What is PGP? Pretty Good Privacy Definition

Pretty Good Privacy (PGP) is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption. 

PGP was first designed and developed in 1991 by Paul Zimmerman, a political activist. PGP software was owned and sold by a company called PGP Corporation, which was founded in 2002 then sold to Symantec in 2010. 

Email is a prime attack method for cyber criminals who can easily forge messages using a victim’s name or identity. PGP aims to solve this and enhance email security by encrypting the data to make the communication method more private. 

PGP was one of the first public-key cryptography software publicly available for free. Originally, it was used to enable individual users to communicate on bulletin board system computer servers. Later, it was standardized and supported by other applications such as email. It has now become a core standard in email security and has been widely used to protect individuals and organizations. 

The data encryption program provides cryptographic authentication and privacy for data used in online communication. This allows PGP to be used for encrypting and decrypting text messages, emails, and files.

How Does PGP Encryption Work?

PGP works through a combination of cryptography, data compression, and hashing techniques. It is similar to other popular encryption methods such as Kerberos, which authenticates network users, secure sockets layer (SSL), which secures websites, and the Secure File Transfer Protocol (SFTP), which protects data in motion. 

PGP uses the public key system in which every user has a unique encryption key known publicly and a private key that only they know. A message is encrypted when a user sends it to someone using their public key, then decrypted when the recipient opens it with their private key. It combines private-key and public-key cryptography and the use of symmetric and asymmetric key technology to encrypt data as it travels across networks.

PGP follows a three-step process:

  1. Step 1: PGP generates a huge, one-time-use public encryption algorithm that cannot be guessed, which becomes the random session key.
  2. Step 2: The session key is then encrypted using the recipient’s public key, which protects the message while being transmitted. The recipient shares that key with anyone they want to receive messages from.
  3. Step 3: The message sender submits their session key, then the recipient can decrypt the message using their private key.

Encrypting entire messages can take a long time, but PGP encrypts it using a faster algorithm. PGP compresses plaintext data, which saves on disk space and transmission time, as well as reinforces cryptographic security. The public key is used to encrypt the shorter version that encrypted the full message. Both are sent to the recipient, who uses their private key to unlock the shorter key, then decrypt the full message.

PGP uses efficient algorithms that create a mathematical summary known as a hash to send digital signatures. The hash code, which can be usernames and other digital data, is encrypted by the message sender’s private key. The recipient uses the message sender’s public key to decrypt the hash, and if it matches that sent by the sender, then it confirms that the message was securely received.

There are two public key versions of PGP:

Rivest-Shamir-Adleman (RSA): RSA is one of the first public-key cryptosystems, which encrypts a short key created using the International Data Encryption Algorithm (IDEA). This sees users create and publish public keys based on two prime numbers, which are required for anyone to decode, and use the message-digest algorithm (MD5) to create a hash code.

The RSA algorithm is effectively considered unbreakable, to the point where it has been used in highly sophisticated malware strands such as CryptoLocker. However, it is a fairly slow algorithm, which means it is not appropriate for encrypting user data.

Diffie-Hellman: The Diffie-Hellman version enables two users to generate shared private keys through which they can exchange data on insecure channels. It encrypts the message with a short key using the CAST algorithm and the Secure Hash Algorithm (SHA-1) to create a hash code.

Uses of PGP Encryption

The most common reason for PGP encryption use is to enable people to confidentially send messages and data to each other using a combination of their public and private keys. It is often used to encrypt and decrypt emails, files, text messages, and entire disk partitions, and to authenticate digital certificates. 

PGP is also used to authenticate messages and for integrity checking, which detects whether a message is altered after it was written and sent by the person who claims to have sent it. PGP creates a digital signature for private and public keys to prove that a sender is the rightful owner of the message.

PGP can also be used to confirm that a message reaches the intended recipient. A user’s public key can be distributed in an identity certificate, which is constructed to ensure that tampering is easily detected. PGP products can also confirm whether a certificate belongs to someone, also known as the web of trust concept.

Encrypting Emails

PGP is most commonly used to encrypt email messages. It was initially used by anyone wanting to share sensitive information, such as activists and journalists. But its popularity has increased significantly in the face of organizations and government agencies collecting user data, as people look to keep their personal and sensitive information private.

Digital Signature Verification

PGP can be used for email verification. For example, if an email recipient is not sure about the identity of the people sending them an email, they can use a digital signature in conjunction with PGP to verify their identity.

A digital signature works through algorithms that combine a sender’s key with the data they try to send in an email message. This creates a hash function, which is an algorithm that converts the email message into a fixed-size block of data. That data is then encrypted using the email sender's private key, and the recipient can decrypt the message using the sender's public key.

As a result, the recipient will know whether any character in the message has been amended in transit. This tells them whether the sender is who they claim to be, whether a fake digital signature has been used, or if the email message has been tampered with or hacked.

Encrypting Files

The algorithm that PGP uses, which is typically the RSA algorithm, is largely considered unbreakable, which makes it ideal for encrypting files. It is particularly effective when used with a threat detection and response tool. File encryption software enables users to encrypt all of their files while removing the complexity of the encryption-decryption process.

Advantages and Disadvantages of PGP Encryption

PGP encryption usage is typically dependent on how secure an individual or organization needs their communication and files to be. It requires users to put more work into sending and receiving messages from trusted contacts but hugely increases the security of their communications. PGP also allows organizations to make their systems, resources, and users more secure and enhances the resilience of their systems against cyberattacks.

There are benefits and challenges with using PGP encryption, depending on what it is being used for.

Advantages of PGP Encryption

The biggest advantage of PGP encryption is that the algorithm is unbreakable. It is widely used by people who need to secure their private communications and is considered a leading method for enhancing cloud security. That is because PGP makes it impossible for a hacker, nation-states, or government agencies to break into files or emails protected by PGP encryption. 

However, there have been stories that note security failings in some PGP implementations like EFAIL, which was a vulnerability in OpenPGP and S/MIME end-to-end encryption technologies.

Disadvantages of PGP Encryption

  1. Complexity of use: PGP encryption’s biggest downside is that it is typically not user-friendly. Encrypting data and files using PGP takes time and effort, which can complicate message sending for users. Organizations must provide employee training if they are considering implementing PGP.
  2. Key management: Users need to fully understand how the PGP system works to ensure they do not inadvertently create holes in their security defenses. This can either be through the incorrect usage of PGP or losing or corrupting keys, which puts their fellow users at risk in highly secure environments.
  3. Lack of anonymity: PGP will encrypt messages that users send, but it does not anonymize them. As a result, senders and recipients of emails sent through a PGP solution can be traced. The subject line of the message is also not encrypted, so avoid including sensitive data or information. Users who want to hide their location can use anonymous browsers through proxy servers or virtual private networks (VPNs). They can also use encrypted messaging applications, such as Signal, that provide simple-to-use encryption or anonymization, which is a more efficient alternative to encrypting stored data.
  4. Compatibility: It is impossible to use PGP unless both the sender and recipient of the communication are using the same version of the software. 

How Fortinet Can Help

The Fortinet FortiMail service is a secure email gateway solution that protects users’ inboxes, detects and prevents inbound threats and outbound traffic, and enforces policies that ensure compliance and protect valuable data. It works with on-premises and cloud infrastructures, such as Exchange, Microsoft 365, and G Suite. FortiMail is backed by FortiGuard Labs, which provides real-time visibility into threat-intelligence feeds and global traffic patterns from the evolving threat landscape. 

The FortiMail email system incorporates antispam and antivirus systems that protect businesses from threats within messages and prevent their email systems from delivering threats. They block spam and malware before either can affect networks and users. FortiMail also takes a multilayered approach to securing email to help ensure organizations identify and prevent malware, phishing attacks, and spam. It also enables them to secure their defenses against advanced attacks like business email compromise (BEC), spoofing, and whaling.

Further, FortiMail provides identity-based encryption (IBE), which is a public-key cryptography format that uses unique user information to generate a public key. The Fortinet IBE enforces policy-based encryption so content is delivered securely. 

FortiMail is easy to use and provides simple certificate and key management tools for users without installing additional hardware or software. It also does not require user provisioning, which means businesses do not have to provide training. Plus, it reduces maintenance costs. FortiMail is also one of the few products that offer push-and-pull IBE delivery, which sends encrypted email either directly to users or on the FortiMail platform.

FAQs

What is PGP and how does it work?

PGP is short for Pretty Good Privacy, a security program that enables users to communicate securely by decrypting and encrypting messages, authenticating messages through digital signatures, and encrypting files. It was one of the first freely available forms of public-key cryptography software.

PGP works by combining cryptography, data compression, and hashing techniques. It encrypts data so that users can share messages securely using private-key and public-key cryptography, as well as symmetric and asymmetric keys.

Is PGP the same as GPG?

No, PGP and Gnu Privacy Guard (GPG) are two separate programs designed to protect user communication. PGP began as freeware, which was copyrighted under the Gnu Public License. It was later upgraded and became a proprietary program using the RSA and IDEA encryption algorithms. A free version of PGP is still available for personal use but cannot be used by organizations.

GPG is a rewrite and upgrade of PGP. It uses the Advanced Encryption Standard (AES) algorithm of the National Institute of Standards and Technology (NIST) rather than IDEA. This, combined with all algorithm data being documented and stored publicly by the OpenPGP Alliance, makes GPG royalty-free and free to use for both individuals and businesses.

How do I get a PGP key?

You can get a PGP key using a PGP program like GPG4WIN or through vendors that provide tools through the open-source solution OpenPGP, which is supported by the Internet Engineering Task Force (IETF). Download and run the application, then select the "Generate key now" button in the pop-up box. 

The software will ask for a name and email address, then enables the user to create a backup of their key and select a location to store the key. You may then need to register your public key, which enables other people to exchange messages with you.

How safe is PGP?

PGP is extremely safe, if used correctly and securely by individuals and organizations’ employees. The encryption method uses algorithms that are considered unbreakable and is one of the most secure ways to protect data and cloud systems. Protecting data with PGP makes it effectively impossible to be intercepted by hackers.