Pretty good privacy email system


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

1. Introduction

PGP is a widely used secure e-mail system. When an e-mail message is sent between two distant sites, it will generally transit dozens of machines on the way. Any of these can read and record the message for future use. In practice, privacy is nonexistent, despite what many people think. Nevertheless, many people would like to send e-mail that can be read by the intended recipient and no one else: not their boss and not even their government. This desire has stimulated several people and groups to apply cryptographic principles to e-mail to produce secure e-mail systems, and PGP is one of them. In this essay we will study the PGP system.

Before looking at the PGP system, we will look at the main principle behind it: cryptography.

2. Cryptography

Cryptography comes from the Greek words for "secret writing". It is the art and science of creating messages that have some combination of being private, signed, and unmodified with non-repudiation. It is also known as the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.

Importance of Cryptography

In the information age, cryptography has become one of the major methods for protection in all applications.

Cryptography allows people to carry over the confidence found in the physical world to the electronic world. It allows people to do business electronically without worries of deceit and deception. In the distant past, cryptography was used to assure only secrecy. Wax seals, signatures, and other physical mechanisms were typically used to assure integrity of the message and authenticity of the sender.

When people started doing business online and needed to transfer funds electronically, the applications of cryptography for integrity began to surpass its use for secrecy. Hundreds of thousands of people interact electronically every day, whether it is through e-mail, e-commerce (business conducted over the Internet), ATM machines, or cellular phones. The constant increase of information transmitted electronically has led to an increased reliance on cryptography and authentication.

During and before World War II, the main applications of cryptography were military. Both coding theory and cryptography originated with the seminal work of Claude Shannon in 1948. With the spread of computers and electronic communications after the war, the use of cryptographic schemes for passwords, banking transactions and various aspects of computer security proliferated. So did the uses of error-correcting codes in radio based communication systems and satellite communications. These uses and the evolving theory of codes generated much mathematical activity.

3. PGP- Pretty Good Privacy

PGP, an application and protocol (RFC 2440) for secure e-mail and file encryption, is essentially the brainchild of one person, Phil R. Zimmermann. Released in 1991, PGP is a complete e-mail security package that provides privacy, authentication, digital signatures, and compression, all in an easy-to-use form. Originally published as freeware, the source code has always been available for public review. PGP encryption uses a variety of algorithms such as IDEA, RSA, DSA, MD5 and SHA-1 for providing encryption, authentication, message integrity, and key management. PGP encryption is based on the "Web-of-Trust" model and has worldwide deployment.

3.1 PGP - Working

PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.)

PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.
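
The hybrid flow described in this section, as an added Python example that is not part of the original essay or PGP's own code. The RSA key built from two Mersenne primes, the SHA-256 keystream standing in for the conventional cipher, and the function names are assumptions chosen so it runs with the standard library only; none of them is fit for real use.

```python
import hashlib
import secrets
import zlib

# Constructed demo key pair: textbook RSA (no padding) over two well-known
# Mersenne primes. Far too weak and structured for real use; it only lets
# the example run offline without third-party libraries.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def keystream_xor(key, data):
    """Stand-in conventional cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(plaintext, public_key):
    n, e = public_key
    compressed = zlib.compress(plaintext)            # 1. compress first
    session_key = secrets.token_bytes(16)            # 2. one-time key (OS CSPRNG)
    body = keystream_xor(session_key, compressed)    # 3. fast symmetric step
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 4. wrap the key
    return wrapped, body                             # both travel to the recipient

def hybrid_decrypt(wrapped, body, private_key):
    n, d = private_key
    # Recover the session key with the private key, then undo steps 3 and 1.
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return zlib.decompress(keystream_xor(session_key, body))

if __name__ == "__main__":
    message = b"Meet at the usual place at noon. " * 20   # constructed sample
    wrapped, body = hybrid_encrypt(message, PUBLIC_KEY)
    print(len(message), "plaintext bytes ->", len(body), "ciphertext bytes")
    print("round trip ok:", hybrid_decrypt(wrapped, body, PRIVATE_KEY) == message)
```

Encrypting the same message twice yields a different wrapped key and a different body each time, because the session key is fresh per message.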

3.2 PGP- Security

Used in the right context, PGP, GnuPG, and other modern OpenPGP implementations can be considered military strength. That context includes:

Lengthy public/private key pair: Larger keys require more processing time for encryption and decryption, but offer better security. For most purposes, 1,024 bits should be sufficient.

Proper private key management: It's safest not to store your private key on a shared file system, but rather to keep it on a removable storage device (e.g., floppy, CD-R, keychain external drive) that you can take with you. If you must keep your private key on a shared system (such as a central system at IU):

Make sure the private key file (e.g., .pgp/secring.pgp) is read/writable only by the owner. To do so on a Unix system, issue the shell command chmod go-wr secring.pgp.

Connect to the remote system only via an encrypted connection, such as SSH or SSH2. SSH2 is more secure than SSH, so if it is available, use SSH2. An encrypted shell will prevent your passphrase from going out in plaintext via telnet.

Good passphrase choice: The passphrase "locks" your private key as a safety measure. A bad passphrase makes your private key easier to crack.

Proper passphrase usage: You should type your private key passphrase (required for decrypting mail messages for example, or digitally signing them) only on machine consoles, or over encrypted network links (e.g., via SSH).

While PGP is installed on UITS shared computers, using it on them violates the second and possibly the fourth points above. Therefore, it's not nearly as secure as it would be if it were locally installed on a workstation.
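
One way to check the private-key file permissions listed above, as an added Python example rather than anything from PGP or the original essay. The function names are hypothetical, and the ownership and parent-directory checks go beyond the chmod go-wr step in the text.

```python
import os
import stat
import sys

# The permission bits that `chmod go-wr` clears: group/other read and write.
GO_RW = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

def audit_private_keyring(path):
    """Return a list of findings for a private keyring file; empty means OK."""
    findings = []
    st = os.lstat(path)                       # lstat: do not follow a symlink
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the file it points to instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    if st.st_mode & GO_RW:
        findings.append(f"group/other access bits set: {stat.filemode(st.st_mode)}")
    # A writable parent directory lets another user replace the key file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group/other writable")
    return findings

def restrict_to_owner(path):
    """Equivalent of `chmod go-wr`: clear group/other read and write bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~GO_RW)

if __name__ == "__main__":
    # Usage: python audit_keyring.py ~/.pgp/secring.pgp
    for keyring in sys.argv[1:]:
        for finding in audit_private_keyring(keyring) or ["ok"]:
            print(f"{keyring}: {finding}")
```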

3.3 PGP- Applications

While originally used primarily for encrypting the contents of e-mail messages and attachments from a desktop client, PGP products have been diversified since 2002 into a set of encryption applications which can be managed by an optional central policy server. PGP encryption applications include e-mail and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, protection for files and folders stored on network servers and, more recently, encrypted and/or signed HTTP requests and responses by means of a client-side module (Enigform) and a server-side module (mod_openpgp). There is also a WordPress plugin available, called wp-enigform-authentication, that takes advantage of the session management features of Enigform with mod_openpgp.

The PGP Desktop 9.x family includes PGP Desktop Email, PGP Whole Disk Encryption, and PGP NetShare. Additionally, a number of Desktop bundles are also available. Depending on application, the products feature desktop e-mail, digital signatures, IM security, whole disk encryption, file and folder security, self decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.

The PGP Universal Server 2.x management console handles centralized deployment, security policy, policy enforcement, key management, and reporting. It is used for automated e-mail encryption in the gateway and manages PGP Desktop 9.x clients. In addition to its local keyserver, PGP Universal Server works with the PGP public keyserver, called the PGP Global Directory, to find recipient keys. It has the capability of delivering e-mail securely when no recipient key is found via a secure HTTPS browser session.

With PGP Desktop 9.x managed by PGP Universal Server 2.x, first released in 2005, all PGP encryption applications are based on a new proxy-based architecture. These newer versions of PGP software eliminate the use of e-mail plug-ins and insulate the user from changes to other desktop applications. All desktop and server operations are now based on security policies and operate in an automated fashion. The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.

The current shipping versions are PGP Desktop 9.10 and PGP Universal 2.10.

Also available are PGP Command Line, which enables command line-based encryption and signing of information for storage, transfer, and backup, as well as the PGP Support Package for BlackBerry, which enables RIM BlackBerry devices to enjoy sender-to-recipient messaging encryption.

New versions of PGP applications use both OpenPGP and S/MIME, allowing communications with any user of a NIST-specified standard.

3.4 PGP- Legal Issues

PGP has also been embroiled in controversy since day 1 (Levy, 1993). People often claim that PGP is illegal. There are two separate reasons why they might claim so.

Issue 1: Export Law

Because Zimmermann did nothing to stop other people from placing PGP on the Internet, where people all over the world could get it, the U.S. government claimed that Zimmermann had violated U.S. laws prohibiting the export of munitions. The U.S. government's investigation of Zimmermann went on for 5 years but was eventually dropped, for two reasons. First, Zimmermann did not place PGP on the Internet himself, so his lawyer claimed that he never exported anything. Second, the negative publicity for the government probably did not help much either.

Issue 2: Crypto Legality

In some countries, the use of cryptography is restricted by law. For example, in the UK it is illegal to transmit encrypted data by radio communication. This is generally the case in other countries where Amateur Radio frequencies are concerned.

In some countries, it is outright illegal to encrypt data at all. In other countries, they're working on it.


Issue 3: Patent Stupidity

Another problem PGP ran into involved patent infringement. The company holding the RSA patent, RSA Security, Inc., alleged that PGP's use of the RSA algorithm infringed on its patent, but this problem was solved with releases starting at 2.6.

PGP - Current Situation

Several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command line version) from NAI. The newly formed company, PGP Corporation, was funded by Rob Theis of Doll Capital Management (DCM) and Terry Garnett of Venrock Associates. PGP Corporation is supporting existing PGP users and honoring NAI support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In 2003 PGP Corporation created a new server-based product offering called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In 2005 PGP Corporation made its first acquisition, the German software company Glueck and Kanja Technology AG, which is now PGP Deutschland AG. Since the 2002 purchase of NAI PGP assets, PGP Corporation has offered worldwide PGP technical support from its offices in Draper, Utah; Offenbach, Germany; and Tokyo, Japan.

Advantages and Disadvantages of PGP

The main advantage of using PGP is that it supports text compression, secrecy, and digital signatures and also provides extensive key-management facilities. It is more of a preprocessor that takes plaintext as input and produces signed ciphertext in base64 as output.

The disadvantage of using PGP is that it uses existing cryptographic algorithms rather than inventing new ones. It is largely based on algorithms that have withstood extensive peer review and were not designed or influenced by any government agency trying to weaken them. For people who tend to distrust government, this property is a big plus.


Thus this essay has explained the growth of PGP, its importance in providing secure e-mail, and the issues surrounding it.






