

What is PGP ?

Pretty Good Privacy (PGP) encryption program provides cryptographic privacy and

developed by Phil Zimmermann, who
selected the best available cryptographic algorithms:

RSA, DSS, and Diffie-Hellman for public-key encryption;

CAST-128, IDEA, and 3DES for symmetric encryption; and
SHA-1 for hash coding
integrated into a general-purpose application

using simple and small commands (independent of OS and processors)

that can be implemented on Unix, PC, Macintosh and other systems
made the package and its documentation, including the source code, freely
entered into an agreement with a company (PGP Inc., Network Associates, PGP Corp.
and now Symantec) to provide a fully compatible, low-cost commercial version
of PGP.
Some free PGP-compliant products are OpenPGP, GNU Privacy Guard
(GPG), etc.
PGP Services
entire PGP operation provides four services - authentication, confidentiality,
compression, and e-mail compatibility.
PGP Authentication
1. sender creates message
2. makes a 160-bit SHA-1 hash of message
3. attaches RSA-signed hash to message
4. receiver decrypts & recovers hash code
5. receiver verifies received message hash
PGP Confidentiality
1. sender forms 128-bit random session key
2. encrypts message with session key
3. attaches session key encrypted with RSA
4. receiver decrypts & recovers session key
5. session key is used to decrypt message
Confidentiality & Authentication
can use both services on the same message
create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
PGP Compression
by default PGP compresses message after signing but before encrypting
o so can store uncompressed message & signature for later verification
o & because compression is non-deterministic
uses ZIP compression algorithm
ZIP Example
The example text is 53 octets (= 424 bits) long.
each character is mapped into a 9-bit pattern (a binary 1 + 8-bit ASCII)
look for repeated sequences; continue scanning until the repetition ends.
the first such sequence is "the brown fox"; it is replaced by
a pointer to the prior sequence (26 character positions earlier) and
length of the sequence (13 characters).
Encoding options:
an 8-bit pointer and a 4-bit length (denoted by header 00), or
a 12-bit pointer and a 6-bit length (denoted by 01).
the second "the brown fox" is encoded as <00b><26d><13d>, or 00 00011010 1101, and the
sequence "jump" is encoded as <00b><27d><5d>.
The compressed message consists of 35 9-bit characters and 2 14-bit codes totalling 343 bits,
hence a compression ratio of 1.24 is achieved.
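The bit counts above can be reproduced with a small greedy LZ77-style coder. This is an added example, not code from the original page or from ZIP itself; the sample sentence (which the page does not reproduce) and the minimum match length of 3 are assumptions chosen to be consistent with the page's numbers.

```python
# Toy LZ77-style coder; TEXT is an assumed sample (the page gives only its length).
TEXT = "the brown fox jumped over the brown foxy jumping frog"
MIN_MATCH = 3  # assumption: shorter repeats stay literal

def tokenize(text, window=4095, max_len=63):
    """Greedy scan emitting ('lit', ch) or ('ref', distance_back, length)."""
    tokens, i = [], 0
    while i < len(text):
        best_len, best_dist = 0, 0
        for j in range(max(0, i - window), i):
            k = 0
            while k < max_len and i + k < len(text) and text[j + k] == text[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= MIN_MATCH:
            tokens.append(("ref", best_dist, best_len))
            i += best_len
        else:
            tokens.append(("lit", text[i]))
            i += 1
    return tokens

def to_codes(tokens):
    """Render each token as bits: 1+ASCII, 00+ptr8+len4 or 01+ptr12+len6."""
    codes = []
    for tok in tokens:
        if tok[0] == "lit":
            codes.append("1" + format(ord(tok[1]), "08b"))
        elif tok[1] < 256 and tok[2] < 16:
            codes.append("00" + format(tok[1], "08b") + format(tok[2], "04b"))
        else:
            codes.append("01" + format(tok[1], "012b") + format(tok[2], "06b"))
    return codes

def decode(tokens):
    out = []
    for tok in tokens:
        if tok[0] == "lit":
            out.append(tok[1])
        else:
            for _ in range(tok[2]):      # copy one character at a time
                out.append(out[-tok[1]])
    return "".join(out)

def summarize(text=TEXT):
    tokens = tokenize(text)
    bits = sum(len(c) for c in to_codes(tokens))
    return tokens, bits, round(8 * len(text) / bits, 2)
```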
PGP Email Compatibility
when using PGP, emails have binary data to send (encrypted message etc)
however email was designed only for text
hence PGP must encode raw binary data into printable ASCII characters
uses radix-64 algorithm
maps 3 bytes to 4 printable chars
also appends a CRC

PGP also segments messages if too big
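The radix-64 step with its appended CRC, written out as an added example (not code from the original page or from any PGP implementation). The CRC-24 constants and the armor line layout are those of the OpenPGP armor format rather than anything stated on this page, and SAMPLE is a constructed payload.

```python
import base64

SAMPLE = bytes(range(100))  # constructed binary payload standing in for PGP output

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP armor (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, width: int = 64) -> str:
    """Radix-64 encode: every 3 input bytes become 4 printable characters."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *lines,
                      "=" + check, "-----END PGP MESSAGE-----"])

def dearmor(text: str) -> bytes:
    """Decode an armored block and reject it if the CRC-24 does not match."""
    lines = text.strip().splitlines()
    start = lines.index("") + 1              # payload starts after the blank line
    *payload, check_line = lines[start:-1]
    if not check_line.startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(payload))
    expected = int.from_bytes(base64.b64decode(check_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armor was damaged in transit")
    return data

def corrupt(armored: str) -> str:
    """Swap the first payload character, as a mangling mail gateway might."""
    lines = armored.splitlines()
    lines[2] = ("B" if lines[2][0] != "B" else "C") + lines[2][1:]
    return "\n".join(lines)
```

The CRC-24 only detects accidental damage to the armored text; protection against deliberate modification comes from the signature.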

PGP Operation Summary
Pretty Good Privacy (PGP)
What is PGP?

Pretty Good Privacy or PGP is a popular program
used to encrypt and decrypt email over the
Internet, as well as authenticate messages with
digital signatures and encrypted stored files.
Previously available as freeware and now only
available as a low-cost commercial version, PGP
was once the most widely used privacy-ensuring
program by individuals and is also used by many
corporations. It was developed by Philip R.
Zimmermann in 1991 and has become a de facto
standard for email security.
How PGP works
Pretty Good Privacy uses a variation of the public key system. In this system, each user has an
encryption key that is publicly known and a private key that is known only to that user. You encrypt a
message you send to someone else using their public key. When they receive it, they decrypt it using
their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster
encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key
that was used to encrypt the entire message. Both the encrypted message and the short key are
sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses
that key to decrypt the message.
PGP comes in two public key versions -- Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA
version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate a short
key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the
CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt
the short key.
When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a
mathematical summary) from the user's name and other signature information. This hash code is
then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt
the hash code. If it matches the hash code sent as the digital signature for the message, the receiver
is sure that the message has arrived securely from the stated sender. PGP's RSA version uses the
MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses the SHA-1 algorithm to
generate the hash code.
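The hybrid encryption and signature check described above, together with the earlier authentication, compression and confidentiality steps, traced end to end for one sender and one receiver. This is an added example, not PGP's code or the original page's: the keys are toy-sized textbook RSA built from fixed Mersenne primes, and a SHA-256 keystream XOR stands in for IDEA or CAST, so only the order of operations carries over to real PGP.

```python
import hashlib, secrets, zlib

E = 65537

def keypair(p, q):
    """Textbook RSA from two fixed primes: toy-sized and unpadded, for illustration."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Hypothetical fixed keys built from Mersenne primes so the example is repeatable.
SENDER_PUB, SENDER_PRIV = keypair(2**107 - 1, 2**61 - 1)   # sender signs
RECV_PUB, RECV_PRIV = keypair(2**127 - 1, 2**89 - 1)       # receiver decrypts

def rsa(value, key):
    n, exponent = key
    return pow(value, exponent, n)

def stream_xor(key, data):
    """Stand-in for IDEA/CAST/3DES: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def sha1_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def send(message, signer=SENDER_PRIV):
    sig = rsa(sha1_int(message), signer).to_bytes(21, "big")     # sign the hash
    packed = zlib.compress(sig + message)                        # compress after signing
    session_key = secrets.token_bytes(16)                        # 128-bit one-time key
    body = stream_xor(session_key, packed)                       # encrypt with short key
    wrapped = rsa(int.from_bytes(session_key, "big"), RECV_PUB)  # wrap the short key
    return wrapped, body

def receive(wrapped, body):
    session_key = rsa(wrapped, RECV_PRIV).to_bytes(16, "big")    # unwrap the short key
    packed = zlib.decompress(stream_xor(session_key, body))
    sig, message = packed[:21], packed[21:]
    if rsa(int.from_bytes(sig, "big"), SENDER_PUB) != sha1_int(message):
        raise ValueError("signature does not match the message hash")
    return message
```

Calling `send` with a different private key as `signer` makes `receive` raise, which is the check that ties the message to the stated sender.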
Getting PGP
To use Pretty Good Privacy, download or purchase it and install it on your computer
system. It typically contains a user interface that works with your customary email
program. You may also need to register the public key that your PGP program gives you
with a PGP public-key server so that people you exchange messages with will be able to
find your public key.
PGP freeware is available for older versions of Windows, Mac, DOS, Unix and other
operating systems. In 2010, Symantec Corp. acquired PGP Corp., which held the rights to
the PGP code, and soon stopped offering a freeware version of the technology. The vendor
currently offers PGP technology in a variety of its encryption products, such as Symantec
Encryption Desktop, Symantec Desktop Email Encryption and Symantec Encryption
Desktop Storage. Symantec also makes the Symantec Encryption Desktopsource code
available for peer review.
Though Symantec ended PGP freeware, there are other non-proprietary versions of the
technology that are available. OpenPGP is an open source version of PGP that's supported
by the Internet Engineering Task Force (IETF). OpenPGP is used by several software
vendors, including Coviant Software, which offers a free tool for OpenPGP encryption,
and HushMail, which offers a Web-based encrypted email service powered by OpenPGP. In
addition, the Free Software Foundation developed GNU Privacy Guard (GPG), an
OpenPGP-compliant encryption software.
Where can you use PGP?
Pretty Good Privacy can be used to authenticate digital certificates and
encrypt/decrypt texts, emails, files, directories and whole disk partitions.
Symantec, for example, offers PGP-based products such as Symantec
File Share Encryption for encrypting files shared across a network and
Symantec Endpoint Encryption for full disk encryption on desktops,
mobile devices and removable storage. In the case of using PGP
technology for files and drives instead of messages, the Symantec
products allow users to decrypt and re-encrypt data via a single sign-on.
Originally, the U.S. government restricted the exportation of PGP technology and
even launched a criminal investigation against Zimmermann for putting the
technology in the public domain (the investigation was later dropped). Network
Associates Inc. (NAI) acquired Zimmermann's company, PGP Inc., in 1997 and was
able to legally publish the source code (NAI later sold the PGP assets and IP to ex-PGP
developers that joined together to form PGP Corp. in 2002, which was acquired by
Symantec in 2010).
Today, PGP encrypted email can be exchanged with users outside the U.S. if you have
the correct versions of PGP at both ends.
There are several versions of PGP in use. Add-ons can be purchased that allow
backwards compatibility for newer RSA versions with older versions. However, the
Diffie-Hellman and RSA versions of PGP do not work with each other since they use
different algorithms. There are also a number of technology companies that have
released tools or services supporting PGP. Google this year introduced an OpenPGP
email encryption plug-in for Chrome, while Yahoo also began offering PGP encryption
for its email service.