by selecting the appropriate options from your application’s tool bar.
• If your email application is not supported by the plug-ins, you can copy the message to the clipboard and perform the appropriate functions from there. If you want to decrypt and verify files, you can do so from the Clipboard, Windows Explorer, or by using PGPtools. You can also decrypt encrypted files stored on your computer, and verify signed files to ensure that they have not been tampered with.
Wipe files. When you need to permanently delete a file, you can use the Wipe feature to ensure that the file is unrecoverable. The file is immediately overwritten so that it cannot be retrieved using disk recovery software.



Some reference:
PGP International Homepage:
http://pgpi.org


The GNU project has published a PGP implementation compatible with the signatures posted on writelog.com:
The command line version for Microsoft Windows does everything necessary:
http://www.gnupg.org/download/index.en.html
Advertisements

One thought on “Pretty Good Privacy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s