PGP is an abbreviation for Pretty Good Privacy. It is encryption software designed to provide privacy, security, and authentication for Internet communication systems. Phil Zimmermann is the owner of the first PGP software, and according to him it was made available for free due to the increasing social demand for privacy.
Many versions of PGP have been created since its inception in 1991. In 1997 Phil Zimmermann submitted a proposal to the Internet Engineering Task Force (IETF) to create an open source PGP standard. The proposal was accepted and led to the creation of the OpenPGP protocol, which defines standard formats for encryption keys and messages.
Although initially used only to secure emails and attachments, PGP is now applied to a wide range of use cases including digital signatures, full disk encryption, and network protection.
PGP was initially owned by PGP Inc which was later purchased by Network Associates Inc. In 2010, Symantec Corp. purchased PGP for $300 million and the term is now a trademark used for its OpenPGP-compatible products.
How it works
PGP is among the first widely available programs to implement public key cryptography. It is a hybrid encryption system that uses symmetric and asymmetric encryption to achieve a high level of security.
In the simple process of encrypting text, plaintext (data that can be clearly understood) is converted into ciphertext (data that is unreadable). Before encryption, however, most PGP systems compress the plaintext file. Compression saves disk space and transmission time while also improving security.
After the file is compressed, the actual encryption process begins. At this point, the compressed plaintext file is encrypted with symmetric encryption using a single-use key, known as the session key. This key is generated randomly, and each PGP session has a unique session key.
The session key itself is then encrypted (1) using asymmetric encryption. The intended recipient (Bob) provides his public key (2) to the message sender (Alice) so she can encrypt the session key. This step allows Alice to securely share the session key with Bob over the Internet regardless of security conditions.

Asymmetric encryption of the session key is usually done through the use of the RSA algorithm. Many other encryption systems use RSA, including the Transport Layer Security (TLS) protocol, which secures much of the Internet.
Once the ciphertext of the message and the encrypted session key are sent, Bob can use his private key (3) to decrypt the session key, which is then used to decrypt the ciphertext back to the original plaintext.

Aside from the basic process of encryption and decryption, PGP also supports digital signatures, which serve at least three functions:
Authentication: Bob can verify that the sender of the message is Alice.
Integrity: Bob can be sure that the message has not changed.
Non-repudiation: After digitally signing the message, Alice cannot claim that she did not send it.
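The hybrid flow and the signature checks described above, as an added sketch that is not part of the original article. It uses unpadded "textbook" RSA with constructed toy keys and a SHA-256 keystream as a stand-in symmetric cipher, so it shows the structure of the exchange, not OpenPGP's real algorithms or packet format; all function names are hypothetical.

```python
import hashlib, secrets, zlib

E = 65537

def toy_keypair(p_exp, q_exp):
    # Constructed toy key from two Mersenne primes: trivially factorable.
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

ALICE_PUB, ALICE_PRIV = toy_keypair(521, 607)   # Alice's signing key pair
BOB_PUB, BOB_PRIV = toy_keypair(127, 521)       # Bob's encryption key pair

def keystream_xor(key, data):
    # Stand-in symmetric cipher (SHA-256 keystream); same call en/decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, priv):
    n, d = priv
    return pow(digest_int(message), d, n)        # needs the private exponent

def verify(message, signature, pub):
    n, e = pub
    return pow(signature, e, n) == digest_int(message)

def encrypt(message, recipient_pub):
    n, e = recipient_pub
    session_key = secrets.token_bytes(16)        # single-use, random per message
    body = keystream_xor(session_key, zlib.compress(message))
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, body

def decrypt(wrapped_key, body, recipient_priv):
    n, d = recipient_priv
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return zlib.decompress(keystream_xor(session_key, body))

if __name__ == "__main__":
    msg = b"Meet at noon. " * 20                 # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    wrapped, body = encrypt(msg, BOB_PUB)
    plain = decrypt(wrapped, body, BOB_PRIV)
    print(plain == msg, verify(plain, sig, ALICE_PUB), len(msg), len(body))
```

Real implementations use padded RSA (or elliptic-curve schemes) and a standard cipher such as AES; the unpadded RSA and hash keystream here must not be used to protect data.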
Use cases
One of the most common uses of PGP is to secure emails. Email protected by PGP is converted into an unreadable string of characters (ciphertext) and can only be decrypted using the corresponding decryption key. The workings are practically the same as for securing text messages. There are also some software applications that allow PGP to be implemented on top of other applications, effectively adding an encryption system to insecure messaging services.
Although PGP is mostly used to secure Internet connections, it can also be applied to encrypt individual devices. This means that PGP may be applied to the disk partitions of a computer or mobile device. When the hard drive is encrypted, the user will be asked to provide a password every time the system starts up.
Advantages and disadvantages
Thanks to the combined use of symmetric and asymmetric encryption, PGP allows users to securely share information and encryption keys over the Internet. PGP benefits from both the security of asymmetric encryption and the speed of symmetric encryption as a hybrid system. In addition to security and speed, digital signatures also ensure the integrity of the data and the authenticity of the sender.
The OpenPGP protocol allowed the emergence of a unified competitive environment, and PGP solutions are now provided by many companies and organizations. However, all PGP programs that conform to the OpenPGP standards are compatible with each other. This means that files and keys created in one program can be used in other programs without problems.
As for the disadvantages, PGP systems are not easy to use and understand, especially for users with little technical knowledge. Also, the long length of public keys is considered by many to be relatively inconvenient.
In 2018, a major vulnerability called EFAIL was published by the Electronic Frontier Foundation (EFF). EFAIL allowed attackers to exploit active HTML content in encrypted emails to access unencrypted versions of messages.
But some of the concerns described by EFAIL had already been known to the PGP community since the late 1990s. In fact, the vulnerabilities are related to different implementations on the part of email clients and not to PGP itself. So, despite the annoying and misleading headlines, PGP is still very secure.
Concluding thoughts
Since its inception in 1991, PGP has become an essential tool for data protection and is now used in a wide range of applications, providing privacy, security and authentication to many communications systems and digital service providers.
While the 2018 discovery of the EFAIL flaw raised major concerns about the feasibility of the protocol, the underlying technology is still considered cryptographically robust and sound. It should also be noted that different PGP implementations may offer different levels of security.

