PGP
abbr.
pretty good privacy
(Pretty Good Privacy) A data encryption program from PGP Corporation, Palo Alto, CA (www.pgp.com). Published as freeware in 1991 and widely used around the world for encrypting e-mail messages and securing files, PGP is available for commercial use and as freeware for personal use. Freeware versions are also available from www.pgpi.org.
For e-mail, PGP sends the key and the encrypted message at the same time. It encrypts the key using a public key algorithm such as RSA and encrypts the message using a secret key algorithm such as IDEA (the original), CAST5, Triple DES or AES. On the receiving side, the secret key is decrypted first, using the public key method, so that it can be used to decrypt the message. PGP also supports digital signatures and PKI.
PGP was developed by Phil Zimmermann, founder of Pretty Good Privacy, Inc., San Mateo, CA. For his pioneering work in cryptography, Zimmermann received numerous awards (his personal Web site is www.philzimmermann.com). In 1997, Network Associates acquired his company. Also in that year, the IETF formed the OpenPGP working group to support an open standard based on PGP. In 2002, the PGP assets from Network Associates were acquired by the newly formed PGP Corporation, and Zimmermann became a consultant to the company. See cryptography, digital signature and web of trust.
PGP, or Pretty Good Privacy, is a security software application used for the encryption and decryption of data. In 1991, Philip R. Zimmermann wrote PGP for the purpose of sending secured data across an insecure network, such as the internet. Individuals, businesses, and governments use strong cryptography programs such as PGP to secure networks, emails, documents, and stored data.
PGP was originally designed as a combination of RSA encryption and a symmetric key cipher known as Bass-O-Matic. RSA is a public key cryptographic algorithm named after its designers Ronald Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm, developed in 1977 (earlier versions of which were partially developed by intelligence agencies), quickly became a major advancement in cryptology. The RSA algorithm depends upon the difficulty in factoring very large composite numbers and is currently the most commonly used encryption and authentication algorithm in the world. Forms of the RSA algorithm were used in the development of modern Internet web browsers, spreadsheets, email, and word processing programs.
Bass-O-Matic is a conventional (often referred to as symmetric) key algorithm. Bass-O-Matic was later replaced by another conventional key algorithm known as IDEA, which enabled more powerful encryption technology.
Conventional cryptology is based on the concept that one key is used in both the encryption and decryption process. The major benefit of conventional cryptology is the speed in which the encryption process takes place. Conventional encryption can be up to one thousand times faster than public key encryption. However, secure key distribution is a major problem in this form of cryptology.
In 1975, Whitfield Diffie and Martin Hellman developed public key cryptology to increase the security of exchanging keys. Each user of a public key based system has a public and private key. First, the user publishes the public key to a server or contact. Next, the contact encrypts the message to the user's public key. Finally, the user employs the private key to decrypt the cipher text (encoded message) received. The combination of both public and conventional key cryptology makes PGP a hybrid cryptosystem. This allows for users of PGP to be able to securely exchange keys and still have a speedy transaction of secured data.
PGP follows a simple process when encrypting plaintext into cipher text. PGP first compresses the document desired for encryption. This saves modem transmission time and strengthens the cryptographic security of the plaintext. Next, PGP creates a session key. The key is a number correlating to the random movements of the user's mouse and the keys that are typed. The key then works with a cryptographic algorithm to encrypt the plaintext. A cryptographic algorithm is a mathematical function in which a computable set of steps must be followed to achieve a desired result. The strength of this encryption is dependent on the strength of the algorithm.
After the data has been encrypted into cipher text, PGP encrypts the session key. The session key is encrypted to the recipient's public key. PGP uses digital certificates to prove the identity of a public key. The cipher text and encrypted session key are then transmitted to the recipient. When the recipient receives the data, PGP uses the user's private key to decrypt the session key. When PGP has recovered the session key, it can be used to decrypt the cipher text.
Though the plaintext has been recovered, there is still a question of authentication. PGP uses digital signatures to tell the recipient of an encrypted message where it came from and who sent it. Digital signatures are created in the opposite way to public key encryption. The sender encrypts a digital signature with their private key and attaches it to the rest of the data transmitted. When the digital signature is received, PGP decrypts it with the sender's public key. Through this process, PGP is able to determine the authenticity of the signature.
Digital signatures produce large amounts of data, slowing transmission and processing speeds. PGP uses a hash function to regulate the amount of data sent. The hash function takes variable amounts of data (the size of the plaintext) and produces a fixed amount called a message digest. PGP then creates a digital signature with the message digest and the user's private key. The hash function also helps to prove the authenticity of the encryption. If the encryption is changed after this process takes place, an entirely new message digest is created. This allows for PGP to detect encryption tampering.
Although PGP encryption has been available to the general public for several years, debate regarding encryption technologies and national security issues, especially in the United States, has ensued. Many government officials argue that strong cryptography programs should not be exported outside the United States. Security algorithms used in PGP type programs were classified as munitions by the United States government. As such, they remained subject to severe export control and restrictions that inhibited their widespread distribution and use. Due to these concerns, there are presently two available PGP applications: PGP and PGPi (international). Any user outside of the United States is currently required to utilize PGPi.
The National Institute of Standards and Technology (NIST) oversees the development of many cryptography standards. One such standard, developed by commercial entities and the United States National Security Agency (NSA) in the 1970s, was termed the Data Encryption Standard (DES). In anticipation of increasing security needs, in the late 1990s, NIST began to work toward the implementation of the Advanced Encryption Standard (AES) to replace DES.
| Meaning | Category |
| Encrypted file (Pretty Good Privacy) | Computing->File Extensions |
| Gnu Privacy Guard | Computing->Security |
| P-GlycoProtein | Medical->Laboratory |
| Pacific Gateway Properties, Inc., of Maryland | Business->AMEX Symbols |
| Partido Galego do Proletariado | Governmental->Politics |
| Pecan Grove Plantation | Business->Firms |
| Population Growth Rate | Governmental->US Government |
| Pretty Good Poster | Internet->Chat |
| Pretty Good Privacy | Computing->Security, Computing->Software, Governmental->Military |
| Pretty Good Protection | Community->Law |
| Prince George's Prison | Community->Law |
| Progressive general paralysis | Medical->Physiology |
| Pursuit Game Pump | Community->Sports |
Pretty Good Privacy is a computer program that provides cryptographic privacy and authentication. It was originally created by Philip Zimmermann in 1991.
PGP and other similar products follow the OpenPGP standard (RFC 2440) for encrypting and decrypting data.
PGP encryption uses public-key cryptography and includes a system which binds
the public keys to a user name. The first version of this system was generally known as a
PGP message encryption normally uses both asymmetric key encryption and symmetric key encryption algorithms.
Commonly, when encrypting a message, the sender uses the public key half of the recipient's key pair to encrypt a symmetric cipher session key. That session key is used, in turn, to encrypt the plaintext of the message. There are several other operational modes (e.g., symmetric key operation only), but these are less commonly used.
The recipient of a PGP-encrypted message decrypts the session key using his private key (the session key was encrypted by the sender using the recipient's public key). Next, he decrypts the ciphertext of the message using the session key.
Use of two ciphers in this way was chosen, despite higher complication, in part because of the very considerable difference in operating speed between asymmetric key and symmetric key ciphers (the difference is often a factor of 1000 or more). This approach also makes it easily possible to send the same encrypted message to two or more recipients.
The entire encryption and decryption operations are completely automated in current PGP desktop versions. Many PGP users' public keys are available to all from the many PGP key servers around the world, most of which coordinate their records so as to act as mirror sites for each other.
A similar strategy is used to detect whether a message has been altered since it was completed (the message integrity property), and whether it was actually sent by the person/entity claimed to be the sender (a digital signature). In PGP, it is used by default in conjunction with encryption, but can be applied to plaintext as well. The sender uses PGP to create a digital signature for the message with either the RSA or DSA signature algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext, and then creates the digital signature from that hash using the sender's private key.
The message recipient uses the sender's public key and the digital signature to recover the original message digest. He compares this message digest with the message digest he computed himself from the (recovered) plaintext. If the signature matches the received plaintext's message digest, it must be presumed (to a very high degree of confidence) that the message received has not been tampered with, either deliberately or accidentally. As well, since it was properly signed, it is very likely (to a very high degree of confidence) that the claimed sender actually did send it.
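The hybrid encryption and hash-then-sign flow described in the sections above, as an added Go example that is not code from PGP or from the original article. It assumes RSA-OAEP to wrap the session key, AES-256-CTR for the body and RSA PKCS#1 v1.5 over SHA-256 for the signature; `Message`, `Seal`, `Open`, `newKey` and `xorStream` are hypothetical names, and the result is not the OpenPGP packet format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message is a constructed container for this example, not an OpenPGP packet.
type Message struct {
	WrappedKeys [][]byte // session key, encrypted once per recipient public key
	Ciphertext  []byte   // body, encrypted once under the session key
	Signature   []byte   // over SHA-256(plaintext); left outside the ciphertext for brevity
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// xorStream applies AES-256-CTR (same call encrypts and decrypts). The zero IV
// is acceptable only because each session key encrypts exactly one message.
func xorStream(key, in []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail: callers pass 32-byte keys
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// Seal signs the digest, encrypts once, and wraps the session key per recipient.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipients ...*rsa.PublicKey) (*Message, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // fresh random session key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	m := &Message{Ciphertext: xorStream(key, plaintext), Signature: sig}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		m.WrappedKeys = append(m.WrappedKeys, wrapped)
	}
	return m, nil
}

// Open unwraps the session key, decrypts, then checks the sender's signature.
func Open(m *Message, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	for _, wrapped := range m.WrappedKeys {
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, wrapped, nil)
		if err != nil || len(key) != 32 {
			continue // this copy was wrapped for a different recipient
		}
		plaintext := xorStream(key, m.Ciphertext)
		digest := sha256.Sum256(plaintext)
		if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], m.Signature); err != nil {
			return nil, fmt.Errorf("signature does not match plaintext: %w", err)
		}
		return plaintext, nil
	}
	return nil, errors.New("no session key wrapped for this private key")
}

func main() {
	sender, alice, bob := newKey(), newKey(), newKey()
	m, err := Seal([]byte("constructed sample message"), sender, &alice.PublicKey, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := Open(m, bob, &sender.PublicKey)
	fmt.Printf("%q %v\n", pt, err)
}
```

The body is encrypted only once however many recipients there are; each extra recipient adds one wrapped copy of the 32-byte session key.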
Both when encrypting messages and when verifying signatures, it is critical that the public key one uses to send messages to
someone or some entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not
overwhelming assurance of that association; deliberate (or accidental) spoofing is
possible. PGP has, from its first versions, always included provisions for distributing a user's public keys in an
'identity certificate' which is so constructed cryptographically that any
tampering (or accidental garble) is readily detectable. But merely making a certificate effectively impossible to modify
undetectably is also insufficient. It can prevent corruption only after the certificate has been created, not before. Users must
also ensure by some means that the public key in a certificate actually does belong to the person/entity claiming it. From its
first release, PGP products have included an internal certificate 'vetting scheme' to assist with this; it has been called a
The web of trust protocol was first described by Zimmermann in the manual for PGP version 2.0:
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
The web of trust mechanism has advantages over a centrally managed PKI scheme such as that used by S/MIME, but has not been universally used. Users have been willing to accept certificates and check their validity manually, or to simply accept them. The underlying problem has found no satisfactory solution.
In the (more recent) OpenPGP specification, trust signatures can be used to support creation of
PGP versions have always included a way to cancel ('revoke') identity certificates. A lost or compromised private key will
require this if communication security is to be retained by that user. This is, more or less, equivalent to the
The problem of correctly identifying a public key as belonging to a particular user is not unique to PGP. All public key /
private key cryptosystems have the same problem, if in slightly different guise, and no fully satisfactory solution is known.
PGP's original scheme, at least, leaves the decision whether or not to use its endorsement/vetting system to the user, while most
other PKI schemes do not, requiring instead that every certificate attested to by a central
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Early versions of PGP have been found to have theoretical vulnerabilities and so current versions are recommended. Indeed, in 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption."[1] In contrast to security systems/protocols like SSL which only protect data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files.
The cryptographic security of PGP encryption depends on the assumption that the algorithms used are unbreakable by direct cryptanalysis with current equipment and techniques. For instance, in the original version, the RSA algorithm was used to encrypt session keys; RSA's security depends upon the one-way function nature of mathematical integer factoring. New, now unknown, integer factorization techniques might, therefore, make breaking RSA easier than now, or perhaps even trivially easy. However, it is generally presumed by informed observers that this is an intractable problem, and likely to remain so. Likewise, the secret key algorithm used in PGP version 2 was IDEA, which might, at some future time, be found to have a previously unsuspected cryptanalytic flaw. Specific instances of current PGP, or IDEA, insecurities, if they exist, are not publicly known. As current versions of PGP have added additional encryption algorithms, the degree of their cryptographic vulnerability varies with the algorithm used. In practice, each of the algorithms in current use is not publicly known to have cryptanalytic weaknesses.
A government agency wanting to read PGP messages would probably use easier means than cryptanalysis, e.g., rubber-hose cryptanalysis, or installing some form of trojan horse or keystroke logging software/hardware on the target computer to capture encrypted keyrings and their passwords. The FBI have already used this attack against PGP [1] [2] in their investigations. However, it is important to note that any such vulnerabilities apply not just to PGP, but to all encryption software.
Phil Zimmermann created the first version of PGP encryption in 1991. The name, "Pretty Good Privacy", is humorously ironic and
was inspired by the name of a grocery store, "Ralph's Pretty Good Grocery," featured in
radio host Garrison Keillor's fictional town, Lake
Wobegon. Of course, the irony is that PGP's security was intended to be not merely pretty good, but excellent. This
first version included a symmetric-key algorithm that Zimmermann had designed
himself, named BassOmatic after a Saturday Night
Live skit. Zimmermann had been a long-time anti-nuclear activist, and created PGP encryption so that similarly inclined
people might securely use BBSs and securely store messages and files. No license
was required for its non-commercial use. There was not even a nominal charge, and the complete source code was included with all copies. PGP found its way onto Usenet and
from there onto the
Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.
Zimmermann challenged these regulations in a curious way. He published the entire source code of PGP in a hardback book, via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could buy the $60 book, cut off the covers, separate the pages, and scan them using an OCR program, creating a set of source code text files. One could then build the application using the freely available GNU C Compiler. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court in respect to PGP, but had been established by the Supreme Court in the Bernstein case.
US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to 7 specific countries and a named list of groups and individuals.
During this turmoil, Zimmermann's team worked on a new version of PGP encryption called PGP 3. This new version was to have considerable security improvements, including a new certificate structure which fixed small security flaws in the PGP 2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP 3 introduced use of the CAST-128 (a.k.a. CAST5) symmetric key algorithm, and the DSA and ElGamal asymmetric key algorithms, all of which were unencumbered by patents.
After the Federal criminal investigation ended in 1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had licensed RSA directly from RSADSI) which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP 3 system. Unlike PGP 2, which was an exclusively command line program, PGP 3 was designed from the start as a software library allowing users to work from a command line or inside a GUI environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997.
Inside PGP Inc., there was still concern about patent issues. RSADSI was challenging the continuation of the Viacrypt RSA license to the newly merged firm. The company adopted an informal internal standard called "Unencumbered PGP": "use no algorithm with licensing difficulties". Because of PGP encryption's importance worldwide (it is thought to be the most widely chosen quality cryptographic system), many wanted to write their own software that would interoperate with PGP 5. Zimmermann became convinced that an open standard for PGP encryption was critical for them and for the cryptographic community as a whole. In July 1997, PGP Inc. proposed to the IETF that there be a standard called OpenPGP. They gave the IETF permission to use the name OpenPGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the OpenPGP Working Group.
OpenPGP is on the Internet Standards Track; the current specification is RFC 2440 (July 1998). OpenPGP is still under active development and a follow-on to RFC 2440 was being actively finalized by the OpenPGP working group in 2006.
The Free Software Foundation has developed its own OpenPGP-compliant program called GNU Privacy Guard (abbreviated GnuPG or GPG). GnuPG is freely available together with all source code under the GNU General Public License (GPL) and is maintained separate from several GUIs. Several other vendors have also developed OpenPGP-compliant software.
In December, 1997 PGP Inc. was acquired by Network Associates, Inc. Zimmermann and the PGP team became NAI employees. NAI continued to pioneer export through software publishing, being the first company to have a legal export strategy by publishing source code. Under its aegis, the PGP team added disk encryption, desktop firewalls, intrusion detection, and IPsec VPNs to the PGP family. After the export regulation liberalizations of 2000 which no longer required publishing of source, NAI stopped releasing source code, over the PGP team's objection. There was consternation amongst PGP users worldwide at this and, inevitably, some conspiracy theories as well.
In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for Hush Communications, who provide an OpenPGP-based email service, Hushmail. He has also worked with Veridis and other companies. In October, 2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Commandline version). In February 2002, NAI cancelled all support for PGP products, with the exception of the re-named commandline product. NAI (now McAfee) continues to sell and support the product under the name McAfee E-Business Server.
In August 2002, several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command line version) from NAI. PGP Corporation is supporting existing PGP users and honoring NAI support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In 2003 PGP Corporation created a new server-based product offering called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In 2005 PGP Corporation made its first acquisition—the German software company Glueck and Kanja Technology AG, which is now PGP Deutschland AG. Since the 2002 purchase of NAI PGP assets, PGP Corporation has offered worldwide PGP technical support from their office in Draper, Utah.
While originally used primarily for encrypting the contents of email messages and attachments from a desktop client, PGP products have been diversified since 2002 into a set of encryption applications which can be managed by an optional central policy server. PGP encryption applications include email and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers and, more recently, HTTP traffic without TLS/OpenPGP.
The PGP Desktop 9.x application includes desktop email, digital signatures, IM security, laptop whole disk encryption, file and folder security, self decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.
The PGP Universal 2.x management server handles centralized deployment, security policy, policy enforcement and reporting. It is used for automated email encryption in the gateway and manages PGP Desktop 9.x clients. It works with the PGP public keyserver—called the PGP Global Directory—to find recipient keys. It has the capability of delivering email securely when no recipient key is found via a secure HTTPS browser session.
With PGP Desktop 9.0 managed by PGP Universal Server 2.0, released in 2005, all PGP encryption applications are based on a new proxy-based architecture. These newer versions of PGP software eliminate the use of email plug-ins and insulate the user from changes to other desktop applications. All desktop and server operations are now based on security policies and operate in an automated fashion. The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications. PGP Desktop 9.0 is available as a 32-bit application only, and therefore does not support 64-bit editions of Microsoft Windows including the 64-bit version of Windows Vista.
New versions of PGP applications use both OpenPGP and S/MIME, allowing communications with any user of a NIST specified standard.
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
Copyrights:
Dictionary. The American Heritage® Dictionary of the English Language, Fourth Edition Copyright © 2007, 2000 by Houghton Mifflin Company. Updated in 2007. Published by Houghton Mifflin Company. All rights reserved.
Computer Desktop Encyclopedia. THIS COPYRIGHTED DEFINITION IS FOR PERSONAL USE ONLY. All other reproduction is strictly prohibited without permission from the publisher. © 1981-2008 Computer Language Company Inc. All rights reserved.
Intelligence Encyclopedia. Encyclopedia of Espionage, Intelligence, and Security. Copyright © 2004 by The Gale Group, Inc. All rights reserved.
Abbreviations. STANDS4.com - The source for acronyms and abbreviations. Copyright ©2006 STANDS4 LLC. All rights reserved.
Wikipedia. This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Pretty Good Privacy".