PGP stands for Pretty Good Privacy. It is encryption software designed to provide privacy, security and authentication for online communication systems. Phil Zimmerman is the name behind the first PGP program, which he says was made available for free due to growing societal demand for privacy.

Since its creation in 1991, many versions of PGP software have been created. In 1997, Phil Zimmerman made a proposal to the Internet Engineering Task Force (IETF) for the creation of an open source PGP standard. The proposal was accepted and led to the creation of the OpenPGP protocol, which defines standard formats for encryption keys and messages.

Although initially only used to protect email messages and attachments, PGP is now applied to a wide range of use cases, including digital signatures, full disk encryption, and network protection.

PGP was initially owned by the company PGP Inc, which was later acquired by Network Associates Inc. In 2010, Symantec Corp. acquired PGP for $300 million, and the term is now a trademark used for its OpenPGP-compatible products.


How it works?

PGP is among the first widely available software to implement public key cryptography. It is a hybrid cryptographic system that uses both symmetric and asymmetric encryption to achieve a high level of security.

In a basic text encryption process, plain text (data that can be clearly understood) is converted to ciphertext (unreadable data). But before the encryption process takes place, most PGP systems perform data compression. By compressing plain text files before transmitting them, PGP saves disk space and transmission time, while improving security.

After file compression, the actual encryption process begins. At this stage, the compressed plaintext file is encrypted with a one-time key, which is known as the session key. This key is randomly generated using symmetric cryptography, and each PGP communication session has a unique session key.

The session key(1) itself is then encrypted using asymmetric encryption: the intended recipient (Bob) provides his public key(2) to the sender of the message (Alice) so that he can encrypt the session key. . This step allows Alice to securely share the session key with Bob over the Internet, regardless of security conditions.

¿Qué es PGP?

Asymmetric encryption of the session key is usually done by using the RSA algorithm. Many other encryption systems use RSA, including the Transport Layer Security (TLS) protocol that protects much of the Internet.

Once the message ciphertext and the encrypted session key are transmitted, Bob can use his private key(3) to decrypt the session key, which is then used to decrypt the ciphertext back to plaintext.

¿Qué es PGP?

Aside from the basic encryption and decryption process, PGP also supports digital signatures, which serve at least three functions:

  • Authentication: Bob can verify that the sender of the message was Alice.

  • Integrity: Bob can be sure that the message was not modified.

  • Non-repudiation: After the message is digitally signed, Alice cannot claim that she did not send it.


Use cases

One of the most common uses of PGP is to protect emails. A PGP-protected email is converted into a series of characters that cannot be read (ciphertext) and can only be decrypted with the corresponding decryption key. The working mechanisms are largely the same for protecting text messages, and there are also some software applications that allow PGP to be implemented on top of other applications, adding an encryption system to unsecured messaging services.

Although PGP is primarily used to secure Internet communications, it can also be applied to encrypt individual devices. In this context, PGP can be applied to disk partitions of a computer or mobile device. When you encrypt the hard drive, the user must provide a password each time the system boots.


Advantages and disadvantages

Thanks to its combined use of symmetric and asymmetric encryption, PGP allows users to securely share information and cryptographic keys over the Internet. As a hybrid system, PGP benefits from both the security of asymmetric cryptography and the speed of symmetric encryption. In addition to security and speed, digital signatures guarantee data integrity and the authenticity of the sender.

The OpenPGP protocol allowed the emergence of a standardized competitive environment and PGP solutions are now provided by various companies and organizations. Still, all PGP programs that comply with OpenPGP standards are compatible with each other. This means that files and keys generated in one program can be used in another without problems.

As for the disadvantages, PGP systems are not that easy to use and understand, especially for users with little technical knowledge. Additionally, many consider the long length of public keys to be quite inconvenient.

In 2018, the Electronic Frontier Foundation (EFF) published a large vulnerability called EFAIL. EFAIL made it possible for attackers to exploit active HTML content in encrypted emails to gain access to plaintext versions of the messages.

However, some of the concerns described by EFAIL were already known to the PGP community since the late 1990s, and in fact the vulnerabilities are related to different implementations of email clients, and not to PGP itself. . So despite the alarming and misleading headlines, PGP is not broken and remains highly secure.


In conclusion

Since its development in 1991, PGP has been an essential tool for data protection and is now used in a wide range of applications, providing privacy, security and authentication for various communication systems and digital service providers.

While the 2018 discovery of the EFAIL flaw raised significant concerns about the protocol's viability, the core technology is still considered robust and cryptographic. It is worth noting that different PGP implementations may present different levels of security.