Principles Of Pretty Good Privacy Information Technology Essay
data is so easily duplicated and shared. This is why more and more organizations are looking to encrypt all their information. A word of warning to beginners to encryption. The PGP program, notwithstanding its user-friendly graphical user interface, may take some getting used to here and there. At the USENIX Security Symposium in 1999, Alma Whitten & J. Tygar published a paper entitled “Why Johnny Can’t encrypt” in which they point out some of the usability problems associated with the software. The paper is available at www.sims.berkeley.edu/~alma
With this in mind, our tutorial aims to help you get over the initial hurdles at least so you can be up and running using the software without much difficulty. The features of PGP introduced in this tutorial are all you need to know to use the program to protect your privacy in the normal run of affairs. But bear in mind that to become a power user of PGP–one who takes advantage of the full suite of encryption protections–you will need to invest some time in reading the Manual that accompanies the program. The Manuals for each version of PGP can be downloaded from the PGP International web site at http://www.pgpi.org/doc/guide/.
II. Platforms:
PGP is available for many different platforms, including Windows, Unix,MS-DOS, OS/2, Macintosh, Amiga and Atari.
III. Latest versions:
The latest international freeware versions of PGP are 6.5.1i (Windows 95/98/NT and MacOS only) and 5.0i (other platforms). The older 2.6.3i is still available, but you may experience incompatibility problems if you are communicating with users of PGP 5.0 and later. You can download the most recent versions here. However, there are many other versions of PGP, both freeware and commercial.
IV. How Does It Works:
PGP uses a variation of the public key system. In this system, each user has a publicly known encryption key and a private key known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver’s private key to decrypt the short key and then uses that key to decrypt the message.
PGP comes in two public key versions - Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key.
For sending digital signatures, PGP uses an efficient algorithm that generates a hash (or mathematical summary) from the user’s name and other signature information. This hash code is then encrypted with the sender’s private key. The receiver uses the sender’s public key to decrypt the hash code. If it matches the hash code sent as the digital signature for the message, then the receiver is sure that the message has arrived securely from the stated sender. PGP’s RSA version uses the MD5 algorithm to generate the hash code. PGP’s Diffie-Hellman version uses the SHA-1 algorithm to generate the hash code.
To use PGP, you download or purchase it and install it on your computer system. Typically, it contains a user interface that works with your customary e-mail program. You may also need to register the public key that your PGP program gives you with a PGP public-key server so that people you exchange messages with will be able to find your public key.
Where Can You Use PGP?
Originally, the U.S. government restricted the exportation of PGP technology. Today, however, PGP encrypted e-mail can be exchanged with users outside the U.S if you have the correct versions of PGP at both ends. Unlike most other encryption products, the international version is just as secure as the domestic version.
There are several versions of PGP in use. Add-ons can be purchased that allow backwards compatibility for newer RSA versions with older versions. However, the Diffie-Hellman and RSA versions of PGP do not work with each other since they use different algorithms.
V. PGP Commands
PGP commands are installed with software that is designed specifically for generating the commands for data encryption. The command line is installed by running the setup and then installing the software into your preferred location.
After the command lines are installed it is necessary to configure the PGP before sending encrypted email. The configuration requires you to create a public and private key pair before extracting the public key and adding the public key for the email recipient.
Key Pair Generation:Â Key pair generation involves identifying the key type, the algorithm associated with the key type, the size of the key, a user ID, validation of the private key for signing the email, and a password.
Public Key Extraction:Â The public key for both the sender and the recipient can be extracted in the form of a text file and by using a PGP command. Once the key is extracted it should be exchanged between the sender and the recipient before communication commences.
Add the Recipient’s Key:Â The recipient’s key is added through the use of a PGP command line and is also added to the sender’s key ring. Once the recipient’s key is authenticated, the sender can encrypt the file using the recipient’s ID and the private key that is held by the sender to sign the email.
These are the basic methods for using PGP for encryption. There are additional strategies that are used depending upon the data privacy needs and the requirements of an organization when it comes to securing sensitive data during transmission.
VI. Where did it come from?
Rarely does anything of significance arise out of the blue.  PGP (Pretty Good Privacy) is the culmination of a long history of cryptographic discoveries. Cryptography is the science of writing messages in secret codes. It is nothing new. Since the human race became a species of its own, we have pondered the challenge of concealing our communications from others. Secrecy–stealth–is not a preserve of the human species. It is a matter of survival for all our brothers, sisters and cousins in the animal world from which we have evolved. Whether in times of peace or in times of war, we all harbor secret thoughts, feelings, desires, objectives, and so forth that we want to share only with those we absolutely trust, and that we want to carefully conceal from those who would take advantage of us if they knew what we had in mind.
Encryption makes this possible, and one of the strongest encryption tools available to us today is PGP.
Phil Zimmermann invented PGP because he recognized that cryptography “is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.” You can read Phil Zimmermann’s fuller explanation as to why you need PGP. In the development of PGP, Zimmermann was greatly assisted by his knowledge of the long history of cryptography. Like Sir Isaac Newton, Zimmermann was able to achieve what he achieved because he “stood on the shoulders of giants” who went before him.
How does PGP work?
OK, here goes; put your thinking cap on… If this gets overly technical for you, and your eyes start to glaze over, don’t worry about it. It’s nice if you can understand what’s going on with Public and Private Key encryption, but it’s not necessary right away. You’ll understand it better as you start to use it and as you interact with others who use it and can explain what’s going on. For now, it’s sufficient to just follow the sets of numbered steps carefully in order to learn the skills required to use PGP. But read over what follows and understand it as best you can.
When you have successfully completed Step 3 of this tutorial, you’ll have created two keys to lock and unlock the secrets of your encoded information. A key is a block or string of alphanumeric text (letters and numbers and other characters such as !, ?, or %) that is generated by PGP at your request using special encryption algorithms.
The first of the two keys you’ll create is your Public Key, which you’ll share with anyone you wish (the tutorial also will show you how you can put your Public Key on an international server so that even strangers could send you encrypted data if they wanted). Your Public Key is used to encrypt–put into secret code–a message so that its meaning is concealed to everyone except you
Then there is your Private Key, which you’ll jealously guard by not sharing with anyone. The Private Key is used to decrypt–decode–the data (messages and so forth) that have been encrypted using your Public Key. This means that the message encrypted (encoded) using your Public Key can only be decrypted (decoded) by you, the owner of the corresponding Private Key.
The designation of one of the two keys (Key1, say) as Public and the other (Key2) as Private is purely arbitrary since there is no functional difference between the two. PGP chooses one to act as the Public Key and designates the other as the Private Key. If it chooses to designate them in the other order (Public=Key2 and Private=Key1), it would make no difference. This is because when either key is used to encrypt something, the other will act as the corresponding decrypting key to convert the encrypted data back into its original form. This capability is at the heart of the “Signing” process mentioned in Steps 8 through 10 below.
Public and Private Key encryption solves one of two major problems with older methods of encryption, namely that you had to somehow share the key with anyone you wanted to be able to read (decrypt) your secret message. The very act of sharing the key meant that some untrustworthy so-and-so could intercept it–and frequently did. Which meant your code was practically useless.
The second major problem with older methods of encryption was the relative ease with which the code could be broken. Codes have to be incredibly complex if they’re to foil the attempts of astute humans to crack them. This is all the more the case today when we have increasingly powerful computers to do the dirty, “brute force,” work of trying every conceivable combination of key possibilities for us. PGP, and other similar encryption systems, use a key that is really–well–astronomically large, meaning that the number of binary bits (1s and 0s) used to create it has an astronomically large number of possible combinations and the actual decimal (base 10) value they represent is–well–huge. Unlike earlier encryption methods, the security of PGP encryption lies entirely with the key. Earlier encryption methods relied on “security through obscurity” (ie: keeping secret the method used to do the encryption). The methods used to do PGP encryption are known and documented. It is PGP’s selection of the complex keys used to do an encryption that makes it next to impossible to crack.
The size of the key can be increased whenever necessary to stay one step ahead of advances in technology. Time alone will tell if PGP can stand the test of time, but for now it’s one of the best encryption technologies you’ll find.
If you would like to read the history of encryption and understand the origins of Zimmermann’s PGP program, an excellent account is given in Simon Singh’s CODE BOOK (Doubleday, New York, NY, 1999). Find out more about PGP at the International PGP home page. The Crypto Rights Foundation is another good website for information regarding privacy issues. You might also like to join the PGP-BASICS User group where you can find speedy and informed answers to questions that might arise as you get started using PGP. Once you’re more experienced with the program, you can join the PGP Users Mailing List so you can keep in touch with issues related to privacy.
VII. Compatibility
As PGP evolves, PGP systems that support newer features and algorithms are able to create encrypted messages that older PGP systems cannot decrypt, even with a valid private key. Thus, it is essential that partners in PGP communication understand each other’s capabilities or at least agree on PGP settings.
VIII. Confidentiality
PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key. The session key is protected by encrypting it with the receiver’s public key thus ensuring that only the receiver can decrypt the session key. The encrypted message along with the encrypted session key is sent to the recipient.
IX. Digital signatures
PGP supports message authentication and integrity checking. The former is used to detect whether a message has been altered since it was completed (the message integrity property), and the latter to determine whether it was actually sent by the person/entity claimed to be the sender (a digital signature). In PGP, these are used by default in conjunction with encryption, but can be applied to the plain text as well. The sender uses PGP to create a digital signature for the message with either the RSA or DSA signature algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext, and then creates the digital signature from that hash using the sender’s private key.
X. Web Of Trust:
Both when encrypting messages and when verifying signatures, it is critical that the public key used to send messages to someone or some entity actually does ‘belong’ to the intended recipient. Simply downloading a public key from somewhere is not overwhelming assurance of that association; deliberate (or accidental) impersonation is possible. PGP has, from its first versions, always included provisions for distributing a user’s public keys in an ‘identity certificate’ which is also constructed cryptographically so that any tampering (or accidental garble) is readily detectable. But merely making a certificate which is impossible to modify without being detected effectively is also insufficient. It can prevent corruption only after the certificate has been created, not before. Users must also ensure by some means that the public key in a certificate actually does belong to the person/entity claiming it. From its first release, PGP products have included an internal certificate ‘vetting scheme’ to assist with this; a trust model which has been called a web of trust. A given public key (or more specifically, information binding a user name to a key) may be digitally signed by a third party user to attest to the association between someone (actually a user name) and the key. There are several levels of confidence which can be included in such signatures. Although many programs read and write this information, few (if any) include this level of certification when calculating whether to trust a key.
The web of trust protocol was first described by Zimmermann in 1992 in the manual for PGP version 2.0:
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
The web of trust mechanism has advantages over a centrally managed public key infrastructure scheme such as that used by S/MIME but has not been universally used. Users have been willing to accept certificates and check their validity manually or to simply accept them. No satisfactory solution has been found for the underlying problem.
XI. Certificates:
In the (more recent) Open PGP specification, trust signatures can be used to support creation of certificate authorities. A trust signature indicates both that the key belongs to its claimed owner and that the owner of the key is trustworthy to sign other keys at one level below their own. A level 0 signature is comparable to a web of trust signature since only the validity of the key is certified. A level 1 signature is similar to the trust one has in a certificate authority because a key signed to level 1 is able to issue an unlimited number of level 0 signatures. A level-2 signature is highly analogous to the trust assumption users must rely on whenever they use the default certificate authority list (like those included in web browsers); it allows the owner of the key to make other keys certificate authorities.
PGP versions have always included a way to cancel (‘revoke’) identity certificates. A lost or compromised private key will require this if communication security is to be retained by that user. This is, more or less, equivalent to the certificate revocation lists of centralized PKI schemes. Recent PGP versions have also supported certificate expiration dates.
The problem of correctly identifying a public key as belonging to a particular user is not unique to PGP. All public key / private key cryptosystems have the same problem, if in slightly different guise, and no fully satisfactory solution is known. PGP’s original scheme, at least, leaves the decision whether or not to use its endorsement/vetting system to the user, while most other PKI schemes do not, requiring instead that every certificate attested to by a central certificate authority be accepted as correct.
XII. Criminal investigation:
Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for “munitions export without a license”. Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.
Zimmermann challenged these regulations in a curious way. He published the entire source code of PGP in a hardback book, via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could buy the $60 book, cut off the covers, separate the pages, and scan them using an OCR program, creating a set of source code text files. One could then build the application using the freely available GNU Compiler Collection. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions-guns, bombs, planes, and software-was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in theBernstein case and the Sixth Circuit Court of Appeals in the Junger case).
US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to 7 specific countries and a list of named groups and individuals[citation needed] (with whom substantially all US trade is prohibited under various US export controls).
XIII. PGP 3 and founding of PGP Inc.
During this turmoil, Zimmermann’s team worked on a new version of PGP encryption called PGP 3. This new version was to have considerable security improvements, including a new certificate structure which fixed small security flaws in the PGP 2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP 3 introduced use of the CAST-128 (a.k.a. CAST5) symmetric key algorithm, and the DSA and El Gamal asymmetric key algorithms, all of which were unencumbered by patents.
After the Federal criminal investigation ended in 1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had licensed RSA directly from RSADSI) which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP 3 system. Unlike PGP 2, which was an exclusively command line program, PGP 3 was designed from the start as a software library allowing users to work from a command line or inside a GUI environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997.
XIV. Open PGP:
Inside PGP Inc., there was still concern about patent issues. RSADSI was challenging the continuation of the Viacrypt RSA license to the newly merged firm. The company adopted an informal internal standard called “Unencumbered PGP”: “use no algorithm with licensing difficulties”. Because of PGP encryption’s importance worldwide (it is thought to be the most widely chosen quality cryptographic system), many wanted to write their own software that would interoperate with PGP 5. Zimmermann became convinced that an open standard for PGP encryption was critical for them and for the cryptographic community as a whole. In July 1997, PGP Inc. proposed to the IETF that there be a standard called Open PGP. They gave the IETF permission to use the name Open PGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the Open PGP Working Group.
Open PGP is on the Internet Standards Track and is under active development. The current specification is RFC 4880 (November 2007), the successor to RFC 2440. Many e-mail clients provide Open PGP-compliant email security as described in RFC 3156.
The Free Software Foundation has developed its own Open PGP-compliant program called GNU Privacy Guard (abbreviated Gnu PG or GPG). Gnu PG is freely available together with all source code under the GNU General Public License (GPL) and is maintained separately from several Graphical User Interfaces (GUIs) that interact with the Gnu PG library for encryption, decryption and signing functions (see KGPG, Seahorse, Mac GPG). Several other vendors have also developed Open PGP-compliant software.
XV. Network Associates acquisition:
In December 1997, PGP Inc. was acquired by Network Associates, Inc. (“NAI”). Zimmermann and the PGP team became NAI employees. NAI was the first company to have a legal export strategy by publishing source code. Under NAI, the PGP team added disk encryption, desktop firewalls, intrusion detection, and IP sec VPNs to the PGP family. After the export regulation liberalizations of 2000 which no longer required publishing of source, NAI stopped releasing source code.
In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for Hush Communications, who provide an Open PGP-based e-mail service, Hushmail. He has also worked with Veridis and other companies. In October, 2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Command line version). In February 2002, NAI cancelled all support for PGP products, with the exception of the re-named command line product. NAI (now McAfee) continues to sell and support the product under the name McAfee E-Business Server.
XVI. Applications:
Using the PGP encryption softwareto send (encrypt and sign) and receive (decrypt) secure E-Mails.
Using your Default Public key to save a backup, encrypted, decipherable copy of all your E-Mail messages.
PGP signing your own unencrypted E-Mails.
Weaving the Web of Trust-Signing someone else’s Key.
Usingh the PGP encryption software to protect(Encrypt) your documents.
Using PGP to Wipe files from your disk.
Obtaining and adding someone else’s Key to your key ring.
Making your public key available through a certificate server.
Changing your paraphrase.
Setting up(Creating) your public and private PGP keys.
XVII. What are the Disadvantages of PGP Encryption?
Pretty good privacy, or PGP, is a cryptography solution used to help protect sensitive data sent across a network. PGP works by compressing cleartext data first. It then creates a session key that is a random number. This random number is then run through the cryptography software to create the session key, which is public, and a private key for the sender. When the cleartext is encrypted, the public key is encrypted to the recipient’s private key. When the recipient receives the ciphertext, he uses his private key to decrypt the data so it can be read.
While PGP is considered a best practice among security professionals, it does have its disadvantages.
XVIII. Complexity:
PGP is considered to be a complex process by many people and, therefore, it is avoided in many cases. When people find a process too difficult to grasp, they often refuse to use it, even if the benefits are well known.
Properly training users in how PGP works and how to use PGP will help alleviate any issues related to the belief that it is too complex to use on a regular basis.
PGP is a Two-way Street
In order for some PGP encryption to work, both the sender and the recipient must be using it. If the sender emails a file to a recipient who is not using PGP, she will be unable to open the file to view it.
Using newer PGP software that is a self-decrypting archive (SDA) can alleviate this issue. In a case where a document is encrypted using PGP, the recipient can encrypt the file when he needs to open it.
Key Management
Managing keys can be challenging for users new to PGP. Keys that are lost or corrupted can be a security risk to users in a highly secure environment. Also, these problems can lead to recipients being unable to open encrypted files.
Implementing an SDA solution is one way to help mitigate issues related to key management. Another way to help prevent issues from arising in a PGP solution is to properly train new users in how PGP works.
Conclusion
Cryptography assumed a whole new significance with the development of e-commerce in the mid-1990s. Perhaps the biggest roadblocks to e-commerce were consumer fears over privacy and the security of their financial and personal information. Because of this, cryptography was of central importance to the growth of the Internet economy.
Encryption is the scrambling of text-based messages into unrecognizable code via a complex mathematical algorithm. Only those with the correct “key” are able to encrypt or decrypt such a message in a given cryptographic system. The key is a set of specific parameters, based on the algorithmic encryption formula, that act to lock and unlock the coded information. The formula typically consists of a long string of bits, sometimes more than 200 digits long. The more digits involved and the more complicated the algorithmic equation used to generate the code, the more difficult the hacker’s job in breaking it.
The two basic infrastructures used in cryptographic systems are public-key and private-key. While early computer systems used private-key cryptography almost exclusively, by the late 1990s and early 2000s the tide was shifting in favor of public-key cryptography. The dominant encryption standards were testament to the sea of change. The 25-year-old Data Encryption Standard (DES), a private-key algorithm developed by the NSA, was being phased out due to its lack of flexibility and a level of security that could no longer withstand sophisticated modern attacks, not to mention the limited use of private-key systems in e-commerce. In its place, the public-key Advanced Encryption Standard (AES) was preparing for international launch in the early 2000s.
Refrences
[1]. http://ecommerce.hostip.info/pages/271/Cryptography-Public-Private-Key.htmlÂ
[2]. www.cryptography.org/getpgp.htm
[3]. http://www.openpgp.org/
[4].https://supportimg.pgp.com/guides/Tech_Note_PGP_WDE_Recovering_Data_Mac_OS_X.pdf
[5]. http://www.wisegeek.com/what-is-pgp.htm
[6]. http://www.spamlaws.com/how-PGP-works.html
[7]. http://www.pitt.edu/~poole/PGP.htm
[8]. http://www.pgp.com/products/packages/desktop_pro/
[9]. http://searchsecurity.techtarget.com/definition/Pretty-Good-Privacy
[10].http://www.symantec.com/business/support/index?page=content&id=TECH149231&key=59279
[11]. http://home.clara.net/heureka/sunrise/pgp.htm
[12]. http://www.pgpi.org/doc/overview/
[13]. http://thegate.gamers.org/~tony/pgp.html
[14.] http://oreilly.com/catalog/9781565920989
[15]. http://www.slideshare.net/izacus/pretty-good-privacy
[16]. http://www.thenakedpc.com/articles/v04/18/0418-03.html
[17]. http://simple.wikipedia.org/wiki/Pretty_Good_Privacy
Order Now