Pretty Good Privacy (PGP) is a data encryption and decryption program that provides cryptographic privacy and authentication. This guide explores the principles of PGP encryption, its applications in securing emails and files, and how it enhances data confidentiality.
Learn about the key management process and best practices for implementing PGP in your communications. Understanding PGP encryption is essential for individuals and organizations looking to protect sensitive information from unauthorized access.
How Does PGP Encryption Work?
PGP encryption uses public-key cryptography, symmetric-key cryptography, and hashing to obscure and verify data between sender and receiver. First, let’s define a few terms that can then be put together to form a picture of what is going on:
- Public-key cryptography – The receiver of a message generates a private key that is kept secret, and a public key that can be shared with the world. When someone encrypts a message with this public key, only the receiver’s private key can decrypt it. To be clear: a public key can only encrypt a message but cannot decrypt that same message. This mathematical one-way concept is known as a trapdoor function.
- Symmetric-key cryptography – Both the sender and receiver of a message have the same (i.e., symmetric) key that is used to encrypt and decrypt a message. This is a simpler and much faster methodology than its public-key counterpart. However, public keys must be generated and then exchanged for use. Doing so on the public Internet is unacceptable, akin to a spy posting his encryption key on a public (physical) bulletin board rather than surreptitiously handing it off.
- Hashing, or Hash Function – PGP creates a hash, or message digest, from an email, then creates a digital signature using the sender’s private key. This can then be used to verify that the message is from the correct sender.
How Does PGP Encryption Work?
- The Receiver first generates a public-private key pair. The private key is kept private, while the public key is shared with the sender, with the implicit assumption that anyone else can and may intercept it.
- The sender generates a random symmetric encryption key and uses it to encrypt the to-be-sent data.
- The symmetric encryption key is encrypted using the receiver’s public key and sent (encrypted) to the receiver. The public key is never shared on the open Internet.
- The data, encrypted using the symmetric key, is sent to the receiver.
- The receiver receives both the (symmetrically) encrypted data and the (asymmetrically) public-private encrypted symmetric key. In this way, both the data and symmetric key are shared without any usable data on the public Internet.
- The receiver then decrypts the encryption key using his private key and the data using the sender-generated symmetric encryption key.
While the process may seem convoluted, it is necessary to allow for private data to be transmitted in public spaces without some initial offline exchange of codes. Notably, the symmetric key, also known as a session key, is used once for encryption/decryption and discarded in order to avert future security issues.
Examples of PGP Encryption in Action: Today’s PGP Encryption Tools
While the PGP encryption process may seem daunting, the good news is that there are a number of services and programs that make things much easier. A few notable examples include:
- Multiple mail clients – Windows, MacOS, Android, iOS, Linux
- Webmail browser plugins – Gmail, GMX, Outlook.com, mailbox.org
- Webmail providers (with no plugin required) – ProtonMail, Mailfence
Using ProtonMail, for example, emails between two users of that service are automatically end-to-end encrypted. You can also send password-protected emails to those who use other mail services.
If current offerings don’t suit your needs, consider that as an open standard, it’s theoretically possible to develop your own email service or encryption “thing” using OpenPGP. At the same time, this would take significant time and effort, so hopefully an existing service today can work for you.
At 33 Years Old, Can PGP Encryption be Hacked?
While PGP encryption is well-established and ancient even in Internet terms, it has been revised and updated constantly over its history. One could argue that its open-source heritage and refinement make it more trustworthy than perhaps any other encryption method publicly available today.
At the same time, general hacking tools, such as keyloggers and malware, can compromise a computing system at the point of encryption. While the encrypted messaging may be secure, one must also consider how secure a computing system is from outside attacks, as well as your communication partner or partners.
Some have also theorized that the development of practical quantum computing will render traditional encryption obsolete. While there are theoretical ways to combat this (theoretical) problem, secure encryption today may not be secure tomorrow, whether via quantum computing, unknown vulnerabilities, or simply by stealing or compelling someone to release a private encryption key.
PGP encryption is, therefore, a reasonable security measure today. Whether transmitted data will be secure for all time, however, is an open question.
PGP, OpenPGP Standard for Increased Internet Security
For the transport of messages from point A to B, PGP and the OpenPGP standard offer a reasonable amount of protection that messages cannot be read if intercepted (barring the advent of quantum computing decryption). At the same time, the security of messages in transport is only one part of the story.
If a device is compromised at either end of the communication through any number of routes, then messages may also be compromised. Consider a situation where a keylogger or other malware is installed on your device. Even though OpenPGP could encrypt communications between the source and destination, if the message has already been compromised then it offers incomplete security at the very best. To secure your network and devices, SentinelOne provides a platform to protect your organization from threats, using the world’s most advanced AI-powered cybersecurity platform.
FAQ
What Is the Difference Between RSA and PGP?
While PGP was originally an encryption program (and is now a set of principles underlying an encryption system), RSA, the Rivest-Shamir-Adleman algorithm, is a mathematical function used for public-private key encryption and signature verification. RSA is the underlying core of many encryption systems, including the original version of PGP and SSH.
What Is the Difference Between PGP and OpenPGP?
PGP, developed in 1991 by Phil Zimmerman, is an encryption program originally used for encrypting messages sent on bulletin board systems (BBSes). It has since been used to encrypt emails, texts, and files and is a subsidiary of Broadcom.
OpenPGP, however, is an open encryption standard, defined by the IETF’s (Internet Engineering Task Force) RFC 4880 (Request for Comment). PGP, as well as other similar encryption software packages, follow the OpenPGP encryption standard. However, not all OpenPGP-based programs are compatible.
Is PGP Encryption Still Used?
Yes, PGP Encryption is still very much in use, having evolved over three decades to meet new challenges.
What Is the Best PGP Software?
There are a wide range of PGP software packages and services available today, including those listed in the section: Examples of PGP Encryption in Action: Today’s PGP Encryption Tools. Ultimately, the best tool will be the one that fits a particular situation, balancing security and usability.
Do I Need Encryption Software?
For email communications that absolutely must be kept private, an encryption program/standard like PGP is a very good tool. At the same time, sending encrypted messages can cause some (hopefully minor) hassle on both the sender’s and receiver’s end. At the end of the day, consider both convenience and the need for privacy.
Conclusion
PGP encryption has been in use for over thirty years, both as a software program and as a standard set of encryption practices. It uses public-key cryptography and symmetric-key cryptography to transfer secure messages over the internet, along with hashing to verify that a message is authentic and unaltered. PGP encryption has evolved with changing technology to meet new threats, allowing it to still be considered secure today.