PGP (Pretty Good Privacy) is an encryption program used to send highly sensitive information over the internet. It relies on a mix of public key encryption methods as well as more traditional encryption methods to protect against attackers. Generally PGP encryption, along with other forms of data protection, can be a valuable part of your customers’ security strategy.
In the early days of encryption, a user would craft a code, or key, and use that key to encrypt whatever sensitive information they were trying to send. The same key that was used to encrypt the message was also used to decrypt it. The use of one key to encrypt and decrypt is known as traditional, symmetric-key encryption. It’s great, except for one not-so-small factor—you can send the encrypted message, but for the receiver to understand the message they need the key. This is where risk comes into play. A key in transit is at the mercy of attackers looking to intercept the message, snag the key, and subsequently, gain access to highly sensitive data and information.
What is a PGP encryption key?
If you’re wondering what a PGP key is, in fact, it’s more than a single key—it’s a term used to describe a pair of public and private keys that work together to encrypt and decrypt information. PGP was developed by Phil Zimmermann in 1991. Phil, an antinuclear activist, believed the world needed a better way to store and send sensitive information. He launched PGP as a free service and it quickly gained attention and popularity.
PGP encryption relies primarily on a form of public key encryption. Public key encryption requires the use of two keys—a public key and a private key—and is considered an asymmetric encryption approach. Public keys are large, numerical values used to encrypt emails, texts, and files. Private keys are algorithms used to decrypt that information.
To put it simply, a user creates a public key and shares it with whoever they please. This key does not need to be a secret. In fact, a user can even post their public key openly, allowing anyone to access their key and use it to send them information. It’s the private key that needs to be protected. A user leverages the private key to decrypt information that has been encrypted using their public key. No one else should have access to their private key except for them.
There are several widely approved public key cryptography algorithms out there. PGP programs utilize the two most popular algorithms—Diffie–Hellman (DH) and Rivest–Shamir–Adleman (RSA), each named after its inventors. DH was one of the first public key algorithms and was originally used by the British intelligence agency in 1969, but it didn’t become a published algorithm until 1975. Two years later, MIT computer scientists Ron Rivest, Adi Shamir, and Leonard Adleman announced RSA.
The start of OpenPGP
PGP’s effectiveness and popularity led it to gain some negative attention from the U.S. government. Why? Because PGP didn’t just catch on with Americans, it also spread to countries across the globe. The government believed PGP was a powerful cryptographic software that should be treated as a form of military equipment, thus requiring a license to be exported.
With so many eyes on the program, licensing and patenting issues began to abound—the use of the RSA algorithm was a particularly hot topic. There were also many companies that wanted to develop their own PGP-compatible software. Zimmermann put an end to all of this in 1997 when he asked the Internet Engineering Task Force (IETF) to turn PGP into a defined internet standard. They agreed, and OpenPGP was born, thus allowing anyone to implement the PGP encryption methodology into their software.
How do PGP keys work?
While public key cryptography is the backbone of PGP, the program also relies on traditional symmetric key cryptography, hashing, compression, and digital signatures. So how does PGP work as a whole? The process looks like this:
- Compression: Plaintext is large and takes up an unnecessary amount of modem transmission time and disk space. A PGP program will compress the user’s plaintext to make the entire process more efficient. This also reduces patterns found in plaintext, making it harder for hackers to decipher.
- Session Key: A session key is a one-time only key used to encrypt the compressed plaintext. Encrypted plaintext is known as ciphertext. Session keys rely on traditional, symmetric-key cryptography to encrypt the message because of its speed and efficiency.
- Public Key Encryption: This session key, which was used to encrypt the entire message, is then encrypted by the PGP software using the recipient’s public key. Next, the public key-encrypted session key and ciphertext are sent to the recipient.
- Private Key Decryption: The recipient’s PGP software relies on their private key to decrypt the session key, and then uses the decrypted session key to decrypt the ciphertext. Once decrypted, the recipient can clearly read the sensitive information sent to them.
There are a few ways to take PGP a step further for those looking to add extra layers of security:
- Digital Signatures: Think of digital signatures as harder-to-forge traditional signatures. To create a digital signature, a hash function must first take your plain text and compress it into a message digest. The digest is then encrypted with the sender’s private key. This private key-encrypted digest is the “digital signature” and can be sent along with the encrypted message. The recipient can then use the sender’s public key to decrypt the digital signature and verify the sender is who they say they are.
- Digital Certificates: A digital certificate contains the certificate holder’s public key and other identifying information, including their digital signature. These are third-party credentials and verify the credibility of the certificate holder to confirm a public key is linked to the person you think it is.
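The compression, session key, public key and signature steps above, as an added Python example that is not part of the original article and is not how any PGP program is implemented. Textbook RSA over two fixed Mersenne primes and a SHA-256 keystream stand in for the real algorithms, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import zlib

# Toy RSA key built from two known Mersenne primes so the example needs no
# third-party library. Constructed for illustration; never use such primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                       # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(plaintext: bytes, pub=(N, E)):
    n, e = pub
    compressed = zlib.compress(plaintext)                # compression
    session_key = secrets.token_bytes(16)                # one-time session key
    ciphertext = keystream_xor(session_key, compressed)  # fast symmetric step
    # Only the 16-byte session key goes through the slow public key operation.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, ciphertext

def decrypt(wrapped: int, ciphertext: bytes, priv=(N, D)) -> bytes:
    n, d = priv
    session_key = pow(wrapped, d, n).to_bytes(16, "big")  # private key step
    return zlib.decompress(keystream_xor(session_key, ciphertext))

def _digest(message: bytes, n: int) -> int:
    # Reduced mod n only because this toy modulus is shorter than SHA-256.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv=(N, D)) -> int:
    n, d = priv
    return pow(_digest(message, n), d, n)   # digest processed with private key

def verify(message: bytes, signature: int, pub=(N, E)) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)
```

Each call to `encrypt` draws a fresh session key, so the same plaintext produces a different wrapped key and ciphertext every time, and `verify` fails as soon as a single byte of the signed message changes.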
How do I get my PGP public key?
To get a PGP public key you must first download PGP software. Zimmermann’s original PGP Corporation is now owned by Symantec. There are several Symantec products on the market that use PGP encryption practices. These products come with a variety of bells and whistles, and a price tag.
The good news is, you’re not limited to Symantec products if you want an authentic PGP experience. Since the birth of the OpenPGP standard we discussed earlier, a number of products that capitalize on PGP have come on the market. The GNU Privacy Guard (GPG) is by far the most common and comprehensive free option out there.
To get your public key you must first select which PGP program you want to download. Each program will have its own process, but generally speaking you will follow this brief PGP tutorial:
- Download a PGP program onto your PC or Mac to get started.
- Then click “generate new key pair” to open the key generation function.
- When prompted to select “key type” choose the program’s default—your options will be DH or RSA, the two most common types of public key encryption methods.
- You will then be prompted to add your email and a passphrase. A passphrase is a password comprised of numbers, letters, and characters. The longer the passphrase, the more secure it is. Note that you have the opportunity to change this passphrase at any time.
- Once your passphrase is submitted, the program will begin generating your key pair. During this process, the program may prompt you to click your mouse and keys randomly. The goal of this is to create entropy, a form of randomness that can help the software make your key more secure.
- Your keys will be ready in just a few seconds. The PGP software will add these keys to your keyrings. Keyrings are files located on your hard drive. You should have one keyring for your private key and another keyring for your public key.
Now that you have your public key, how do you share it with others so they can send you sensitive information? There are a few ways to accomplish this. One is to send it directly via email. To do this, simply open your PGP program and either export the key and attach it as a file or copy and paste it into the body of your email.
You can also upload your key to one, or both, of the two public PGP key servers—the PGP Server and the MIT Server. To do this, open your PGP program and select your key. Next find the server menu and hit “Send To.” You will then be prompted to select either PGP or MIT. Choose whichever server you’d like to upload your key to. Remember—anyone can access your public key when it’s posted on a public server, but that’s OK. In fact, that’s actually the point of the server. What matters is that you keep your private key safe at all times.
In addition to sharing your key with others, it’s good practice to add the public keys of the individuals you send sensitive data to onto your keyring. To do this, import the key—whether it’s been sent to you directly or you’ve found it on one of the public servers—and save it to your keyring (remember, this is simply a file containing public keys).
How do I encrypt a file using PGP?
Once you have your pair of keys, you can begin sending and receiving encrypted files. This will involve the same process we outlined above:
- Plain text is compressed
- A one-time only session key is generated
- Session key turns email message into cipher text
- Session key is encrypted with the recipient’s public key
- Cipher text and encrypted session key are sent to the recipient
This sounds complicated, but PGP software will do the work for you. The exact steps you take will vary depending on your PGP software, but they should look something like this:
- Start by crafting the message you’d like to encrypt.
- Once you’re finished, place the cursor in the body of your email and open your PGP software from the toolbar.
- In the menu of the PGP software, select “Current Window” and then “Encrypt.”
- You will now be prompted to select the public key of the individual you would like to send your email to—if you’ve saved their public key to your public keyring, it should be here.
- Next you’ll enter your passphrase and hit “OK,” thus allowing the program to turn your message into ciphertext within the body of your email. All you need to do now is hit “Send.”
The decryption process is similar, only this time you’re using your private key to decrypt a message that has been encrypted by a sender with your public key. Here’s an approximate outline of the decryption process:
- Highlight the ciphertext within the email you’ve received.
- Open your PGP software from the toolbar.
- In the menu of the PGP software, select “Current Window” and then “Decrypt.”
- Enter your passphrase when prompted and hit “OK.” Decrypted text will appear in your email.
While you can’t physically see the inner calculations of your PGP software, rest assured it’s implementing session, public, and private keys to keep your messages secure.
Will PGP protect me from hackers?
PGP’s unique combination of public key cryptography, traditional cryptography methods, digital signatures, and certificates all help safeguard sensitive information you send over the internet. But despite its best efforts, there’s still opportunity for hackers.
The transaction of metadata—email address, subject line, message size—is one of the biggest areas of concern. This metadata is transferred as plaintext and can be leveraged by hackers to analyze information about the encryption software and identify the recipient/sender, allowing them to perform targeted attacks on any system weaknesses they discover. There’s also the possibility of stolen private keys. With a stolen private key in hand, a hacker can decrypt sensitive files sent to the owner of the private key.
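What stays readable without any key, shown on a constructed message (an added example, not from the original article). The addresses, the `ExamplePGP` version string, the dummy armored body and the function name are all made up for illustration.

```python
from email import message_from_string

# Constructed sample of a PGP-encrypted mail as it crosses the network.
# The armored body is dummy base64, not a real OpenPGP message.
RAW = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 acquisition terms
Date: Mon, 01 Jan 2024 09:00:00 +0000

-----BEGIN PGP MESSAGE-----
Version: ExamplePGP 1.0
Comment: constructed sample

hQEMA0NvbnN0cnVjdGVkU2FtcGxlQmxvYg==
=AbCd
-----END PGP MESSAGE-----
"""

BEGIN = "-----BEGIN PGP MESSAGE-----"

def exposed_metadata(raw: str) -> dict:
    """Collect everything an observer can read without holding any key."""
    msg = message_from_string(raw)
    lines = msg.get_payload().splitlines()
    armor = {}
    if BEGIN in lines:
        # ASCII armor may carry "Key: value" headers (Version, Comment, ...)
        # before the first blank line; they identify the sending software.
        for line in lines[lines.index(BEGIN) + 1:]:
            if not line.strip():
                break
            key, _, value = line.partition(": ")
            armor[key] = value
    return {
        "headers": {k: msg[k] for k in ("From", "To", "Subject", "Date")},
        "armor_headers": armor,
        "body_is_armored": BEGIN in lines,
        "size_bytes": len(raw.encode()),
    }

if __name__ == "__main__":
    for field, value in exposed_metadata(RAW).items():
        print(field, "->", value)
```

Only the armored block is protected: the sender, recipient, subject, date, message size and any armor headers are all recoverable from the raw message.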
For MSPs looking to safeguard their customers from security breaches, implementing threat monitoring software can help. These tools are designed to keep watch over your managed networks and can help you monitor for threats, respond to them, and generate reports that help you stay compliant with the latest security standards. Here’s how SolarWinds Threat Monitor [https://www.solarwinds.com/threat-monitor] can complement PGP encryption for more comprehensive security:
- Log Correlation & Analysis: Gathering and correlating log data is time consuming. Threat Monitor is designed to automate this process, collecting logs and data feeds in near real-time from your managed networks. It then correlates and normalizes this information so you can identify relationships between ongoing events.
- Intrusion Detection: Threat Monitor is designed to pinpoint unwanted traffic and software across your managed networks and systems. It offers 24/7 monitoring and will alert you as soon as suspicious activity occurs. You can even set alert thresholds so your time isn’t consumed with benign events.
- Security Automation: Security automation can help you increase threat detection capabilities and reduce response time by automating complex, repetitive, and error-prone security tasks that may otherwise be performed manually. It’s a great way to protect against any human errors that can lead to cybersecurity breaches.