PGP - Pretty Good Privacy

Kellie M. Etheridge
CMSC 482

Introduction

    How would you feel if you knew that anyone had access to the private details of your life? Well, it is very possible that they do! If you use e-mail, any information that you send can be accessed, with a little effort, by anyone with an interest and some basic knowledge. "A person can capture information as it passes through the pipeline without having access to the machines for which the message was destined." With that in mind, it would be nice to have a way to seal up, so to speak, our electronic communications, so that only the person for whom our messages are intended can break the seal.

    Fortunately, there is a way to put our e-mail in an envelope. Pretty Good Privacy (PGP), a freeware program released in June 1991 after a six-month unpaid effort by Philip Zimmermann, provides confidentiality for electronic communications and file storage, as well as sender authentication, through the use of a public key encryption scheme.

How PGP Works

    PGP provides two main functions, encryption and digital signatures. PGP uses a standard public key encryption scheme, wherein it uses encoding and decoding algorithms to create a public key and a private key. The public key is used by other people to encrypt messages that they send to you, and the private key is used by you to decrypt messages that were encrypted with your public key. The idea is that you are the only person with access to your private key, so you are the only person that can decrypt messages that were encrypted using your public key.

    PGP uses a combination of algorithms to perform encryption. The first step in PGP's encryption process is to compress the text that is to be encrypted, called plaintext. Next, the International Data Encryption Algorithm is used to generate a random session key, which is used to encrypt the compressed file, producing what is called the ciphertext. Continuing, the well-known RSA (Rivest, Shamir, and Adleman) public key encryption algorithm is used to encrypt the session key using the recipient's public key. This encrypted session key is then placed at the front of the ciphertext file, which is now ready for sending. To decrypt a message, this process is essentially reversed, using the private key instead of the public key.

    To authenticate messages, PGP uses digital signatures. The concept of a digital signature or key fingerprint is to ensure that the message has not been altered in any way from the original and that the message is, in fact, from the sender that is claimed. The key fingerprint is a string of hexadecimal numbers that is unique to the message.

    To compute the digital signature, PGP first produces a hash code of the message, using a time-efficient algorithm known as MD5, RSA's message digest algorithm. This unique code is then encrypted with the sender's private key using RSA. A time stamp is then added in, thus creating the digital signature, which is then placed at the front of the file, now ready for sending. When the intended recipient acquires the message, the sender's public key is used to decrypt the signature, and a new signature is also computed for comparison with the sent signature. If the two values match, authentication was successful.
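
    An added example, not code from the original paper or from PGP itself, sketching the encryption steps and the signature check described above. Assumptions: the RSA key is a constructed toy key used without padding, a SHA-256 keystream stands in for IDEA, the session key comes from the operating system's random source, and the time stamp is left out; MD5 is kept only because it is the hash the paper names.

```python
import hashlib
import secrets
import zlib

# Constructed demo key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
KLEN = (N.bit_length() + 7) // 8       # bytes in one RSA block (27 here)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt(plaintext: bytes) -> bytes:
    """Compress, encrypt under a fresh session key, wrap that key with RSA."""
    session_key = secrets.token_bytes(16)              # 128 bits, IDEA's key size
    body = stream_xor(session_key, zlib.compress(plaintext))
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped.to_bytes(KLEN, "big") + body        # wrapped key goes in front

def decrypt(message: bytes) -> bytes:
    """Reverse the steps: unwrap the session key with D, decrypt, decompress."""
    wrapped, body = message[:KLEN], message[KLEN:]
    session_key = pow(int.from_bytes(wrapped, "big"), D, N).to_bytes(16, "big")
    return zlib.decompress(stream_xor(session_key, body))

def sign(message: bytes) -> bytes:
    """Hash with MD5, then apply the private exponent to the digest."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return pow(digest, D, N).to_bytes(KLEN, "big")

def verify(message: bytes, signature: bytes) -> bool:
    """Recover the digest with the public exponent and compare to a fresh hash."""
    recovered = pow(int.from_bytes(signature, "big"), E, N)
    return recovered == int.from_bytes(hashlib.md5(message).digest(), "big")

if __name__ == "__main__":
    note = b"Meet me at the usual place at noon. " * 4   # constructed sample text
    sealed, sig = encrypt(note), sign(note)
    print(decrypt(sealed) == note, verify(note, sig), verify(note + b"!", sig))
```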

Legality of PGP

    There are a number of questions concerning the legality of PGP. Currently, the originator of PGP, Philip Zimmermann, is involved in a grand jury investigation by the US Customs office in San Jose, California that began in 1994. Zimmermann has been accused of violating the International Traffic in Arms Regulations by exporting a munition. In question is whether or not posting a munition on the Internet is, in fact, exportation.

    There were also patent issues involved with version 2.3 of PGP in the United States. PGP 2.3 makes use of the RSA algorithm, which possesses a U.S. patent, so anyone using PGP 2.3 is technically in violation of patent infringement laws.

    Because of the many legal issues involved with PGP, there are currently many different versions of PGP. The "official" version is currently PGP 2.6.2, developed at MIT with the participation and full support of Phil Zimmermann, which uses the RSAREF library, developed by RSA Data Security, Inc. for free non-commercial use, to avoid any patent infringement problems. However, it cannot be exported without a license. There is also a commercial version of PGP available for cost from ViaCrypt, currently ViaCrypt PGP 2.7. Additionally, the freeware program PGP 2.6.2i was developed for use outside of the United States and Canada, and many older versions of PGP are still available though at a legal risk and with some incompatibility problems.

How to Get PGP

    PGP is freeware which has been ported for use on many different operating systems, including DOS, UNIX, Macintosh, OS/2, VMS, Atari ST, Archimedes, Commodore Amiga, and several others. It is available at many sites throughout the world. However, the primary FTP site for PGP in the United States is net-dist.mit.edu.

    To get your own copy of PGP, use FTP to log into net-dist.mit.edu, with the user name anonymous. Next, go to the directory /pub/PGP, and follow the instructions stated in the README file. You will be given several stipulations with which you must comply. Upon consent, the next step is to telnet to net-dist.mit.edu, logging in as getpgp. You will be asked a series of 4 questions that are used to verify your citizenship as well as your intended use of the program. Assuming that your responses to these questions are satisfactory, at this point you will be given the actual location of the PGP software. You now must FTP back into net-dist.mit.edu within a half-hour and go to the location that was just disclosed to you. The location of the PGP distribution is set to a new random location, once every half-hour, and the directory that it is located in is not readable. You may change directories but not read the contents. If the MIT site cannot verify that your site resides in the United States, you will be denied access. Fortunately, you are given all the information at this point to download the program, which is in the form of a "zip" file. You must unzip the distribution, and the documentation will guide you through the rest of the way.

How to use PGP

    After you have downloaded a copy of PGP, read the documentation, and completed the setup, the first thing that you should do is create a public/private key pair. You will very quickly discover that PGP is not a very "user-friendly" program. It is a simple command-line program, with none of those fancy interfaces.

    To create a public/private key pair, type "pgp -kg". First, PGP will ask you to select a key size. Generally, you should choose 1024 bits, military grade, unless you are working on a slow system. The greater the number of bits, the better the encryption is, but the longer it takes for PGP to generate your keys. Next, you will be asked to choose a key identifier, usually of the form:

        First_Name Last_Name <user_name@your_node.your_domain>

Now, you must enter a pass phrase, something that is difficult to guess but easy for you to remember. PGP will then have you re-enter your pass phrase for verification. Last, PGP will have you enter random text, using the time intervals in between key strokes to generate a random seed for creating the session key. It will now generate both your public and private key rings, pubring.pgp and secring.pgp, respectively.

    The next thing that you will want to do is sign your key, so that you can take advantage of PGP's authentication mechanism. You can do this with the following command:

        pgp -ks your_key_identifier -u your_key_identifier

Your public key ring is intended to hold your public key as well as other people's public keys. In order to distribute your public key, you will need to extract it from pubring.pgp and place it in a file, using the following command:

        pgp -kxa your_key_identifier filename

To add someone's public key to your public key ring, do the following:

        pgp -ka file

To encrypt a file using someone else's public key, you must first add their key to your public key ring, then use the following command:

        pgp -e file person's_key_identifier

Lastly, to decrypt a message that was encrypted using your public key, use the following command:

        pgp name_of_encrypted_file

Conclusions

    Pretty Good Privacy is a top-notch public key encryption program. In fact, it is the de facto standard among public key encryption schemes for both microcomputers and mainframes. It provides confidentiality for e-mail and stored files, using a private/public key pair, along with sender authentication and data integrity, using digital signatures. It is used throughout the world by your average person on up to large corporations.

    PGP can be acquired from a large number of FTP sites, though MIT is the most popular. It runs on just about any platform, and does not require anything but what is provided by the distribution package, unless you are trying to port it to a new platform.

    It should be pointed out, though, that PGP, along with all other public key encryption systems, has one major flaw: how to distribute public keys. There are many public key servers from which you can retrieve other people's keys and to which you can post your own key. However, they do not check to ensure that the person who published the key is actually the person indicated by the key identifier. Therefore, you need to be very cautious in using these servers, or trade public keys on a one-on-one basis in lieu of using a key server.

    Nonetheless, PGP provides just what its name claims, Pretty Good Privacy, and is thus an excellent way to seal up our otherwise publicly accessible electronic communications.
