Pretty Good Privacy

From Wikipedia, the free encyclopedia

PGP Encryption (Pretty Good Privacy) is a computer program that provides cryptographic privacy and authentication. It was originally created by Philip Zimmermann in 1991.

PGP and other similar products follow the OpenPGP standard (RFC 2440) for encrypting and decrypting data. Other such programs are Patrick Townsend & Associates, Authora Inc., EasyByte Cryptocx, Veridis, and the GNU Privacy Guard.

Contents

[edit] PGP encryption applications

While originally used primarily for encrypting the contents of email messages and attachments from a desktop client, PGP products have been diversified since 2002 into a set of encryption applications which can be managed by an optional central policy server. PGP encryption applications include email and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers.

The PGP Desktop 9.x application includes desktop email, digital signatures, IM security, laptop whole disk encryption, file and folder security, self decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.

The PGP Universal 2.x management server handles centralized deployment, security policy, policy enforcement and reporting. It is used for automated email encryption in the gateway and manages PGP Desktop 9.x clients. It works with the PGP public keyserver - called the PGP Global Directory - to find recipient keys. It has the capability of delivering email securely when no recipient key is found via a secure HTTPS browser session.

With PGP Desktop 9.0 managed by PGP Universal Server 2.0, released in 2005, all PGP encryption applications are based on a new proxy-based architecture. These newer versions of PGP software eliminate the use of email plug-ins and insulate the user from changes to other desktop applications. All desktop and server operations are now based on security policies and operate in an automated fashion. The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.

New versions of PGP applications use both OpenPGP and the S/MIME, allowing communications with any user of a NIST specified standard.

[edit] How PGP encryption works

PGP encryption uses public-key cryptography and includes a system which binds the public keys to user identities. The first version of this system was generally known as a web of trust to contrast with the later-developed X.509 system which uses a hierarchical approach based on certificate authority. Current versions of PGP encryption include both alternatives through an automated management server.

[edit] Encryption/decryption

GNU Privacy Assistant (GPA) a graphical user interface for GnuPG currently showing a list of public keys in a user's keyring
GNU Privacy Assistant (GPA) a graphical user interface for GnuPG currently showing a list of public keys in a user's keyring

PGP message encryption uses both asymmetric key encryption and symmetric key encryption algorithms.

When encrypting a message, the sender uses the public key half of the recipient's linked key pair to encrypt a session key. That session key is used, in turn, to encrypt the plaintext of the message using symmetric key encyption.

The recipient of a PGP-encrypted message first decrypts the session key using his private key (the session key was previously encrypted using his public key). Next, he decrypts the rest of the message using the session key.

Use of two ciphers in this way is sensible because of the very considerable difference in operating speed between asymmetric key and symmetric key ciphers (the difference is often a factor of 1000 or more). The entire encryption and decryption operations are completely automated in current PGP desktop products. Many PGP users' public keys are available to all from the many PGP key servers around the world which act as mirror sites for each other.

[edit] Digital signatures

A similar strategy is used to detect whether a message has been altered since it was completed, and whether it was actually sent by the person/entity claimed to be the sender. It is used by default in conjunction with encryption, but can be applied to plaintext as well. The sender uses PGP encryption to create a digital signature for the message with either the RSA or DSA signature algorithms. To do so, PGP products compute a hash (also called a message digest) from the plaintext, and then creates the digital signature from that hash using the sender's private key.

The message recipient uses the sender's public key and the digital signature to recover the original message digest. He compares this message digest with the message digest he computed himself from the (recovered) plaintext. If the signature matches the received plaintext's message digest, it must be presumed (to a very high degree of confidence) that the message received has not been tampered with, either deliberately or accidentally, since it was properly signed.

[edit] Web of Trust

Both when encrypting messages and when verifying signatures, it is critical that the public key one uses to send messages to some person or entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not overwhelming assurance of that association; deliberate (or accidental) spoofing is possible. PGP products have always included provisions for distributing users' public keys in 'identity certificates' which are constructed cryptographically so that any tampering (or accidental garble) is readily detectable. But merely making a certificate effectively impossible to modify undetectably is also insufficient. It can prevent corruption only after the certificate has been created, not before. Users must also verify by some means that the public key in a certificate actually does belong to the person/entity claiming it. From its first release, PGP products have included an internal certificate 'vetting scheme' to assist with this; it has been called a web of trust. A given public key (or more specifically, information binding a person to a key) may be digitally signed by a third party to attest the association between the person and the key. There are several levels of confidence that can be expressed in this signature; although many programs read and write this information, few (if any) incorporate this level of certification when calculating whether to trust a key.

The web of trust concept was first put forth by Phil Zimmermann in the manual for PGP version 2.0:

As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

[edit] Certificates

In the (more recent) OpenPGP specification, trust signatures can be used to support creation of certificate authorities. A trust signature indicates both that the key belongs to its claimed owner and that the owner of the key is trustworthy to sign other keys at one level below their own. A level 0 signature is comparable to a web of trust signature, since only the validity of the key is certified. A level 1 signature is similar to the trust one has in a certificate authority because a key signed to level 1 is able to issue an unlimited number of level 0 signatures. A level 2 signature is highly analogous to the trust assumption users must rely on whenever they use the default certificate authority list in Internet Explorer; it allows the owner of the key to make other keys certificate authorities.

PGP products have always included a way to cancel ('revoke') identity certificates which may have become invalid; this is, more or less, equivalent to the certificate revocation lists of more centralized PKI schemes. Recent PGP versions have also supported certificate expiration dates.

The problem of correctly identifying a public key as belonging to some other user is not unique to PGP encryption. All public key and private key cryptosystems have the same problem, if in slightly different guise, and no fully satisfactory solution is known. PGP's original scheme, at least, leaves the decision whether or not to use its endorsement/vetting system to the user, while most other PKI schemes do not, requiring instead that every certificate attested to by a central certificate authority be accepted as correct.

[edit] Security quality

To the best of publicly available information, there is no known method for any entity to break PGP encryption by cryptographic, computational means regardless of the version being employed. In 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption" (Applied Cryptography, 2nd ed., p587). In contrast to security systems/protocols like SSL which only protect data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files.

The cryptographic security of PGP encryption depends on the assumption that the algorithms used are unbreakable by direct cryptanalysis with current equipment and techniques. For instance, in the original version, the RSA algorithm was used to encrypt session keys; RSA's security depends upon the (generally presumed) one-way function nature of mathematical integer factoring. New unknown integer factorization techniques have the potential, therefore, to make breaking RSA easier than now, or perhaps even trivially easy. Likewise the secret key algorithm originally used in PGP was IDEA, which might, at some future time, be found to have a previously unsuspected cryptanalytic flaw. Specific instances of PGP or IDEA insecurities -- if they exist -- are not publicly known. As current versions of PGP have added additional encryption algorithms, the degree of their cryptographic vulnerability varies.

[edit] History

[edit] Early history

Phil Zimmermann created the first version of PGP encryption in 1991. The ironic name, "Pretty Good Privacy", was inspired by the name of the grocery store featured in radio host Garrison Keillor's fictional town, Lake Wobegon. The grocery was "Ralph's Pretty Good Grocery". Zimmermann had been a long-time anti-nuclear activist, and created PGP encryption so that like-minded people could securely use BBSs and securely store messages and files. No license was required for non-commercial use. There was not even a nominal charge, and the complete source code was included with all copies. PGP encryption found its way onto Usenet and from there onto the Internet, and it rapidly acquired a considerable following around the world. Users and supporters included dissidents in totalitarian countries (some affecting letters to Zimmermann have been published, and some have been included in testimony before the US Congress), civil libertarians in other parts of the world (see Zimmermann's published testimony in various hearings), and the 'free communications' activists who call themselves cypherpunks (who provided both publicity and distribution).

[edit] Criminal investigation

Shortly after its release, PGP encryption found its way outside the US, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. The investigation of Zimmermann was eventually closed without filing criminal charges against him or anyone else.

US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to 7 specific countries and a named list of groups and individuals.

[edit] PGP 3

During this turmoil, Zimmermann's team worked on a new version of PGP encryption called PGP 3. This new version was to have considerable security improvements, including a new certificate structure which fixed small security flaws in the PGP 2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP 3 introduced use of the CAST-128 (a.k.a. CAST5) symmetric key algorithm, and the DSA and ElGamal asymmetric key algorithms, all of which were unencumbered by patents.

After the US Government criminal investigation ended in 1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had licensed RSA directly from RSADSI) which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP 3 system. Unlike PGP 2, which was an exclusively command line program, PGP 3 was designed from the start as a software library allowing users to work from a command line or inside a GUI environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997.

[edit] OpenPGP

Inside PGP Inc., there was still concern about patent issues. RSADSI was challenging the continuation of the Viacrypt RSA license to the newly merged firm. PGP Inc adopted an informal internal standard called "Unencumbered PGP": "use no algorithm with licensing difficulties". Because of PGP encryption's importance worldwide (it is thought to be the most widely chosen quality cryptographic system), many wanted to write their own software that would interoperate with PGP 5. Zimmermann became convinced that an open standard for PGP encryption was critical for them and for the cryptographic community as a whole. In July 1997, PGP Inc. proposed to the IETF that there be a standard called OpenPGP. They gave the IETF permission to use the name OpenPGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the OpenPGP Working Group.

OpenPGP is on the Internet Standards Track; the current specification is RFC 2440 (July 1998). OpenPGP is still under active development and a follow-on to RFC 2440 is being actively finalized by the OpenPGP working group as of January 2006.

The Free Software Foundation has developed its own OpenPGP-compliant program called GNU Privacy Guard (GnuPG). GnuPG is freely available together with all source code under the GNU General Public License (GPL) and is maintained separate from several GUIs. Several other vendors have also developed OpenPGP-compliant software.

[edit] Network Associates acquisition

In December, 1997 PGP Inc. was acquired by Network Associates, Inc. Zimmermann and the PGP team became NAI employees. NAI continued to pioneer export through software publishing, being the first company to have a legal export strategy by publishing source code. Under its aegis, the PGP team added disk encryption, desktop firewalls, intrusion detection, and IPsec VPNs to the PGP family. After the export regulation liberalizations of 2000 which no longer required publishing of source, NAI stopped releasing source code, over the PGP team's objection. There was consternation amongst PGP users worldwide at this and, inevitably, some conspiracy theories as well.

In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for Hush Communications, who provide an OpenPGP-based email service, Hushmail. He has also worked with Veridis and other companies. In October, 2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Commandline). In February 2002, NAI cancelled all support for PGP products, with the exception of the re-named commandline product. NAI (now McAfee) continues to sell and support the product under the name McAfee E-Business Server.

[edit] Current situation

In August 2002, several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command line version) from NAI. PGP Corporation is supporting existing PGP users and honoring NAI support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In 2003 PGP Corporation created a new server-based product offering called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In 2005 PGP Corporation made its first acquisition - the German software company Glueck and Kanja Technology AG which is now the German headquarters in Frankfurt (PGP Deutschland AG [1]). Since the 2002 purchase of NAI PGP assets, PGP Corporation has offered worldwide PGP technical support from their office in Draper, Utah.

[edit] OpenPGP implementations

[edit] See also

[edit] External links and references