PGP stands for Pretty Good Privacy. It is encryption software designed to provide privacy, security and authentication of online communication systems. Phil Zimmerman was the creator of the first PGP software and, according to him, it was made freely available because of the growing social demand for privacy.
Since its inception in 1991, many versions of PGP software have been created. In 1997, Phil Zimmerman proposed to the Internet Engineering Task Force (IETF) that an open-source PGP standard be created. The proposal was accepted and led to the OpenPGP protocol, which defines standard formats for encryption keys and encrypted messages.
Although initially used for securing emails and attachments, PGP is now applied to a wide range of use cases, including digital signatures, full disk encryption and network protection.
PGP was initially owned by PGP Inc, which was later acquired by Network Associates Inc. In 2010, Symantec Corp. acquired PGP for $300 million. The PGP name is now a Symantec trademark used for its OpenPGP-compatible products.
How does it work?
PGP is one of the first widely used software programs to implement public key cryptography. It is a hybrid cryptographic system that uses both symmetric and asymmetric encryption to achieve a high level of security.
In a basic text encryption process, plaintext (data that can be clearly understood) is converted to ciphertext (unreadable data). Before the encryption step is carried out, however, most PGP systems first compress the data. By compressing plaintext files before transmitting them, PGP saves both disk space and transmission time, and it also improves security: compression removes the repetitive patterns in plaintext that cryptanalysis can exploit.
After compressing the file, the encryption process begins. At this point, the compressed plaintext is encrypted with a one-time key, called a session key. This key is randomly generated for each message and used with a symmetric cipher, so every PGP communication session has its own unique session key.
Subsequently, the session key (1) itself is encrypted using asymmetric encryption: the recipient (Bob) provides his public key (2) to the sender of the message (Alice) so that she can encrypt the session key with it. This step allows Alice to securely share the session key with Bob over the Internet, even if the network itself is insecure.

Asymmetric session key encryption is typically performed using the RSA algorithm. Many other encryption systems use RSA, including Transport Layer Security (TLS), which secures much of the Internet.
Once the message ciphertext and the encrypted session key are transmitted, Bob can use his private key (3) to decrypt the session key, which is then used to decrypt the ciphertext into the original plaintext.

Besides the basic encryption and decryption process, PGP also supports digital signatures, which serve at least three functions:
- Authentication: Bob can verify that the sender of the message was Alice.
- Integrity: Bob can be sure that the message has not been modified.
- Non-repudiation: once the message is digitally signed, Alice cannot claim not to have sent it.
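The hybrid process described above (compression, a random one-time session key, wrapping of that key with the recipient's public key, and a digital signature for authentication and integrity) carried through end to end in Go, as an added example that is not part of the original article and not the code of any OpenPGP implementation. It uses only Go's standard library, with AES-256-GCM as the symmetric cipher and RSA-OAEP and RSA-PSS for key wrapping and signatures; those algorithm choices, the `Envelope` layout, the `Seal`/`Open`/`RoundTrip` function names and the sample message are assumptions made for this example and do not follow OpenPGP's packet format.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope (layout assumed for this example): the session key wrapped with
// RSA-OAEP to Bob's public key, nonce||AES-256-GCM(zlib(plaintext)), and Alice's
// RSA-PSS signature over SHA-256(plaintext). Real OpenPGP nests the signature
// inside the encrypted packet; it is kept as a separate field here for clarity.
type Envelope struct{ WrappedKey, Ciphertext, Signature []byte }

func compress(p []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(p) // writes into a bytes.Buffer cannot fail; zlib reports errors on Close
	if err := w.Close(); err != nil { return nil, err }
	return buf.Bytes(), nil
}
func decompress(c []byte) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(c))
	if err != nil { return nil, err }
	return io.ReadAll(r) // reading to EOF also verifies the zlib checksum
}
// newGCM builds the symmetric cipher for the message body from a session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is Alice's side: sign, compress, encrypt under a fresh one-time session
// key, then wrap that key with Bob's public key so only he can recover it.
func Seal(plaintext []byte, alice *rsa.PrivateKey, bobPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, alice, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	compressed, err := compress(plaintext)
	if err != nil { return nil, err }
	sessionKey := make([]byte, 32) // 256-bit random key, unique to this message
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	ct := gcm.Seal(nonce, nonce, compressed, nil) // output begins with the nonce
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Signature: sig}, nil
}

// Open is Bob's side: unwrap the session key with his private key, decrypt and
// decompress, then verify Alice's signature over the recovered plaintext.
func Open(env *Envelope, bob *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, bob, env.WrappedKey, nil)
	if err != nil { return nil, fmt.Errorf("unwrap session key: %w", err) }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(env.Ciphertext) < ns { return nil, fmt.Errorf("ciphertext too short") }
	compressed, err := gcm.Open(nil, env.Ciphertext[:ns], env.Ciphertext[ns:], nil)
	if err != nil { return nil, fmt.Errorf("decrypt: %w", err) } // GCM tag rejects any change
	plaintext, err := decompress(compressed)
	if err != nil { return nil, err }
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return plaintext, nil
}

// RoundTrip sends msg from Alice to Bob, then shows that one ciphertext byte
// modified in transit is rejected before any plaintext is released.
func RoundTrip(msg []byte) (recovered []byte, tamperDetected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, false, err }
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, false, err }
	env, err := Seal(msg, alice, &bob.PublicKey)
	if err != nil { return nil, false, err }
	if recovered, err = Open(env, bob, &alice.PublicKey); err != nil { return nil, false, err }
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // constructed in-transit modification
	_, tamperErr := Open(env, bob, &alice.PublicKey)
	return recovered, tamperErr != nil, nil
}

func main() {
	out, tampered, err := RoundTrip([]byte("constructed sample message"))
	if err != nil { panic(err) }
	fmt.Printf("recovered: %q\ntampering detected: %v\n", out, tampered)
}
```

Running it prints the recovered message and reports that a single modified ciphertext byte is rejected, which is the integrity property from the list above. Note the division of labour: only Bob's private key can unwrap the session key (confidentiality), the GCM tag rejects modification in transit (integrity), and the signature check against Alice's public key is what ties the message to her (authentication and non-repudiation).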
Use cases
One of the most common uses of PGP is to secure email. An email protected with PGP turns into an unreadable string of characters (ciphertext) and can only be decrypted with the corresponding decryption key. The working mechanism is practically the same for securing text messages. Additionally, some software allows PGP to be integrated into other applications, adding encryption to otherwise insecure email services.
Although PGP is primarily used to secure Internet communications, it can also be used to encrypt individual devices. In this context, PGP can be applied to the disk partitions of a computer or mobile device. Once the hard drive is encrypted, the user has to provide a password each time the system starts.
Advantages and disadvantages
Through its combined use of symmetric and asymmetric encryption, PGP allows users to securely share information and cryptographic keys over the Internet. As a hybrid system, PGP benefits from both the security of asymmetric cryptography and the speed of symmetric encryption. In addition to security and speed, digital signatures ensure data integrity and sender authenticity.
The OpenPGP protocol has enabled the emergence of a standardized, competitive environment, and PGP solutions are now provided by several companies and organizations. At the same time, all PGP programs conforming to the OpenPGP standard are compatible with each other, so files and keys generated in one program can be used in another without problems.
As for the disadvantages, PGP systems are not that easy to use and understand, especially for users with little technical knowledge. Additionally, the length of public keys is considered by many to be rather inconvenient.
In 2018, a major vulnerability called EFAIL was published by the Electronic Frontier Foundation (EFF). EFAIL allowed attackers to abuse active HTML content in encrypted emails to obtain the plaintext of the messages.
However, some of the concerns described by EFAIL had been known to the PGP community since the late 1990s, and the vulnerabilities lie in particular email client implementations, not in PGP itself. So, despite the alarming and misleading headlines, PGP's core design is not in question and remains highly secure.
Closing Thoughts
Since its development in 1991, PGP has become an essential tool for data protection. It is now used in a wide range of applications, providing privacy, security and authentication to multiple communications systems and digital service providers.
Although the discovery of the EFAIL flaw in 2018 raised significant concerns about the viability of the protocol, the core technology is still considered robust and cryptographically valid. It should be noted that different PGP implementations may have different levels of security.