Emails on their own, are vulnerable and thus, sending an email in plain text, without any protection can be risky, specially if it contains sensitive information. PGP is a software package that adds security to your emails.
To better understand the working of PGP, you can also check out the article on the basics of cryptography here.
PGP was invented by Phil Zimmermann in 1991 and it stands for Pretty Good Privacy (PGP). It is a hybrid cryptosystem which combines the features of both symmetric (a single key to encrypt and decrypt message) and asymmetric (a pair of keys for encryption and decryption) cryptography, to provide four aspects of security to emails, namely:
- privacy or confidentiality (through the use of symmetric encryption)
- integrity (through the use of hash functions)
- authentication (through the use of digital signature)
- non-repudiation (through the use of asymmetric or public key cryptography)
Thus, PGP uses a combination of encryption methodologies such as hashing, data compression, symmetric or private-key cryptography and asymmetric or public-key cryptography to keep the data secure.
How PGP works
The following are the steps taken by PGP to create secure e-mail at the sender site:
- The e-mail message or plain text is firstly hashed to generate a hash value, or a message digest. This is done with the help of a hash function which creates the message digest by compressing the plain text.
- This hash value or message digest is then encrypted to form a signed digest by using the sender’s private key, and then the signed digest is further added to the original (unencrypted) email message.
- PGP then creates a session key which is a one-time secret key, generated from the random movements of your mouse and the keystrokes you type.
- Thereafter, the combination of the original email message and the signed digest are encrypted by using this one-time secret key.
- The secret key is then further encrypted by using the receiver’s public key. The public key is unique to each person, meant to be shared with others. However, each person’s public key corresponds to their private key, which is secret and known only to that person.
- Lastly, both the encrypted secret key and the encrypted combination of email message and signed digest are sent together.
The following are the steps taken to show how PGP generates the original message at the receiver’s end:
- The receiver receives the combination of encrypted secret key and the encrypted combination of email message and signed digest.
- The encrypted secret key isthen firstly decrypted by using the sender’s private key. Now, we have the one-time secret key for use.
- This decrypted secret key is then used to further decrypt the encrypted combination of message and digest. Now, we have the original message and an encrypted signed digest.
- Thus, in the next step, the signed digest is decrypted by using the sender’s public key. This means that now we have the message digest or the hash value along with the original email message, available for the receiver to read.
- Now, in order to make sure that the original email message has not been tampered with, that is, to check its integrity, it is hashed by using a hash function to create a message digest or hash value.
- Lastly, both the digests or hash values, that is, the message digest sent by the sender and the message digest newly generated by the receiver in the previous step are finally compared. In the event that both of them are equal means that all the aspects of security have been preserved.
PGP not only encrypts the email message and the signed digest with the secret key (symmetric cryptography), but it also takes an additional step of further encrypting the secret key with the recipient’s public key (asymmetric cryptography).
This is because asymmetric or public-key cryptography is much slower than symmetric cryptography, especially for large messages. Thus, it would take too much time to encrypt and decrypt large emails directly using the public key.
However, symmetric cryptography without public-key cryptography is less convenient since it uses a single key to encrypt and decrypt and therefore, would require the sender to somehow share the secret key with the recipient. To do so in plaintext would not be secure and to do so in person would be impractical. Therefore, PGP combines the efficiency of symmetric encryption and the convenience of public key encr