What is PGP?
The abbreviation PGP stands for the English term “Pretty Good Privacy” and means “pretty good privacy”. PGP is a program originally developed by Phil Zimmermann that can be used to both encrypt and sign messages. One of the most important uses of the program is secure communication via email.
Users who use PGP to send email messages have the choice of encrypting only, signing only, or signing and encrypting the message. While encrypting prevents messages from being readable by unauthorized parties, signing serves to prove the authenticity and integrity of the message.
A signed e-mail ensures that it comes from the named sender and that no alteration has taken place. Based on PGP, the OpenPGP standard was developed as a free alternative.
In the meantime, the OpenPGP standard contains many additional functions that were not originally intended in PGP. PGP is based on the so-called public key method with asymmetric encryption. However, PGP also uses symmetric keys, which is why the encryption method can be classified as a hybrid method.
How does PGP encrypt messages?
PGP encryption uses private and public keys. With the public key, anyone can encrypt messages for a recipient. Decryption is only possible with the private key, which must only be known to the recipient. If a message is to be encrypted, the sender uses the recipient’s public key for this purpose.
However, the entire message is not encrypted with the public key because the asymmetric encryption method is very resource-intensive. The actual message is encrypted with a symmetric session key that has been randomly generated beforehand and is regenerated each time. The public key is used to asymmetrically encrypt the symmetric session key, which is then appended to the message.
Thanks to this procedure, the computational effort required for encryption and decryption is reduced and it is easier to send a message to several recipients at the same time.
How can messages be signed with PGP?
To ensure the authenticity and integrity of a message, the sender adds a signature to the message. For this purpose, Pretty Good Privacy generates a digital, unique fingerprint from the plaintext of the message using cryptographic hash procedures. The fingerprint is significantly shorter than the actual message. Using his private key, the sender encrypts this digital fingerprint and adds it to the message.
How are messages decrypted?
To turn encrypted and signed messages back into plaintext, several steps have to be gone through.
First, the symmetric key generated for this session is decrypted using the recipient’s private key. The recipient then uses the symmetric key to decrypt the message.
Once this is done, the message is in plain text with a digital signature. In the next step, PGP verifies the signature to ensure the integrity of the message and the authenticity of the sender. For this purpose, PGP generates the digital fingerprint from the message’s plaintext using the same cryptographic hash method as the sender used.
In addition, PGP decrypts the signature using the sender’s public key. The result is compared with the previously determined digital fingerprint. If both strings match, the recipient can assume that the signature actually comes from the named recipient and that no change has been made to the original message.
Web of Trust
To exchange the public keys in a secure manner, Pretty Good Privacy can use a so-called Web of Trust. In this network, users trust that the keys actually come from the named individuals. The Web of Trust is a decentralized alternative to hierarchical PKI (Public Key Infrastructure) systems. The authenticity of the keys is based on mutual trust and confirmations from the participants in the Web of Trust.