Pretty Good Privacy: Email Encryption the Right Way?

Saad Khan
Oct 14, 2020

PGP, short for Pretty Good Privacy, is an encryption program developed in 1991 by cryptographer Phil Zimmermann. PGP is used to provide cryptographic privacy and authentication for online communication. Because it is a free tool, any individual, company, or organization that values its privacy and only wants its messages read and responded to by trusted sources can benefit from Pretty Good Privacy. Typically, PGP is used for signing, encrypting, and decrypting emails so that senders can make sure that only the recipients they trust are able to read their emails, and recipients can know that the email was sent by the legitimate sender. Pretty Good Privacy works through a mix of data compression, encryption algorithms, and the use of both symmetric and asymmetric keys to encrypt and decrypt the messages being sent and received. PGP has been praised by many for its intuitive encryption and decryption process. It is even said to have an advantage over other encryption programs such as Advanced Encryption Standard because of its use of multiple keys. However, Pretty Good Privacy isn’t without its problems. It has often been criticized for issues that can put email senders at risk of losing their information, cause delays in communication over minor software updates, and even allow user emails to be intercepted by unwanted parties because of a flaw in the encryption process.

Pretty Good Privacy works in a rather complex way. In a broad sense, PGP encryption works by having the email sender download the recipient’s public key and use it to encrypt both the email message they wish to send and their own personal public key. Before they send the email, the sender can use their personal private key to “sign” the email. Signing the email lets the recipient know that the email is coming from a trusted source and that it wasn’t maliciously altered en route. The recipient can then use their own private key to decrypt the email. If they wish to reply to the original message, they can do so easily, since the original sender sent their own public key along with the encrypted message.

(The Privacy Guide, 2019) Chris Brook, an author for the digital computer science magazine Digital Guardian, examines PGP on a closer, technical level and adds more detail to the aforementioned PGP process. According to Brook,

“Pretty Good Privacy Encryption is done through the mix of data compression, encryption algorithms, and the use of both symmetric and asymmetric keys. When plaintext is encrypted with PGP, it is first compressed in order to save transmission time and disk space. Data compression also allows for an increase in cryptographic security. This is because data compression reduces the amount of patterns that can be seen in the plaintext that can potentially be found through the use of cryptanalysis.” (Brook, 2018)

Once the data compression is complete, Pretty Good Privacy creates a randomly generated key known as the session key. According to computer scientists at Carnegie Mellon University, “The session key uses an encryption algorithm to encrypt the plaintext. The resulting text is now known as ciphertext. Once the data is fully encrypted, the session key is then also encrypted to the recipient’s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.” (Carnegie Mellon University, 2019) Once this is done, the recipient uses their own PGP encryption program to decrypt the email. The recipient uses their own private key to decrypt the sender’s session key. After the session key is decrypted, it is used to decrypt the ciphertext, allowing the recipient to read the contents of the email.
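The compress, session-key, and key-wrapping flow described above, as an added Python sketch that is not from the original article or from any PGP implementation. Textbook RSA over two known Mersenne primes and a SHA-256 keystream are insecure stand-ins assumed here for PGP’s real public-key and symmetric ciphers, and all function names are hypothetical.

```python
import hashlib, secrets, zlib

# Constructed toy RSA key pair from two known Mersenne primes (insecure, demo only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # recipient's private exponent
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)   # only PUBLIC_KEY is ever shared

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def pgp_style_encrypt(plaintext: bytes, recipient_public):
    """Sender side: compress, encrypt under a fresh session key, wrap that key."""
    n, e = recipient_public
    compressed = zlib.compress(plaintext)
    session_key = secrets.token_bytes(16)              # random, used for one message
    ciphertext = keystream_xor(session_key, compressed)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, ciphertext                     # both travel to the recipient

def pgp_style_decrypt(message, recipient_private) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    wrapped_key, ciphertext = message
    n, d = recipient_private
    try:
        session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
        return zlib.decompress(keystream_xor(session_key, ciphertext))
    except (OverflowError, zlib.error):
        raise ValueError("session key could not be recovered with this key") from None

if __name__ == "__main__":
    email = b"Meet at 10:00. " * 8                     # constructed sample message
    message = pgp_style_encrypt(email, PUBLIC_KEY)
    print(pgp_style_decrypt(message, PRIVATE_KEY) == email)
    try:
        pgp_style_decrypt(message, PUBLIC_KEY)         # public key cannot unwrap
    except ValueError as err:
        print("public key rejected:", err)
```

Because a new session key is generated for every message, encrypting the same email twice produces a different wrapped key each time, while the recipient’s key pair stays the same.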

PGP has been praised by many for its intuitive encryption and decryption process. PGP can even be argued to be one of the best, if not the best, encryption services when it comes to sending and receiving messages online. However, similar encryption programs do exist, such as Advanced Encryption Standard, or AES for short. The cybersecurity blog Syncsort defines AES as an encryption program which uses “symmetric key encryption algorithm, which essentially means that the same key is used to encrypt and decrypt the data. A computer program takes clear text and processes it through an encryption key and returns ciphertext. If the data needs to be decrypted, the program processes it again with the same key and is able to reproduce the clear text.” Right off the bat, it’s clear that AES and PGP are significantly different from one another, since PGP uses both symmetric and asymmetric keys for the encryption and decryption process. The use of both kinds of key, unlike AES, provides an extra layer of security for the parties communicating online with one another. Syncsort gives the example of someone sharing sensitive financial information with their trading partners or transferring information across networks: using Advanced Encryption Standard would leave the data vulnerable, because the sender would need to share the encryption key with the trading partners. This means that not only would they be able to decrypt the information sent to them, they could also decrypt anything else encrypted using the same key, regardless of whether it was meant for their eyes or not. With PGP, users benefit from the fact that the key that is used to encrypt a message is different from the key that is used to encrypt the response to the initial message.

Despite all the advantages of Pretty Good Privacy, it is not without its issues. One issue that PGP users have to keep in mind is that PGP has no ability to recover lost passwords for public or private keys. According to John Papiewski of the computer science journalism website It Still Works:

“Computer administrators frequently face emergencies involving lost or forgotten passwords. For some types of security software, an administrator can use special programs to retrieve passwords. For example, a technician who has physical access to a PC can recover forgotten log-in passwords to Microsoft Windows. PGP however, offers no such workaround.” (It Still Works, 2018)

Because of how strong the encryption methods are in Pretty Good Privacy, nobody except the PGP user themselves can retrieve such information. Papiewski goes on to claim that forgotten passwords can result in lost messages, lost files or inaccessible hard drives. While remembering a password is a fairly lightweight responsibility to bear, the fact that PGP provides no option to retrieve forgotten information can be seen as unnecessary trouble for some. In this instance, Advanced Encryption Standard’s simplistic one-key approach to encryption and decryption would be much easier, because AES users can just send a request to former contacts they’ve sent encrypted files to for a “spare” of their key.

A second disadvantage of Pretty Good Privacy is that both the email sender and the email recipient must have compatible versions of PGP software, or the information either will not be decrypted at all or will be decrypted by only one person, with a response being impossible to send. The previously mentioned website, It Still Works, points out how:

“Evolving versions of PGP use different methods of encryption. If you encrypt an email using PGP with one type of encryption, a recipient using PGP with a different version cannot read your message, although you may be able to decode messages sent to you. To avoid this conflict, both the sender and receiver must check and compare their PGP versions before exchanging encrypted data.” (It Still Works, 2018)

If the two PGP users were on a time crunch and discovered that one of them had a different software version of PGP, the two of them would have to pause all communication and wait for however long it would take for the application to update, which would itself be uncertain given internet speeds and computer models. Many communication-based technologies, such as email itself, allow for some leeway regarding software versions between the two communicating devices, so PGP applications will have to provide some leeway as well. If the method of encryption isn’t changing between software updates, then there should be no reason why PGP requires both the email sender and the email receiver to be on the exact same software version.

Another concern regarding PGP, and arguably a more serious one than the preceding two, is a flaw in PGP’s encryption method newly discovered in late 2018. The flaw was dubbed ‘EFail’ by its discoverers and was covered by Amit Katwala of the online technology magazine Wired, who stated:

“PGP Users have a public key and a private key — senders use the former to encrypt messages, which can only be decoded by someone who has access to the latter. But, on May 14, 2018, researchers from Munster University of Applied Sciences released details of what’s been reported as a “serious flaw” in PGP. The exploit, dubbed ‘EFail’, uses a piece of HTML code to trick certain email clients, including Apple Mail, Outlook 2007 and Thunderbird, into sending a decrypted text file of an encrypted message to the attacker.” (Katwala, 2018)

EFail put many PGP users in a panic, with Katwala even saying “it’s time to let PGP die” after the exploit was disclosed. Organizations such as the Electronic Frontier Foundation, or EFF, have even encouraged users to avoid using PGP until the situation is fixed. The EFF has said that, to minimize the chance of the HTML in one’s emails being compromised when it is sent via PGP, people should disable the option to view HTML emails indefinitely.

Ever since it was created in 1991 by cryptographer Phil Zimmermann, Pretty Good Privacy has been one of the most useful tools in network security when it comes to encrypting, signing, and decrypting emails. Through the use of data compression, encryption algorithms, and both symmetric and asymmetric keys, users can easily encrypt and decrypt the messages being sent and received. Pretty Good Privacy has even been praised by many for how secure it is, despite being relatively dated. It is even said to have an advantage over other encryption programs such as Advanced Encryption Standard in some cases because of its use of separate keys for the encryption and decryption process. That being said, Pretty Good Privacy is not without its faults, which range from user-convenience issues, such as a lack of password recovery for keys and the requirement that both senders and recipients have the same version number of PGP, to attackers potentially gaining access to encrypted messages due to a flaw in the encryption process of PGP.

References

AES vs PGP: Which data encryption method should I be using? (2019, April 6). Retrieved from https://blog.syncsort.com/2018/07/data-security/comparing-aes-pgp-encryption/.

Brook, C. (2018, December 5). What is PGP Encryption? Defining and Outlining the Uses of PGP Encryption. Retrieved from https://digitalguardian.com/blog/what-pgp-encryption-defining-and-outlining-uses-pgp-encryption

How PGP Works. (n.d.). Retrieved from https://users.ece.cmu.edu/~adrian/630-f04/PGP-intro.html

Katwala, A. (2018, May 17). We’re calling it: PGP is dead. Retrieved from https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime.

Malten, E. (n.d.). Encryption for beginners 2: PGP and hashing. Retrieved from https://www.zivver.eu/en/blog/encryption-for-beginners-2-pgp-and-hashing

Papiewski, J. (2019, January 10). What are the Disadvantages of PGP Encryption? Retrieved from https://itstillworks.com/disadvantages-pgp-encryption-2300.html

Portnoy, E., O’Brien, D., & Cardozo, N. (2018, December 7). Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw. Retrieved from https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0.

Syncsort. (n.d.). Retrieved September 26, 2019, from https://blog.syncsort.com/2018/07/data-security/comparing-aes-pgp-encryption/.
