{"id":4951,"date":"2019-06-03T22:35:48","date_gmt":"2019-06-03T21:35:48","guid":{"rendered":"https:\/\/www.n-able.com\/?p=4951"},"modified":"2021-03-30T22:39:48","modified_gmt":"2021-03-30T21:39:48","slug":"pgp-encryption","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/de\/blog\/pgp-encryption","title":{"rendered":"Understanding PGP Encryption"},"content":{"rendered":"

PGP (Pretty Good Privacy) is an encryption program used to send highly sensitive information over the internet. It relies on a mix of public key encryption methods as well as more traditional encryption methods to protect against attackers. Generally PGP encryption, along with\u00a0other forms of data protection<\/a>, can be a valuable part of your customers\u2019 security strategy.<\/p>\n

In the early days of encryption, a user would craft a code, or key, and use that key to encrypt whatever sensitive information they were trying to send. The same key that was used to encrypt the key was also used to decrypt it. The use of one key to encrypt and decrypt is known as traditional, symmetric-key encryption. It\u2019s great, except for one not-so-small factor\u2014you can send the encrypted message, but for the receiver to understand the message they need the key. This is where risk comes into play. A key in transit is at the mercy of attackers looking to intercept the message, snag the key, and subsequently, gain access to highly sensitive data and information.<\/p>\n

What is a PGP encryption key?<\/b><\/h3>\n

If you\u2019re wondering what a PGP key is, in fact, it\u2019s more than a single key\u2014it\u2019s a term used to describe a pair of public and private keys that work together to encrypt and decrypt information. PGP was developed by Phil Zimmerman in 1991. Phil, an antinuclear activist, believed the world needed a better way to store and send sensitive information. He launched PGP as a free service and it quickly gained attention and popularity.<\/p>\n

How PGP works is that the encryption relies primarily on a form of public key encryption. Public key encryption requires the use of two keys\u2014a public key and a private key\u2014and is considered an asymmetric encryption approach. Public keys are large, numerical values used to encrypt emails, texts, and files. Private keys are algorithms used to decrypt that information.<\/p>\n

To put it simply, a user creates a public key and shares it with whoever they please. This key does not need to be a secret. In fact, a user can even post their public key openly, allowing anyone to access their key and use it to send them information. It\u2019s the private key that needs to be protected. A user leverages the private key to decrypt information that has been encrypted using their public key. No one else should have access to their private key except for them.<\/p>\n

There are several widely approved public key cryptography algorithms out there. PGP programs utilize the two most popular algorithms\u2014Diffie\u2013Hellman (DH) and Rivest\u2013Shamir\u2013Adleman (RSA), named after their investors and inventors, respectively. DH was one of the first public key algorithms and was originally used by the British intelligence agency in 1969, but it didn\u2019t become a published algorithm until 1975. Two years later, MIT computer scientists Ron Rivest, Adi Shamir, and Leonard Adleman announced RSA.<\/p>\n

The start of OpenPGP<\/b><\/h3>\n

PGP\u2019s effectiveness and popularity led it to gain some negative attention from the U.S. government. Why? Because PGP didn\u2019t just catch on with Americans, it also spread to countries across the globe. The government believed PGP was a powerful cryptographic software that should be treated as a form of military equipment, thus requiring a license to be exported.<\/p>\n

With so many eyes on the program, licensing and patenting issues began to abound\u2014the use of the RSA algorithm was a particularly hot topic. There were also many companies that wanted to develop their own PGP-compatible software. Zimmerman put an end to all of this in 1997 when he asked the Internet Engineering Task Force (IETF) to turn PGP into a defined internet standard. They agreed, and OpenPGP was born, thus allowing anyone to implement the PGP encryption methodology into their software.<\/p>\n

How do PGP keys work?<\/b><\/h3>\n

While public key cryptography is the backbone of PGP, the program also relies on traditional symmetric key cryptography, hashing, compression, and digital signatures. So how does PGP work as a whole? The process looks like this:<\/p>\n

    \n
  1. Compression:\u00a0<\/b>Plaintext is large and takes up an unnecessary amount of modem transmission time and disc space. A PGP program will compress the user\u2019s plaintext to make the entire process more efficient. This also reduces patterns found in plaintext, making it harder for hackers to decipher.<\/li>\n
  2. Session Key:\u00a0<\/b>A session key is a one-time only key used to encrypt the compressed plaintext. Encrypted plaintext is known as ciphertext. Session keys rely on traditional, symmetric-key cryptography to encrypt the message because of its speed and efficiency.<\/li>\n
  3. Public Key Encryption:\u00a0<\/b>This session key, which was used to encrypt the entire message, is then encrypted by the PGP software using the recipient\u2019s public key.\u00a0<\/b>Next, the public key-encrypted session key and ciphertext are sent to the recipient.<\/li>\n
  4. Private Key Decryption:\u00a0<\/b>The recipient\u2019s PGP software relies on their private key to decrypt the session key, and then uses the decrypted session key to decrypt the ciphertext. Once decrypted, the recipient can clearly read the sensitive information sent to them.<\/li>\n<\/ol>\n

    There are a few ways to take PGP a step further for those looking to add extra layers of security:<\/p>\n