Pretty Good Privacy is a program developed by Phil Zimmermann for encrypting and signing data. PGP uses a so-called public key method, in which there is a uniquely assigned key pair.
It uses a public key, which anyone can use to encrypt data for the recipient and verify their signatures, and a private, secret key, which only the recipient owns and which is usually protected by a password. Messages to a recipient are encrypted with their public key and can then only be decrypted using their private key. These methods are also called asymmetric methods because the sender and receiver use two different keys. The first version was written in 1991 and used the RSA algorithm to encrypt the data. Later versions used the Elgamal algorithm.
However, PGP does not encrypt the entire message asymmetrically, because this would be far too computationally intensive and it would not be practical to send the same message to multiple recipients. Instead, the actual message is encrypted symmetrically and only the key used is encrypted asymmetrically (hybrid encryption). To do this, a symmetric key (session key) is randomly generated each time.
This symmetric key is then encrypted with the recipient’s public key, for example using the RSA or Elgamal cryptosystem, and added to the message. This makes it possible to encrypt a message for multiple recipients at the same time. PGP is based on the so-called Web of Trust, in which there is no central certification authority, but trust is managed by the users themselves.
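The hybrid scheme described above, as an added example that is not PGP's or GnuPG's own code: the message body is encrypted once with a random session key, and only that key is encrypted separately for each recipient. RSA-OAEP and AES-GCM from the Python `cryptography` package stand in for OpenPGP's own packet formats and cipher modes; the key IDs and the dictionary layout are assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding configuration for wrapping the session key (stand-in for OpenPGP's encoding).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def encrypt_for(recipients, plaintext):
    """recipients maps a key ID (hypothetical label) to an RSA public key."""
    session_key = AESGCM.generate_key(bit_length=256)  # fresh random key per message
    nonce = os.urandom(12)
    # The (possibly large) body is encrypted symmetrically, exactly once.
    body = AESGCM(session_key).encrypt(nonce, plaintext, None)
    # Only the short session key is encrypted asymmetrically, once per recipient.
    wrapped = {kid: pub.encrypt(session_key, OAEP) for kid, pub in recipients.items()}
    return {"wrapped_keys": wrapped, "nonce": nonce, "body": body}

def decrypt_as(key_id, private_key, message):
    """Unwrap this recipient's copy of the session key, then decrypt the shared body."""
    session_key = private_key.decrypt(message["wrapped_keys"][key_id], OAEP)
    return AESGCM(session_key).decrypt(message["nonce"], message["body"], None)

def demo():
    # Constructed sample keys and message, generated on the fly.
    alice = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    bob = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    msg = encrypt_for({"alice": alice.public_key(), "bob": bob.public_key()},
                      b"meet at noon")
    return msg, decrypt_as("alice", alice, msg), decrypt_as("bob", bob, msg)

if __name__ == "__main__":
    message, for_alice, for_bob = demo()
    print(len(message["wrapped_keys"]), "wrapped keys,", len(message["body"]), "body bytes")
    print(for_alice, for_bob)
```

Adding a recipient costs one more wrapped key of fixed size; the body is never re-encrypted.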
Because PGP is designed so that messages can be decrypted permanently, an attacker who manages to obtain a private key compromises the entire communication history of that key. For instant messaging, Off-the-Record Messaging (OTR) has been developed as an alternative to PGP; even if the private key is compromised at a later date, the encrypted communication remains unreadable for the attacker (but also for the legitimate key owner).
The GNU GPL program GnuPG was the first implementation of OpenPGP and was developed as a free alternative to PGP. There are now many extensions of the OpenPGP standard that go beyond the functionality of PGP, so that the smooth exchange of data and keys is not always guaranteed.
How PGP Works
You can use PGP to sign a message only, encrypt it only, or both sign and encrypt it. The signature guarantees that the message comes from the claimed sender (authenticity) and has not been altered after signing (integrity). In practice, if you encrypt messages, you will usually sign them.
Creating a digital signature
So that the recipient can later be sure that a received message has not been tampered with or replaced (integrity) and comes from the claimed sender (authenticity), the sender must generate a digital signature for the message (or parts of it). A cryptographic hash function is applied to the plaintext message (in the past often SHA-1, which is now obsolete and has been replaced by SHA-256, among others). This creates a message digest (unique fingerprint) of the message that is much shorter than the message itself, which simplifies the generation of the digital signature. A signature is then generated from the message digest using the sender’s private key.
Encryption
As a second step (or the first, if you don’t want to sign), the sender can now encrypt the message. The plaintext message and the digital signature from the first step are combined into one data set and compressed, which reduces the size and makes cryptanalysis harder. This compressed data is then symmetrically encrypted into ciphertext using the randomly generated session key KM. Since this is a randomly generated one-time key, it must be communicated to the recipient. To do this, KM is asymmetrically encrypted with the recipient’s public key and prefixed to the encrypted message. An encrypted message is therefore only as secure as the weaker of two elements: the asymmetric key to which it is encrypted and the session key. Finally, the bytes of the ciphertext and the encrypted key need to be made email-friendly. For this purpose they are encoded (just like other binary data in e-mails) into printable ASCII characters using a Base64 variant (Radix-64). Now the PGP message can be sent to the recipient. In addition to being used for e-mail, PGP can also be used for other messaging channels by signing and/or encrypting files or text (there is a separate signature procedure for this due to the inconsistent end-of-line encoding between operating systems).

Decryption
First, the recipient has to Base64-decode the ASCII characters to get the ciphertext and the encrypted session key. The session key can then be decrypted with the recipient’s private key, and with it the ciphertext can be decrypted back into the compressed combination of plaintext message and digital signature. To finally get to the message, all you have to do is decompress it.
However, the authenticity of the sender and the integrity of the message must also be verified. To do this, the recipient applies the same hash function as the sender to the plaintext and decrypts the digital signature with the sender’s public key. If the corresponding private key was actually used to create the signature, the two message digests match, and it can be assumed that the message has not been altered. It can also be assumed that it comes from a specific sender if the signing key can be securely assigned to that sender, which is independent of the processing of individual messages.
Security
A possible attack results from the procedure of first signing messages and then encrypting them. After decrypting a message, the recipient can forward the signed message to a third person with a spoofed sender. If the addressee is not named in the message, the valid signature may give the impression that it was sent directly from the original sender to that third party.
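One way to close this gap, shown as an added example that is not part of PGP itself: the sender names the addressee inside the signed bytes, and the receiver accepts a message only if the signature verifies and the named addressee is the receiver. Ed25519 from the Python `cryptography` package stands in for an OpenPGP signature, the encryption layer is left out, and the `To:` line format and addresses are assumptions.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def sign_for(sender_key, recipient: str, text: str):
    """Sign the message together with the intended recipient's address."""
    if "\n" in recipient or "\r" in recipient:
        raise ValueError("recipient must be a single line")
    # The addressee is part of the signed bytes, so it cannot be removed or
    # replaced without invalidating the signature.
    signed = f"To: {recipient}\n\n{text}".encode()
    return signed, sender_key.sign(signed)

def accept(sender_pub, me: str, signed: bytes, signature: bytes) -> bool:
    """Accept only if the signature is valid AND the signed text names us."""
    try:
        sender_pub.verify(signature, signed)
    except InvalidSignature:
        return False
    return signed.split(b"\n", 1)[0] == f"To: {me}".encode()

def demo():
    alice = Ed25519PrivateKey.generate()  # constructed sample key
    pub = alice.public_key()
    signed, sig = sign_for(alice, "bob@example.org", "I agree to the terms.")
    direct = accept(pub, "bob@example.org", signed, sig)       # intended recipient
    forwarded = accept(pub, "carol@example.org", signed, sig)  # passed on unchanged
    edited = signed.replace(b"bob@", b"carol@")                # addressee rewritten
    rewritten = accept(pub, "carol@example.org", edited, sig)
    return direct, forwarded, rewritten

if __name__ == "__main__":
    print(demo())
```

The forwarded copy still carries a valid signature, which is exactly why the receiver has to check the addressee and not only the signature.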
In addition, there was criticism that public keys are often stored on servers to which anyone has read and write access. As a result, wrong keys ended up being stored there.